New Year Honours address leak a ‘complete disaster’, says Iain Duncan Smith

Ministers need to ask “very serious questions” about how the home addresses of celebrities, military figures and elderly people named in the New Year Honours list came to be inadvertently posted online, a former Conservative Party leader has said.

Iain Duncan Smith, who was knighted in the latest honours list, described the alleged data breach as a “complete disaster”.

There have also been calls for an inquiry into the leak, which is being investigated by the Information Commissioner’s Office (ICO).

The Cabinet Office apologised and said it was contacting those affected after details relating to the vast majority of the 1,097 recipients could be viewed online from 11pm on Friday, shortly after news of their honours went public.

The details were removed around an hour after the disclosure.

D-Day veteran Harry Billinge, 94, is among those to have had his home address published online Credit: Normandy Memorial Trust/PA

Sir Iain told the Sunday Times: “Ministers need to be asking some very serious questions of those involved about how this was allowed to happen and why no final checks were carried out before the document was published.

“Everybody knows virtually everything about me. It’s much more concerning for private citizens, like those who have been involved in policing or counter-terrorism or other such sensitive cases, to have their addresses published.”

Lord Kerslake, who was head of the civil service between 2012 and 2014, said an “urgent investigation” was needed.

He told BBC Breakfast: “It is a serious and indeed extraordinary breach because this is a well-established process that has gone on in pretty much the same way for years, so I think an urgent investigation is certainly needed.

“Of course, it’s likely to be human error, as has been suggested, but we need to know how well staff were trained about the importance of maintaining security. Were they briefed on the potential consequences if this information was released?”

On Saturday, Silkie Carlo, director of privacy campaign group Big Brother Watch, said it was “extremely worrying to see that the Government doesn’t have a basic grip on data protection”, adding: “It’s a farcical and inexcusable mistake, especially given the new Data Protection Act passed by the Government last year – it clearly can’t stick by its rules.”

Cricketer Ben Stokes will receive an OBE. Credit: PA

The list saw awards given to members of England’s World Cup-winning cricket team, as well as performers such as Sir Elton John and Grease star Olivia Newton-John.

Alison Saunders, the former director of public prosecutions, was also among the honours recipients, alongside 94-year-old D-Day veteran Harry Billinge, and 13-year-old schoolboy Ibrahim Yousaf.

The list also included senior diplomats, counter-terror police and figures from the military.

A Cabinet Office spokesperson said: “A version of the New Year Honours 2020 list was published in error which contained recipients’ addresses.

“The information was removed as soon as possible.

“We apologise to all those affected and are looking into how this happened.

“We have reported the matter to the ICO (Information Commissioner’s Office) and are contacting all those affected directly.”

Only six people honoured for services to defence were left off the list, according to the BBC.

The introduction of General Data Protection Regulation (GDPR) rules in May 2018 increased the penalties regulators such as the ICO are able to introduce.

It means breaches can result in the ICO issuing penalties equivalent of up to 4% of annual global turnover or £17 million – whichever is greater.

Previously, the largest penalty the ICO meted out was to Facebook when it was fined £500,000 – the maximum allowed at the time – for failing to protect users’ personal data.

Ibrahim Yousaf, 13, was among those on the New Year Honours list Credit: Family handout/PA

But in July, the ICO announced its intention to fine British Airways £183 million for its own data breach, which will become the largest penalty ever issued by the regulator once the process is completed.

The ICO later handed out an intention to fine the hotel chain Marriott International £99 million after it admitted the guest records of around 339 million people had been accessed.