ICO rules leak of 502 victims’ details serious but below threshold for a £1 million-plus fine
The Post Office has avoided a financial penalty after the Information Commissioner’s Office concluded that its accidental leak of sensitive data relating to 502 sub-postmasters did not meet the legal threshold for an “egregious” breach. The regulator confirmed that it considered imposing a fine of more than £1m before deciding the circumstances did not justify it.
The incident occurred in April 2024, when the Post Office communications team mistakenly uploaded an unredacted version of the group litigation settlement agreement to the organisation’s corporate website. The document contained the names, home addresses and postmaster status of every claimant involved in the Bates litigation, which challenged the wrongful prosecutions brought on the basis of the flawed Horizon IT system. The settlement file remained publicly accessible for almost two months before an external law firm alerted the Post Office, prompting immediate removal.
The timing of the breach intensified concern. It happened while the statutory public inquiry into the Horizon scandal was underway and only three months after the widely viewed ITV drama Mr Bates v The Post Office significantly heightened public awareness of the claimants’ experiences. The ICO said the individuals affected had already suffered distress linked to the scandal and were entitled to expect basic safeguards around their personal information.
The investigation found that the Post Office failed to implement adequate technical and organisational measures for handling and publishing sensitive data. The ICO reported a lack of documented policies governing the publication of material on the corporate website, minimal quality assurance processes and insufficient staff training. There was also no specific guidance addressing the sensitivity of information or best practices for redaction prior to publication.
Sally Anne Poole, head of investigations at the ICO, said the organisation had fallen short at a critical moment. “The people affected by this breach had already endured significant hardship and distress as a result of the Horizon IT scandal. They deserved much better than this. The postmasters have once again been let down by the Post Office. Our investigation highlighted that this data breach was entirely preventable and stemmed from a mistake that could have been avoided had the correct procedures been in place.”
Following the breach, the Post Office offered compensation to all affected individuals, and most have accepted payments. It also provided identity protection services, including two years of fraud monitoring and dark web surveillance, to reduce the risk of misuse of the leaked information.
The ICO’s decision not to impose a fine reflects its assessment that, although the breach was serious and avoidable, it did not meet the high statutory threshold required for a financial penalty of the scale initially considered. The regulator said its priority was ensuring improvements to prevent a recurrence rather than punishing the organisation in this instance.