Following the introduction of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), Data Protection has been brought to the forefront of businesses' minds. Having processes and the correct documentation in place to ensure Personal Data is collected, stored and used correctly has taken a large amount of time, cost and effort for many businesses. However, as with all businesses, you are dealing with humans, who can (and do) make mistakes.

The recently published fine levied by the Information Commissioner's Office (ICO) against the Ministry of Defence (MOD) shows how easily a breach of the DPA can occur. In the penalty notice, the ICO sets out that during the evacuation of Afghanistan in 2021 the team at the MOD sent emails with all of the recipients' addresses in the "To" field rather than the "Bcc" (Blind Carbon Copy) field, so every recipient could see every other recipient's address. In one incident this disclosed 245 individuals' email addresses, and further incidents brought the total to 265 unique email addresses disclosed.

Clearly, in the circumstances, this was not just a breach of Data Protection law but could also have led to threats to the lives of the people involved.

This comes as the ICO has released its Fining Guidance, which sets out how it determines what fine to levy for a breach of the DPA/GDPR. A multitude of factors are taken into account, including the seriousness of the infringement, any aggravating or mitigating factors, and whether the fine will be effective, proportionate and dissuasive.

As an example, the MOD fine mentioned above was originally set at £1,000,000. This was reduced to £700,000 for mitigating factors, and a further 50% discount was then applied because the MOD is a public sector body, so the overall fine levied was £350,000.

The ICO's maximum fine under the UK GDPR is £17.5 million or 4% of total worldwide annual turnover in the preceding financial year, whichever is higher, so its powers are significant and should not be underestimated.

So what can be learned from this?

It is important that employees receive training on the business's Data Protection Policies, but it is also worth reviewing how email is used as a tool. Are there sufficient procedures in place for group communications to prevent accidental disclosure of Personal Data, for example a rule that any message to more than a handful of external recipients goes out via Bcc or a dedicated mailing tool rather than a long "To" list?

Are there other ways to mitigate the risk of disclosure of Personal Data? For instance, switching off auto-complete for email addresses in the mail client reduces the chance of emailing the wrong recipient, and a pre-send check that counts visible recipients can catch a bulk mailing before it leaves the organisation.
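The kind of pre-send check described above, as an added example that is not code from the original article, the MOD or the ICO: a guard that counts the addresses visible in "To" and "Cc", flags a message that would disclose more than a chosen threshold, and rewrites it so the addresses travel only in the SMTP envelope (the effect of using Bcc). The threshold, the example.org addresses and the helper names are assumptions chosen for the demonstration; it relies on the Python standard library's EmailMessage with its default policy, which parses address headers.

```python
"""Pre-send guard for group e-mail: detect a message that would reveal every
recipient's address in To/Cc and rewrite it so the addresses travel only in
the SMTP envelope (the effect of using Bcc).

Added illustrative example, not code from the original article, the MOD or
the ICO. The threshold, sample addresses and helper names are assumptions.
"""
import copy
from email.message import EmailMessage
from typing import List, Tuple

# Assumption: more than this many mutually visible recipients is treated as a
# bulk mailing that must go out via Bcc. Choose the value to suit the business.
MAX_VISIBLE_RECIPIENTS = 5


def _addresses(msg: EmailMessage, field: str) -> List[str]:
    """Distinct, lower-cased addr-specs from every occurrence of `field`.
    Uses EmailMessage's parsed address headers, so group syntax such as
    'undisclosed-recipients:;' correctly yields no addresses."""
    seen: List[str] = []
    for header in msg.get_all(field, []):
        for address in header.addresses:
            addr = address.addr_spec.lower()
            if addr and addr not in seen:
                seen.append(addr)
    return seen


def visible_recipients(msg: EmailMessage) -> List[str]:
    """Addresses every recipient would see: To and Cc, never Bcc."""
    seen = _addresses(msg, "To")
    for addr in _addresses(msg, "Cc"):
        if addr not in seen:
            seen.append(addr)
    return seen


def envelope_recipients(msg: EmailMessage) -> List[str]:
    """Everyone who should actually receive the mail: To, Cc and Bcc."""
    env = visible_recipients(msg)
    for addr in _addresses(msg, "Bcc"):
        if addr not in env:
            env.append(addr)
    return env


def check_disclosure(msg: EmailMessage,
                     limit: int = MAX_VISIBLE_RECIPIENTS) -> Tuple[bool, int]:
    """(ok, count): ok is False when more than `limit` addresses would be
    disclosed to all recipients."""
    count = len(visible_recipients(msg))
    return count <= limit, count


def rewrite_to_bcc(msg: EmailMessage) -> Tuple[EmailMessage, List[str]]:
    """Return (safe_message, envelope). All To/Cc/Bcc addresses are moved out
    of the headers into `envelope`, to be passed as to_addrs to
    smtplib.SMTP.send_message(); the conventional empty group is left in
    "To" so no recipient sees another."""
    envelope = envelope_recipients(msg)
    safe = copy.deepcopy(msg)
    for field in ("To", "Cc", "Bcc"):
        del safe[field]          # removes every occurrence; no error if absent
    safe["To"] = "undisclosed-recipients:;"
    return safe, envelope


def guard(msg: EmailMessage,
          limit: int = MAX_VISIBLE_RECIPIENTS) -> Tuple[EmailMessage, List[str]]:
    """Pre-send hook: small messages pass through unchanged (smtplib strips
    the Bcc header itself); bulk messages are rewritten."""
    ok, _count = check_disclosure(msg, limit)
    if ok:
        return msg, envelope_recipients(msg)
    return rewrite_to_bcc(msg)


def build_message(sender: str, to, cc=(), subject: str = "Update",
                  body: str = "(body)") -> EmailMessage:
    """Small constructor for the constructed samples used here."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg.set_content(body)
    return msg


def sample_bulk_message() -> EmailMessage:
    """Constructed sample: eight recipients placed in To, as in the incident."""
    recipients = [f"person{i}@example.org" for i in range(1, 9)]
    return build_message("team@example.org", recipients, subject="Relocation update")


if __name__ == "__main__":
    original = sample_bulk_message()
    print("ok, visible count:", check_disclosure(original))
    safe, envelope = guard(original)
    print("To header after guard:", safe["To"])
    print("envelope recipients:", len(envelope))
    # To send: smtplib.SMTP(host).send_message(safe, to_addrs=envelope)
```

The important detail is that Bcc is a property of the SMTP envelope, not of the message: the recipient list is handed to the mail server separately from the headers, which is why the rewritten message keeps all eight recipients in `envelope` while its "To" header contains no addresses at all.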

If you would like to discuss Data Protection issues and documentation, please contact our Corporate and Commercial team on 0116 289 7000 or email
