The Post Office has avoided a fine after accidentally leaking the details of 502 members of the Bates group litigation.
The Information Commissioner’s Office said it had considered a financial penalty of more than £1m but took the view that the data protection breaches did not reach the threshold of ‘egregious’.
The breach occurred in April 2024 when the Post Office communications team mistakenly published an unredacted version of the legal settlement document agreed with sub-postmasters on its corporate website.
This document contained the names, home addresses and postmaster status of each of the 502 who had taken part in the group litigation against the organisation in relation to prosecutions wrongly brought based on the faulty Horizon IT software. The document remained publicly accessible for almost two months before an external law firm flagged up the mistake and it was taken down.
The leak occurred at a pivotal moment in the aftermath of the Post Office scandal, coming during the public inquiry and just three months after the ITV drama Mr Bates v The Post Office had catapulted the matter into widespread public awareness.

The ICO found that the Post Office failed to implement appropriate technical and organisational measures to protect people’s information. There was a lack of documented policies or quality assurance processes for publishing documents on the corporate website, insufficient staff training, and no specific guidance on information sensitivity or publishing practices.
Sally Anne Poole, ICO head of investigations, said: ‘The people affected by this breach had already endured significant hardship and distress as a result of the Horizon IT scandal. They deserved much better than this. The postmasters have once again been let down by the Post Office. Our investigation highlighted that this data breach was entirely preventable and stemmed from a mistake that could have been avoided had the correct procedures been in place.’
Since the breach, the Post Office has offered compensation to all people named on the document and affected by the publication, with payments accepted by the majority.
It has also provided identity protection services including 24 months of fraud monitoring and dark web surveillance to ensure the leaked data is not being misused.






















