BLS Stay Compliant

News and Information

Five fines you might have missed in 2021

The Information Commissioners Office (ICO) issued over 50 data protection related fines in 2021, across multiple industries and legislation and varying greatly in monetary value. Here are five you might have missed.



The UK Cabinet Office was issued a £500,000 penalty in December following a data breach whereby a file containing names and unredacted addresses of more than 1,000 people in the New Year Honours list was published online. The data was available for a period of two hours and 21 minutes and was accessed 3,872 times.

The Honours and Appointments Secretariat (HAS) had introduced a new IT system in 2019, which was found to have been set up incorrectly. Due to tight timescales the file containing the information was amended instead of modifying the system and as a result, the file automatically included postal addresses of the honours recipients each time a new file was created.

The ICO found that the Cabinet Office had failed to put appropriate technical and organisational measures in place to prevent the unauthorised disclosure of information. The Cabinet Office confirmed there was no specific or written process in place at the time to sign off documents and content containing personal data ahead of publication.



Scottish Health Charity HIV Scotland was fined £10,000 in October because of an email data breach where the personal data of 65 patient advocates of the charity was sent to 105 email addresses. The bulk email was sent in error, without the use of the blind carbon copy function (BCC) to correctly anonymise the email recipients.

The ICO found that HIV Scotland failed to implement an appropriate level of organisational and technical security in its email systems and processes, through inadequate staff training, an inadequate data protection policy and incorrect email methods regarding bulk sends.



Unite the Union was fined £45,000 in October for making direct marketing calls that contravened Regulation 21(1)(b) of the PECR.

The ICO found that Unite had used a third-party public telecommunications service for the purpose of making 57, 665 direct marketing calls regarding life insurance to its members, who were registered with the Telephone Preference Service – a direct breach of Regulation 21(1)(b) of the PECR. The ICO also determined the consent relied upon by Unite was insufficient as it did not provide specific details as required under the above regulation.

Despite considering that Unite had not deliberately set out to contravene the PCR, the notice stated that Unite was negligent and failed to take reasonable steps to prevent the contravention of the PECR.



In July, the ICO fined the transgender charity Mermaids £25,000 for failing to keep data secure following a historical data breach which publicly exposed around 780 pages of confidential emails containing personal data such as names and email addresses.

An investigation was launched by the ICO after Mermaids filed a data breach report in 2019 relating to an internal email group used by the charity between 2016 and 2017. The charity only became aware of the breach in June 2019. The ICO found that Mermaids had a negligent approach towards data protection, with inadequate policies and a lack of training for staff. It also stated that Mermaids should have applied restricted access to the email group and considered pseudonymisation or encryption to better protect the personal data held.



Virgin Media Ltd was fined £50,000 in December for sending emails without consent relating to a ‘price freeze’ message which was sent to consumers who had opted out of receiving marketing communications.

A single complaint made in August 2020 triggered the investigation, which found that the telecoms giant had made a deliberate contravention of Regulation 22 of PECR by sending an email stating “You have currently said no to receiving marketing messages from us, which means that we are not able to keep you up to date with our latest TV, broadband, phone and mobile news, competitions, product and bundle offers via online, email, post, SMS, phone.”

The ICO found this type of ‘marketing preference email’ to be a breach of data protection legislation and stated that Virgin Media Ltd did not have valid consent to send such messages.



The Information Commissioners Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The team regularly conduct investigations into data protection matters and offer advice and guidance for any company wishing to update or improve data protection policies and management.

Our comprehensive services at BLS Stay Compliant include training and consultancy by experienced experts to ensure all staff members of your organisation are up to date with the latest legislation and understand their role in data protection.


We can work with you on a managed service level, offer guidance on your data protection policies and conduct audits to check your compliance where necessary, train staff either in house, online or by joining one of our many data protection courses hosted online, amongst a host of other options! Get in touch to find out more.


Share this post