The government has apologised “to all those affected” after it accidentally published addresses of more than 1,000 New Year Honour recipients online.
The file – which included details of senior police officers and politicians – was uploaded to an official website on Friday evening and removed Saturday.
The Cabinet Office told the BBC it was “looking into how this happened”.
Among the addresses were those of Sir Elton John and former director of public prosecutions Alison Saunders.
Also on the list of 1,097 honours recipients were high-profile names such as cricketer Ben Stokes, former Conservative Party leader Iain Duncan Smith, TV cook Nadiya Hussain, and former Ofcom boss Sharon White.
The data breach was described as “farcical and inexcusable” by privacy campaign group Big Brother Watch.
The organisation’s director, Silkie Carlo, said: “It’s extremely worrying to see that the government doesn’t have a basic grip on data protection, and that people receiving some of the highest honours have been put at risk because of this.
“It’s a farcical and inexcusable mistake, especially given the new Data Protection Act passed by the government last year. It clearly can’t stick by its rules.”
A government spokesman said: “A version of the New Year Honours 2020 list was published in error which contained recipients’ addresses.
“The information was removed as soon as possible.
“We have reported the matter to the ICO [Information Commissioner’s Office] and are contacting all those affected directly.”
The ICO, which has the power to fine organisations for data breaches, said it will be “making enquiries”.
‘Much depends on the attitude of those affected’
There is no doubt that this is a serious data breach and the government, of all organisations, should be better acquainted with the law on disclosing sensitive personal information.
But while some of the celebrities and the police officers awarded honours may be concerned about their privacy and security, it would have been far more serious if the home addresses of those on the list of gallantry awards had been leaked.
The Information Commissioner’s Office has so far only levied one fine under the new Data Protection Act which came into effect in 2018 – a London pharmacy was fined £275,000 for careless storage of the very sensitive medical data of half a million people.
Lawyers who specialise in data protection think the ICO will see this as a less serious case of human error and may let the Cabinet Office escape with a warning about improving its practices.
But they say much now depends on the attitude of those who have seen their data leaked – they could decide to bring civil claims against the government for putting in the public domain information many of them have been determined to keep private.
Data rights lawyer Ravi Naik said the government could face legal action from those whose addresses were published, as well as from the ICO.
He also warned that anyone who came across the information should tell the ICO and not pass it onto others – because they themselves might face legal action.
Simon Winch, a sustainability professional from London, was among those who were able to access the sensitive information.
He told the BBC: “I clicked on the link on the gov.uk website at around 11pm on Friday and the spreadsheet opened up.
“At first I thought everyone on the list had given their permission to publish their personal addresses. But then I saw that some quite sensitive names were on there.”
Another source told the BBC they accessed the file just after midnight on Saturday but were unable to do so by 05:00 GMT.
The Cabinet Office said the document was visible for around an hour.
Most of the entries in the spreadsheet include full addresses – including house numbers and postcodes.
A separate list, that does not appear to be involved in the breach, covers gallantry awards for police, ambulance and fire staff and military personnel.