The Information Commissioner’s Office has confirmed it is investigating an alleged CCTV data breach involving then-Secretary of State for Health and Social Affairs Matt Hancock, which made headlines.

The CCTV images were published by The Sun newspaper on June 25, 2021 by a person (s) who received the footage showing the then Minister of Health in a private room physically occupied with another person.

As part of the ICO’s investigation, the ICO searched two residential properties in mid-July and seized PC equipment and electronic devices. The company that provides facility management and CCTV services to the Ministry of Health and Welfare, as a processor of the personal data, filed a breach report alleging that the CCTV images were removed from the company without the consent of the company or the CCTV system The CCTV system was taken from the Office for Health and Social Affairs.

A CCTV recording would be defined under the UK GDPR and DPA 2018 as personal data by which a living person can be identified or is identifiable – which was clear in this particular case. A violation of Section 170 of the Data Protection Act 2018 states that it could be a criminal offense for a person knowingly or recklessly to obtain or disclose personal information without the consent of the controller. The defense options available for this type of crime, although relatively limited, may include:

  • the violation is necessary for the purpose of preventing or detecting criminal offenses;
  • the violation is required or approved by an order or by the order of a court or tribunal; or
  • in the particular circumstances the public interest infringement was justified.

The ICO investigation continues.

The Chadwick Lawrence regulatory team is experienced in advising organizations and individuals on personal data breaches and can be contacted on 01484 519 999 or by email at or

  • Like this ? share with friends