New legislation saw the department recording and reporting many more incidents
The Home Office’s annual report has revealed a spike in the department’s reporting and recording of data breaches in light of GDPR coming into effect.
A total of 35 data breaches were reported to the Information Commissioner’s Office in the year to 31 March 2019, up from two the previous year.
A further 1,895 data breaches were recorded by the department’s data controller during 2018/19 but not deemed major enough to warrant reporting to the ICO. Sixty-four such breaches were recorded the previous year.
The report attributes the sharp increase in reporting to “greater awareness and vigilance amongst staff” since the introduction of GDPR in May 2018. Guidance published post-GDPR and a revised reporting process “has raised awareness across the Home Office regarding the need to escalate such incidents”, it says.
However, the report does reveal concern about the Home Office’s compliance with data-protection regulations. A section on risks to the department’s work stresses that “it is essential that we manage those assets properly and do not lose the public’s trust and confidence, in particular by being non-compliant with data protection legislation”.
It addresses, in particular, a three-day period in early April in which three separate data breaches occurred. On 7 April, when sending an email to 240 EU settlement scheme applicants, an official failed to use the BCC function to hide recipients’ email addresses from each other. The following day, a similar error happened in five batches of emails to people who had contacted the Home Office about its Windrush compensation scheme.
In a third incident on 9 April, which has been less well publicised, an administrative error by a contractor meant the email addresses belonging to 168 users of the General Aviation Report system – a Border Force system used by pilots and flight handlers to register who and what is being carried on non-scheduled flights – were shared.
The department said it had introduced an unspecified “technical solution” on 5 March to minimise the risk of similar breaches happening in future.
Recent research by PublicTechnology revealed that, in 2017/18, the Home Office recorded the third-highest number of data breaches of any Whitehall department – behind only the Ministry of Defence and the Ministry of Justice, which recorded almost 30 times as many as any other department.