The Home Office’s annual report shows that, for the first time in many years, documents or data lost from a secure government building had to be reported to the ICO. PublicTechnology finds out more.
In 2019/20 the Home Office recorded more than twice as many data breaches as in the prior year – including, for the first time in many years, a serious breach in which documents or devices went missing from secure government premises.
Over the course of the 12-month period to the end of March 2020, the department recorded 4,229 data breaches, compared with 1,930 incidents in the previous year. This equates to a rise of almost 120%.
The biggest chunk of this increase came in losses of “inadequately protected” documents or devices that, at the time they went missing, were not housed in a government building. There were 2,414 instances of a data breach of this nature in FY20, more than three times as many as the previous year, when the department recorded a total of 706 such incidents.
The largest rise, in percentage terms, was in the loss of documents, devices, or data from inside secure government premises. Instances of this type of breach ballooned more than sixfold from 145 to 947.
Key figures from the report:
- 4,229 – total number of data breaches recorded by the Home Office last year, compared with 1,930 in the prior year
- Almost 120% – annual increase in data-breach incidents
- 25 – number of incidents reported to the ICO in FY20, ten fewer than the previous year
- HMPO and UKVI – Home Office agencies where a ‘strong reporting culture’ contributed to the big rise in reported incidents

But, in 946 cases, these incidents were not flagged up with the Information Commissioner’s Office for further investigation.
One of these incidents, however, was deemed serious enough to require reporting to the ICO.
This is the first time a serious breach of this nature has been recorded by the Home Office since at least the 2012/13 year – the earliest period for which this level of detail is provided in the department’s annual reports.
Shortly after the publication of the FY20 accounts in July, PublicTechnology filed a freedom of information request seeking details of the breach in question.
The department has now revealed that the breach related to the “suspected loss” of two backup tapes containing data from the Home Office’s Proviso platform, which is the “case working system for entry clearance applications”.
The tapes went missing from the British Embassy building in the Serbian capital Belgrade.
The Home Office does not know exactly when the loss took place, but it is “estimated to be between 2014 and 2016” – as long as six years before the ICO was notified.
The information that the department said could have been compromised as a result of the breach was “entry clearance application data for one specific overseas post”.
“However, the tapes may have been destroyed without their destruction being recorded and may have been blank,” the Home Office added.
In light of the incident, “an internal investigation was conducted and measures were implemented as a result”.
The nature of these measures was not specified in the department’s response.
Similarly, it did not reveal what remedial measures were requested by the regulator, but admitted that “the ICO made a number of recommendations but imposed no enforcement action”.
The Belgrade incident was one of 25 that took place during the year that were serious enough to require reporting to the data-protection watchdog.
This included 10 instances of the loss of data or equipment from outside government premises – compared with four in FY19.
However, the number of incidents of “unauthorised disclosure” reported to the regulator fell from 26 to 11.
The overall number of unauthorised disclosures during the year dropped from 1,049 to 739.
In FY20 the Home Office saw 129 instances of data breaches that fell outside any of the specified categories, including three that were reported to the regulator. In the prior year, these figures stood at 30 and five, respectively.
The Belgrade incident at a glance:
- British Embassy, Belgrade – secure government premises from where data was lost in the incident reported to the ICO
- Two backup tapes – equipment that was lost or otherwise unaccounted for
- Between 2014 and 2016 – Home Office’s best estimate of when the loss took place
- ‘Entry clearance application data for one overseas post’ – data that may have been compromised in the breach
Since the EU General Data Protection Regulation came into effect in May 2018, the number of data breaches reported to the ICO each year has risen dramatically across all sectors – including the public sector.
The regulator’s first annual report following the introduction of GDPR revealed that total breach reports across all industries had quadrupled from 3,331 in FY18 to 13,840 in the 2019 year.
Local government, for example, has seen its collective annual tally of incidents requiring regulatory examination go from about 300 pre-GDPR to more than 1,000 in each of the last two years.
In its FY20 annual report, the Home Office said that the sharp rise in incidents recorded in its own systems spoke to greater cognisance of the relevant regulations and reporting procedures – particularly among staff at some of the department’s agencies.
“The rising trend in data incidents reported is largely due to increased awareness across business areas, reflecting the effort that has been delivered into data protection practitioner training over the year,” the report said. “This is particularly true in relation to HM Passport Office and UK Visas and Immigration, where a strong reporting culture has returned higher volumes of reports connected with data [and] postal misdirections. Enhanced awareness has enabled more accurate reporting of incidents, when they do occur, ensuring that only incidents of appropriate significance are escalated to the Information Commissioner’s Office.”
It added: “It is anticipated that overall data incident volumes may increase further as we continue to strengthen awareness and our incident reporting culture across the department. In parallel, we are encouraging the business to better articulate its approach to risk for data incidents, to help measure our longer-term efforts to reduce overall incident volumes.”