Department is censured for the second time in 10 days after probe reveals it took seven months to notify watchdog of breach
The UK’s data-protection watchdog has hit the Home Office with a formal reprimand after paper documents containing personal information and details of anti-terrorism activities were left at a venue in London.
The warning is the second time in little more than a week that the department has been publicly censured by the Information Commissioner’s Office.
The latest reprimand relates to an envelope containing four files that, on 5 September last year, was left at an unnamed public location somewhere in the capital. The documents – which comprised two reports from the Home Office’s Extremism Analysis Unit, and two copies of a report on counter-terrorism policing – were found by staff at the venue and handed over to the police. They were then returned to the Home Office the day after they had been mislaid.
The files were classified as ‘Official Sensitive’ and contained information deemed as ‘special category’ under data-protection law. Included in them was personal information on three people, including two Metropolitan Police staff, as well as a foreign national who is applying for a UK visa and is “the subject of the documents”, according to the ICO reprimand.
Having been alerted to the incident, the Cabinet Office-based Government Security Group conducted an investigation which concluded that “the most likely source” of the breach was the Home Office.
The reprimand – which has been issued to the office of the secretary of state – notes that the ICO was not informed of the incident until 4 April 2022, seven months after it took place.
Organisations that suffer data breaches are required to report them to the watchdog within 72 hours of their detection.
“Although it is accepted that, at the time of discovering the breach, it was unclear as to how the documents came to be left at the venue, the secretary of state was nevertheless aware that the incident involved Home Office reports which contained personal data and special-category data,” the ICO said. “Therefore, it is our view that the secretary of state had sufficient information to report the breach to the ICO within statutory time limits.”
As well as failing to notify the regulator within the necessary timeframe, the Home Office also contravened UK GDPR laws via a lack of “appropriate technical or organisational” measures needed to properly protect data.
ICO investigators found that the department “did not have a specific sign-out process in place for the removal of ‘Official-Sensitive’ documents from its premises”.
The watchdog noted that the Home Office has already taken some “remedial steps” in light of the incident, including the introduction of unique reference numbers for sensitive documents.
The reprimand recommends that the department take further action, beginning with a review of “handling instructions” for information classified at Official-Sensitive level.
The ICO has also encouraged the introduction of a clear procedure through which documents can be signed out in the future, as well as a review examining whether employees taking such documents off site are given adequate advice.
The regulator further recommends that staff compliance with GDPR requirements is monitored, and related training programmes are reviewed.
The final recommendation asks that the Home Office takes care in future not only to report all breaches within the mandatory three-day window, but that “the learning from any breach report analysis should also be shared across the organisation, to embed lessons learnt”.
‘Respectfully and carefully’
Commissioner John Edwards said: “Government officials are expected to work with sensitive documents in order to run the country. There is an expectation, both in law and from the people the government serves, that this information will be treated respectfully and securely. In this instance that did not happen, and I expect the department to take steps to avoid similar mistakes in the future.”
Home secretary Suella Braverman will have ultimate responsibility for implementing the recommendations – although the incident and its fallout took place during the tenure of her predecessor, Priti Patel.
A spokesperson for the Home Office said: “The UK has one of the most robust and transparent oversight regimes for the protection of personal data and privacy anywhere in the world. We note the decision published by the Information Commissioner’s Office… and will take its implications into consideration. We continue to ensure that robust controls and independent oversight are in place to ensure we are fully compliant with requirements on processing of personal data.”
In an open letter to the public sector published over the summer, the information commissioner outlined that his office would be pursuing a new approach to its dealings with government organisations. Defined by a focus on raising standards, its engagement with public bodies will try to avoid punitive financial penalties – but is likely to feature a greater number of public reprimands, he said.
The approach was exemplified by the reprimand issued late last month to the Home Office, alongside the Ministry of Defence, Kent Police, Virgin Media and three London borough councils – Hackney, Lambeth, and Croydon. All seven organisations were publicly censured over a failure to meet obligations related to subject access requests, which allow citizens to request details of data held about them, and copies of the information in question.
The commissioner told PublicTechnology that publicising these reprimands was “very much” part of the new approach, and that the next step is to better help the organisations in question to improve.
“We will work with organisations who want to improve, and we will give them guidance and tools to get them where they want to be. But, if they are failing to meet their statutory obligations, we will call it out,” Edwards said.