What sensitive data did the Home Office lose in Belgrade?

Written by Sam Trendall on 29 September 2020 in Features

Department’s annual report shows, for the first time in many years, documents or data lost from a secure government building had to be reported to the ICO. PublicTechnology finds out more.

Credit: Stevan Aksentijevic from Pixabay 

In 2019/20 the Home Office recorded more than twice as many data breaches as in the prior year – including, for the first time in many years, a serious breach in which documents or devices went missing from a secure government premises.

Over the course of the 12-month period to the end of March 2020, the department recorded 4,229 data breaches, compared with 1,930 incidents in the previous year. This equates to a rise of almost 120%.

The biggest chunk of this increase came in losses of “inadequately protected” documents or devices that, at the time they went missing, were not housed in a government building. There were 2,414 instances of a data breach of this nature in FY20, more than three times as many as the previous year, when the department recorded a total of 706 such incidents.

The largest rise, in percentage terms, was in the loss of documents, devices, or data from inside secure government premises. Instances of this type of breach ballooned more than sixfold from 145 to 947. 

But, in 946 cases, these incidents were not flagged up with the Information Commissioner’s Office for further investigation.

Total number of data breaches recorded by the Home Office last year, compared with 1,930 in the prior year

Annual increase in data-breach incidents

Number of incidents reported to ICO in FY20 – ten fewer than the previous year

Home Office agencies where a ‘strong reporting culture’ contributed to the big rise in reported incidents

But one of these incidents was deemed serious enough to require reporting to the ICO.

This is the first time such a serious breach of this nature has been recorded by the Home Office since at least the 2012/13 year – which is the period of time for which this level of detail is provided in the department’s annual reports.

Shortly after the publication of the FY20 accounts in July, PublicTechnology filed a freedom of information request seeking details of the breach in question.

The department has now revealed that the breach related to the “suspected loss” of two backup tapes containing data from the Home Office’s Proviso platform, which is the “case working system for entry clearance applications”.

The tapes went missing from the British Embassy building in the Serbian capital Belgrade. 

The Home Office does not know exactly when the loss took place, but it is “estimated to be between 2014 and 2016” – as long as six years before the ICO was notified. 

The information that the department said could have been compromised as a result of the breach was “entry clearance application data for one specific overseas post”.

“However, the tapes may have been destroyed without their destruction being recorded and may have been blank,” the Home Office added.

In light of the incident, “an internal investigation was conducted and measures were implemented as a result”.

The nature of these measures was not specified in the department’s response.

Similarly, it did not reveal what remedial measures were requested by the regulator, but admitted that “the ICO made a number of recommendations but imposed no enforcement action”.

The Belgrade incident was one of 25 that took place during the year that were serious enough to require reporting to the data-protection watchdog.

This included 10 instances of the loss of data or equipment from outside government premises – compared with four in FY19.

However, the number of incidents of “unauthorised disclosure” reported to the regulator fell from 26 to 11.

The overall number of unauthorised disclosures during the year dropped from 1,049 to 739.

In FY20 the Home Office saw 129 instances of data breaches that fell outside any of the specified categories, including three that were reported to the regulator. In the prior year, these figures stood at 30 and five, respectively.

British Embassy, Belgrade
Secure government premises from where data was lost in incident reported to ICO

Two backup tapes
Equipment that was lost or otherwise unaccounted for

Home Office’s best estimate of when the loss took place

‘Entry clearance application data for one overseas post’
Data that may have been compromised in the breach

Since the EU General Data Protection Regulation came into effect in May 2018, the number of data breaches reported to the ICO each year has risen dramatically across all sectors – including the public sector. 

The regulator’s first annual report following the introduction of GDPR revealed that total breach reports across all industries had quadrupled from 3,331 in FY18 to 13,840 in the 2019 year.

Local government, for example, has seen its collective annual tally of incidents requiring regulatory examination go from about 300 pre-GDPR to more than 1,000 in each of the last two years.

In its FY20 annual report, the Home Office said that the sharp rise in incidents recorded in its own systems spoke to greater cognisance of the relevant regulations and reporting procedures – particularly among staff at some of the department’s agencies.

“The rising trend in data incidents reported is largely due to increased awareness across business areas, reflecting the effort that has been delivered into data protection practitioner training over the year,” the report said. “This is particularly true in relation to HM Passport Office and UK Visas and Immigration, where a strong reporting culture has returned higher volumes of reports connected with data [and] postal misdirections. Enhanced awareness has enabled more accurate reporting of incidents, when they do occur, ensuring that only incidents of appropriate significance are escalated to the Information Commissioner’s Office.”

It added: “It is anticipated that overall data incident volumes may increase further as we continue to strengthen awareness and our incident reporting culture across the department. In parallel, we are encouraging the business to better articulate its approach to risk for data incidents, to help measure our longer-term efforts to reduce overall incident volumes.”


About the author

Sam Trendall is editor of PublicTechnology
