ICO alerted to breach of EU citizens’ data
For the second time inside a week, the Home Office has had to report itself to the UK data regulator, after accidentally sharing email addresses of settled status applicants
The Home Office has been forced to report itself to data watchdogs after it accidentally shared the emails of hundreds of EU citizens applying to stay in the UK after Brexit.
The department apologised after it failed to mask the addresses in a group email to applicants to the settled status scheme. Some 240 email addresses were revealed on Sunday 7 April after the department failed to use the 'bcc' function, which blanks out the details of other recipients.
It was contacting applicants who had faced technical difficulties while trying to apply to keep their rights in the UK after Brexit. In a fresh email on Wednesday, the Home Office apologised to those concerned and insisted all other personal data held by the department remained safe.
The Home Office has notified the Information Commissioner's Office of the breach but has not issued a formal report to the watchdog. It means the ICO will consider the evidence and decide whether or not to launch a full inquiry.
- Is the settled status scheme a tech triumph or digital disaster?
- Government ‘expects resolution’ to settled status app iPhone compatibility issues
- Renewed calls for Home Office to rethink digital-only settled status documentation
The Home Office said: “In communicating with a small group of applicants, an administrative error was made which meant other applicants’ email addresses could be seen. As soon as the error was identified, we apologised personally to the 240 applicants affected and have improved our systems and procedures to stop this occurring again.”
The department added that it had improved its email systems and procedures since the breach, as well as checks before communications are sent out.
An ICO spokesperson said: “The Home Office have made us aware of an incident in relation to the EU Settlement Scheme and we will assess the information provided.”
This breach comes after the Home Office admitted earlier this week that it had revealed private email addresses as the Windrush compensation scheme was launched.
Yvette Cooper, the Labour chair of the Home Affairs Select Committee, said: "For the Home Office to make the same basic mistake on data protection with EU citizens as it has just made with Windrush cases is extremely serious and raises major questions about Home Office systems and competence."
Tory MP Alberto Costa told PublicTechnology sister publication PoliticsHome: “I have repeatedly advised the government of the foreseeable problems that are now, sadly and unsurprisingly, arising with the Settled Status Scheme. I am very disappointed that my warnings are not being heeded. The Home Secretary, Sajid Javid, must now listen to those of us who are arguing that this registration process is fundamentally wrong, un-British and morally repugnant.”
In a lengthy attempt to find out about the security of government’s software systems, PublicTechnology finds a very uneven approach to transparency and what constitutes sensitive...
The UK has tended to only introduce data-protection laws in conjunction with EU legislation and, according to Ray Walsh from ProPrivacy, the post-Brexit world may see the country prioritise...
A major government-commissioned study found that about half of UK organisations are lacking basic security skills. PublicTechnology talks to the researchers behind it to find out where...
Introducing a dedicated week of features, interviews and exclusive research
CyberArk's David Higgins explores the cyber risks of hiring independent contractors
PublicTechnology talks to Rich Turner about why organisations need to adopt a ‘risk-based approach’ to security – but first make sure they get the basics right
CyberArk's John Hurst looks at the true cost of GDPR breaches