ICO alerted to breach of EU citizens’ data
For the second time inside a week, the Home Office has had to report itself to the UK data regulator, after accidentally sharing email addresses of settled status applicants
The Home Office has been forced to report itself to data watchdogs after it accidentally shared the emails of hundreds of EU citizens applying to stay in the UK after Brexit.
The department apologised after it failed to mask the addresses in a group email to applicants to the settled status scheme. Some 240 email addresses were revealed on Sunday 7 April after the department failed to use the 'bcc' function, which blanks out the details of other recipients.
It was contacting applicants who had faced technical difficulties while trying to apply to keep their rights in the UK after Brexit. In a fresh email on Wednesday, the Home Office apologised to those concerned and insisted all other personal data held by the department remained safe.
The Home Office has notified the Information Commissioner's Office of the breach but has not issued a formal report to the watchdog. It means the ICO will consider the evidence and decide whether or not to launch a full inquiry.
- Is the settled status scheme a tech triumph or digital disaster?
- Government ‘expects resolution’ to settled status app iPhone compatibility issues
- Renewed calls for Home Office to rethink digital-only settled status documentation
The Home Office said: “In communicating with a small group of applicants, an administrative error was made which meant other applicants’ email addresses could be seen. As soon as the error was identified, we apologised personally to the 240 applicants affected and have improved our systems and procedures to stop this occurring again.”
The department added that it had improved its email systems and procedures since the breach, as well as checks before communications are sent out.
An ICO spokesperson said: “The Home Office have made us aware of an incident in relation to the EU Settlement Scheme and we will assess the information provided.”
This breach comes after the Home Office admitted earlier this week that it had revealed private email addresses as the Windrush compensation scheme was launched.
Yvette Cooper, the Labour chair of the Home Affairs Select Committee, said: "For the Home Office to make the same basic mistake on data protection with EU citizens as it has just made with Windrush cases is extremely serious and raises major questions about Home Office systems and competence."
Tory MP Alberto Costa told PublicTechnology sister publication PoliticsHome: “I have repeatedly advised the government of the foreseeable problems that are now, sadly and unsurprisingly, arising with the Settled Status Scheme. I am very disappointed that my warnings are not being heeded. The Home Secretary, Sajid Javid, must now listen to those of us who are arguing that this registration process is fundamentally wrong, un-British and morally repugnant.”
Ciaran Martin believes major security incident is still more likely to come from ‘unintentional consequence’, rather than attackers’ expertise
The invalidation of the EU-US data-protection agreement could have major ramifications for UK organisations’ legal responsibilities
A selection of telecoms executives and academics will help deliver a strategy to be published later this year
The spread of online misinformation during the Covid-19 pandemic has exacerbated a public health crisis. PublicTechnology digs into a recent parliamentary inquiry to find out...