The Home Office breached GDPR 100 times between 30th March and 31st August 2019, a report from the Independent Chief Inspectorate of Borders and Immigration (ICIBI) has found.
The breaches took place in relation to the EU Settlement Scheme, which accepts applications from EU citizens so that they can remain in the UK after Brexit. They included unauthorised disclosure of information, documents being sent to the wrong person, and passports being misplaced.
According to an article from Infosecurity, the breaches also saw “23 documents misplaced by a postal company in July” and an incident in April where “240 email addresses were exposed after a Home Office employee forgot to put them in the BCC field when sending a bulk email”.
The article quotes the ICIBI report as follows:
“The information provided to inspectors regarding data breaches was concerning, not least the increase in breaches each month between April and July 2019 (with a slight dip in August 2019), albeit most of those to the end of June were due to a postal company rather than EUSS staff or processes,” it concluded.
“Data breaches damage public confidence, and applicants will blame the Home Office, whether or not this is fair. It is therefore important for the Home Office to do everything it can to keep breaches to a minimum.”
The response from the Home Office was that its data protection measures and procedures are improving:
“We are also in discussion with the heads of security, integrity and data protection to ensure our processes are aligned to GDPR compliance,” it replied to the ICIBI. “Bulk email processes have changed so there will be no errors going forward.”
The ICIBI also suggested that the problems it uncovered should be easy enough to fix.
“Most appear to have involved document handling errors and these should be easiest to prevent with clear instructions and good organization,” it said.
You can read the full article from Infosecurity here.
This demonstrates that human error is a big problem when it comes to data protection. As we learned at PrivSecLondon last month, it is responsible for 60% of all breaches.
This can and should be countered with training for all employees, at both the lowest and highest levels. A culture shift is also needed across organisations in order to keep up with evolving legislation.
If you want to make sure your employees are up to date and know their obligations under GDPR, check out our Staff Training offers, which are available in both in-person and online formats.