Home Office Admits 100 GDPR Breaches in EU Scheme

The Home Office breached the GDPR 100 times in its handling of EU citizens’ data in the space of just five months, an inspector’s report has revealed.

Between March 30 and August 31 2019 the government department admitted a catalog of errors including misplaced passports, documents sent to the wrong recipient’s address and unauthorized disclosure, according to the Independent Chief Inspectorate of Borders and Immigration (ICIBI)

The report is the second to focus on the controversial EU Settlement Scheme (EUSS), which EU citizens must apply to if they want to remain in the UK post-Brexit. The EUSS launched at the end of March.

“The information provided to inspectors regarding data breaches was concerning, not least the increase in breaches each month between April and July 2019 (with a slight dip in August 2019), albeit most of those to the end of June were due to a postal company rather than EUSS staff or processes,” it concluded.

“Data breaches damage public confidence, and applicants will blame the Home Office, whether or not this is fair. It is therefore important for the Home Office to do everything it can to keep breaches to a minimum.”

Aside from the 23 documents misplaced by a postal company in July, the worst incident came in April, when 240 email addresses were exposed after a Home Office employee forgot to put them in the BCC field when sending a bulk email.

That incident happened just days after a similar privacy snafu in which the Home Office exposed the details of 500 applicants to the Windrush compensation scheme — itself set up after the mistreatment of Commonwealth citizens by the Conservative government.

At the EUSS, important ID documents were misplaced inside the EUSS office on multiple occasions and sometimes returned to the wrong address, according to the report.

The Home Office claimed it is getting better at data protection.

“We are also in discussion with the heads of security, integrity and data protection to ensure our processes are aligned to GDPR compliance,” it replied to the ICIBI. “Bulk email processes have changed so there will be no errors going forward.”

The ICIBI also suggested that the problems it uncovered should be easy enough to fix.

“Most appear to have involved document handling errors and these should be easiest to prevent with clear instructions and good organization,” it said.

What’s Hot on Infosecurity Magazine?