British Home Office Admits to Breaching GDPR 100 Times

In the United Kingdom, a report issued by the Independent Chief Inspectorate of Borders and Immigration (ICIBI) has revealed that the  Home Office (UK) has broken the European Union’s General Data Protection Regulation  100 times as it was managing the private data of EU citizens’ data.

The report that was published showed that, on a number of different occasions from March 30-August 31 during 2019, the UK Home Office was responsible for a range of errors including misplaced passports, documents sent to the incorrect recipient’s address and unauthorized disclosure.

The report said that the report is a cause for concern as it clearly indicates that there was a progressive increase, month on month, in the number of breaches committed within the Home Office department and the damaging impacting it will have on the work carried out by the UK Government department.

It said: “The information provided to inspectors regarding data breaches was concerning, not least the increase in breaches each month between April and July 2019 (with a slight dip in August 2019), albeit most of those to the end of June was due to a postal company rather than EUSS staff or processes. Data breaches damage public confidence, and applicants will blame the Home Office, whether or not this is fair. It is therefore important for the Home Office to do everything it can to keep breaches to a minimum.”

The report went into detail on breaches committed in relation to the EU Settlement Scheme (EUSS). The EUSS scheme was established for EU, EEA, and Swiss citizens to apply for residency rights and settled status in order to remain living in the United Kingdom after 30 June 2021. However, there is no requirement for those with indefinite leave to remain to apply for the scheme. The first breach was recorded on April 7, involved an employee who shared emails to 240 recipients without using the BCC fields, resulting in every address included being shared without permission. Additionally, at the EUSS important ID documents were misplaced inside the EUSS office on a number of different occasions and, in some cases, sent to the wrong address, according to the report.

That GDPR breach took place shortly after a similar privacy error when the Home Office exposed the details of 500 applicants to the Windrush compensation scheme. This is a scheme that was established in order to address the mistreatment of Commonwealth citizens by the Conservative government.

In response to the report, the Home Office issued a statement to say that it is attempting to enhance its data protection processes, with some success.  The statement said: “We are also in discussion with the heads of security, integrity and data protection to ensure our processes are aligned to GDPR compliance,”

The ICIBI also suggested that the problems it uncovered should be easy enough to fix saying: “Bulk email processes have changed so there will be no errors going forward. Most appear to have involved document handling errors and these should be easiest to prevent with clear instructions and good organization.”