The UK home office has been blamed by the Independent Chief Inspector of Borders and immigration for GDPR violations, stating that it misplaced personal documents of EU residents when handling the EU settlement scheme.
During its preparation for Brexit, the UK government designed a settlement scheme for EU and non-EU citizens to protect their residence in the UK after the transition period has ended. However, the Independent Chief Inspector of Borders and immigration (ICIBI) said that between April and August last year, the EU settlement scheme faced around a hundred incidents of data loss or leakage to unauthorised third parties.
These included passports and other identification documents being misplaced in the office and several other postages including sensitive information, being delivered to incorrect addresses. These incidents occurred around the same time when Home Office committed an "administrative error" that resulted in the leakage of email addresses of hundreds of Windrush migrants to unauthorised parties.
A large number of Windrush migrants requested the Home Office to provide more information about the compensation scheme, following which a series of emails were sent out to these migrants with each email containing about a hundred recipients.
However, before sending the emails, the Home Office failed to mask email addresses by entering them in the 'bcc field', thereby leaving email addresses of hundreds of migrants visible to others. After the breach was discovered, Immigration Minister Caroline Nokes issued an apology for the "administrative error", stating that an internal review had been launched to investigate the breach.
Home Office committed multiple data breach incidents in 2019
“The information provided to inspectors regarding data breaches was concerning, not least the increase in breaches each month between April and July 2019 (with a slight dip in August 2019), albeit most of those to the end of June were due to a postal company rather than EUSS staff or processes,” Chief Inspector of Border and Immigration, David Bolt wrote in his report published on Thursday.
“Data breaches damage public confidence, and applicants will blame the Home Office, whether or not this is fair. It is therefore important for the Home Office to do everything it can to keep breaches to a minimum. Most appear to have involved document handling errors and these should be easiest to prevent with clear instructions and good organisation.” he added. The Home Office did not specifically respond to the incident of data breach highlighted by the Chief inspector.
Commenting on incidents of data breach involving the Home Office, Joseph Carson, chief security scientist at Thycotic said: “When things are rushed people make mistakes and this appears to be what is going on with post Brexit schemes such as the EU settlement scheme. Sometimes quick and fast does not exactly meet the requirement for security and privacy, which appears to have been the challenge facing The Home Office when handling EU citizen personal data and unintentionally resulting data breaches.
“Unless something dramatically changes with the approach to security and privacy this will continue and we can surely expect to learn of more data breaches,” he added.