Home Office reprimanded by ICO for sensitive data security breach

The UK’s Home Office has been issued with a formal reprimand from the Information Commissioners Office (ICO) following the discovery of sensitive paper-based documentation being left in a public location in London.

Sensitive information left in a public location

The data breach relates to an envelope containing four files which was left in a public location in London on the 5th September 2021. The location at which the documents were found has not been named, however the content of the docu-mentation has been described as: two reports by the Home Office’s Extremism Analysis Unit and two copies of a report relating to counter terrorism policing. 

The reports were classified as “official-sensitive” and contained special category data, under the definitions of UK data protection law. Personal information con-tained within the reports related to two serving metropolitan police staff mem-bers, and a foreign national who is the “subject” of the reports. 

The documents were discovered and handed to the police by staff who were working at the location; the police returned the documentation to the Home Office the next day. 

Reporting failures

The ICO have reprimanded the Home Office following an investigation which concluded that they were the “most likely source” of the breach and that they had contravened UK data protection laws by failing to properly protect the data via “appropriate technical or organisational measures.” 

Not only that, but there was a significant delay in reporting the breach. The ICO was not informed of this particular data incident until the 4th of April 2022, which was seven months after it took place. Data breaches within any organisa-tion within the UK must be reported to the ICO within 72 hours of detecting them. 

“Although it is accepted that, at the time of discovering the breach, it was unclear as to how the documents came to be left at the venue, the Secretary of State was nevertheless aware that the incident involved Home Office reports which contained personal data and special-category data...Therefore, it is our view that the secretary of state had sufficient information to report the breach to the ICO within statutory time limits."
- ICO

Security protocol failures

During the ICO’s investigation of the Home Office, they found that there was no specific pro-cess in place for signing out or removing “official-sensitive” documents physically, from the premises. Part of the ICO’s recommendation was also to ensure that staff who take such doc-umentation off-site are given appropriate advice and information security training and that a clear procedure allowing the sign-out of such documents in future, is implemented immedi-ately. A full review of training and existing “handling instructions” for sensitive documents is also to be carried out in light of the incident. 

The ICO have also advised the Home Office to report any future incidents within the 72 hour window. 

The Home Office have already taken some remedial action such as the introduction of unique reference numbers for sensitive documents. 

“Government officials are expected to work with sensitive documents in order to run the country. There is an expectation, both in law and from the people the government serves, that this information will be treated respectfully and securely. In this instance that did not happen, and I expect the department to take steps to avoid similar mistakes in the future.”
- Commissioner John Edwards, ICO