UK Home Office breached GDPR 100 times

From third-party data disclosures to lost passwords and sending ID cards to the wrong addresses, the UK Home Office has managed to breach the EU’s General Data Protection Regulation (GDPR) at least 100 times.

The Home Office oversees the EU Settlement Scheme (EUSS), the programme for EU, EEA and Swiss citizens who want to stay in the UK legally after 30th June 2021.

According to a report released by the immigration watchdog, the Independent Chief Inspector of Borders and Immigration (ICIBI), the Home Office had received more than 1.3m applications by 31st August 2019.

Processing such a large number of applications is certain to lead to some mistakes, and in the case of the Home Office, there were plenty.

The first such example dates back to 7th April and involves an employee sending out emails to 240 recipients without using the blind copy (BCC) field.

The result was that the recipients’ addresses were not shielded properly and were therefore revealed to everyone who received the email.

The Home Office blamed this on human error and apologised.

What followed was a series of events that included ID cards being sent to the wrong addresses, passports being lost, identity documents being misplaced, and applicants’ personal information being shared without asking for consent.

Although these are clearly all examples of GDPR breaches, there seems to be a common theme to them: namely, poor document handling.

The ICIBI said that by making the instructions clearer and improving organisation, the Home Office should be able to resolve the issues.

In its defence, the Home Office claims to be constantly reviewing its procedures and processes to mitigate the risk of data breaches.

Bulk email processes have been overhauled to make them error-free going forward.

Moreover, the Home Office promises that GDPR awareness training is now mandatory.