The UK Home Office reprimanded by the UK Information Commissioner’s Office for leaving sensitive documents at a public venue in London…an old school data breach
October 9, 2022 |
A data breach is not confined to a cyber attack resulting in theft of personal information or the insertion of ransomware. A data breach includes loss of paper documents in a public place or documents stored on a mobile device or memory stick.
The Information Commissioner issued a formal reprimand to the Home Office, after sensitive documents were found at a public London venue in September 2021. It involved 4 documents in an envelope.
As is commonly the way of it, the documents were handed to police in September 2021. The documents included two Extremism Analysis Unit Home Office reports and a Counter Terrorism Policing report. The reports contained personal data, including that of Metropolitan Police staff.
As often happens, the initial data breach is usually only the start of the organisation’s trouble. The regulator found the Home Office’s processes lacking.
Not surprisingly the ICO found that the Home Office had failed to ensure an appropriate level of security of personal data, including where documents were classified as ‘Official Sensitive’ did not have a specific sign-out process for the removal of documents from the premises.
The reprimand relevantly states:
- the documents were classified ‘Official-Sensitive’ and contained specific handling instructions. Those handling instructions stated that to ensure the confidentiality of the reports, they must be kept securely, and appropriate measures must be taken to prevent the unlawful or unauthorised processing of the personal data they contain.
- the handling instructions for the reports were not followed as they were found unsecured in a venue in London where they were accessed by unauthorised individuals.
- prior to the breach, the Secretary of State for the Home Department did not have a specific sign out process in place for the removal of ‘Official-Sensitive’ documents from its premises.
- extra care should be taken when handling such information to ensure its security.
- staff of the Secretary of State for the Home Department first became aware of the breach on 6 September 2021, however the breach was not reported to the ICO until 4 April 2022.
- the Secretary of State for the Home Department was aware that the incident involved Home Office reports which contained personal data and special category data.
- the Secretary of State for the Home Department had sufficient information in order to report the breach to the ICO within the statutory time limits, namely within 72 hours of first becoming aware of it.