The UK Home Office breached the General Data Protection Regulation (GDPR) 100 times in its handling of EU citizens’ data, an investigation has found.
The Independent Chief Inspector of Borders and Immigration (ICIBI) found that a “concerning” number of data breaches occurred between 30 March and 31 August 2019, amounting to 100 GDPR breaches in total.
The ICIBI, a government-appointed official responsible for examining the UK’s border and immigration, said that these were largely the result of “document handling errors” such as ID documents, including passports, being misplaced, documents being sent to the wrong address, and the unauthorised disclosure of information to a third party.
The EU Settlement Scheme (EUSS) enables EU, EEA and Swiss citizens to continue living in the UK after 30 June 2021. According to the Home Office, more than 3 million people have applied to the scheme as of February 2020.
Darren Wray, CTO & co-founder at Guardum said: “Whenever you are dealing with personal information, it is vital to follow the Educate and Automate mantra.
“Education ensures that all staff need, understand and have the right level of awareness of the data protection processes, controls and regulation.
“Mature controls are automated controls. If you leave staff to send emails as part of a process, data will leak and will breach. The Home Office may blame human error, but the fact is humans can only make mistakes if the processes are not automated.”
In April 2019, the Home Office apologised after an administrative error meant that the email addresses of 240 EU citizens were visible to other recipients, breaching GDPR.
In the report, the ICIBI said data breaches such as this damage public confidence and recommends that the Home Office “do everything it can” to mitigate future breaches.
“Quick and fast does not exactly meet the requirement for security and privacy”
Joseph Carson, chief security scientist at Thycotic said:
“When things are rushed people make mistakes and this appears to be what is going on with post-Brexit schemes such as the EU settlement scheme. Sometimes quick and fast does not exactly meet the requirement for security and privacy, which appears to have been the challenge facing The Home Office when handling EU citizen personal data and unintentionally resulting data breaches.
Unless something dramatically changes with the approach to security and privacy this will continue and we can surely expect to learn of more data breaches.”