The Home Office reported 35 data breaches to the ICO (Information Commissioner’s Office) in 2018–19, including several cases of employees accidentally disclosing sensitive information to unauthorised parties.
A further 1,895 data breaches were logged by the Home Office’s data controller during the year but deemed not within the data breach notification requirements of the GDPR (General Data Protection Regulation).
These findings, which were published in the department’s Annual Report and Accounts 2018–19, represent a huge increase on the previous year, in which only two incidents were reported and 64 incidents were logged.
That’s not to suggest that the Home Office has suddenly got much worse at data protection. Rather, the department says an increased awareness of data breach notification requirements, including what counts as personal data, has led to greater transparency.
How are data breaches occurring so regularly?
Almost three quarters of the data breaches disclosed by the Home Office were the result of unauthorised or accidental disclosure. The report highlights three examples of how that occurred.
- An email sent to 240 applicants for settled status included their email addresses in the cc field, as opposed to the bcc field. This meant that each applicant could see the email address of everyone else in that batch.
- The department made the same mistake concerning the Windrush Compensation Scheme. Five batches of emails, each with 100 recipients, were sent to people who had registered an interest in being kept informed about the scheme’s launch, and their email addresses were all included in the cc field.
- A third party responsible for maintaining the General Aviation Report system suffered an administrative error that compromised the personal data of 168 users – mainly pilots and flight handlers who use the system to register who and what is on each non-scheduled flight – making their email addresses visible to everyone else on the system.
Improvements are coming
The Home Office report stresses that “the first duty of the government is to keep citizens safe and the country secure”, and it acknowledges that data security is a crucial part of that.
The report also states that the department “manages significant data assets in its delivery of public services. It is essential that we manage those assets properly and do not lose the public’s trust and confidence, in particular by being non-compliant with data protection legislation.”
It adds: “Improving data protection should see a reduction in breaches, but also in better use of personal data, improved quality of the data and understanding of its lineage, and responding appropriately to information rights requests by individuals.”
The department has taken several key steps to better protect personal data: all staff are required to complete mandatory information use training, senior employees are given specific data protection training, and technical measures and processes to improve data protection processes have been implemented. Notably, it has introduced strict controls on the use of bulk emails when communicating with the public.
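The three incidents listed above are the same failure: members of the public placed in To or Cc, where every recipient can read every other address. A pre-send guard is one of the "strict controls on bulk email" a department can implement. The following is an added example written for this page, not Home Office or vendor code; the internal domain, the visible-address limit and the sample message are assumptions, and the sample reproduces the settled-status mistake with constructed addresses.

```python
"""Pre-send guard for bulk mail: refuse messages that expose the public in To/Cc,
and rewrite them so external recipients are moved to Bcc.

Added example (not Home Office code). INTERNAL_DOMAINS, VISIBLE_LIMIT and the
sample message are assumptions for illustration.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: addresses in these domains are colleagues, whose visibility is acceptable.
INTERNAL_DOMAINS = {"example.gov.uk"}
# Assumption: a public-facing message may show at most one external address in To/Cc.
VISIBLE_LIMIT = 1


def recipients(msg: EmailMessage, header: str) -> list[str]:
    """Bare, lower-cased addresses from every instance of a header (display names dropped)."""
    return [addr.lower() for _name, addr in getaddresses(msg.get_all(header, [])) if addr]


def visible_external(msg: EmailMessage) -> list[str]:
    """Addresses every recipient can see (To and Cc) that are not internal."""
    seen = recipients(msg, "To") + recipients(msg, "Cc")
    return [a for a in seen if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]


def check_bulk_message(msg: EmailMessage, limit: int = VISIBLE_LIMIT) -> list[str]:
    """Return the problems found; an empty list means the message is safe to send."""
    problems = []
    external = visible_external(msg)
    if len(external) > limit:
        problems.append(
            f"{len(external)} external addresses visible in To/Cc (limit {limit}); use Bcc"
        )
    return problems


def to_bcc(msg: EmailMessage, sender: str) -> EmailMessage:
    """Rewrite a bulk message so members of the public cannot see each other.

    External To/Cc addresses move to Bcc, To becomes the sender's own address,
    internal colleagues stay in Cc. smtplib.send_message() strips the Bcc header
    before transmission and uses it only as envelope recipients, so the list
    never reaches the recipients.
    """
    external = visible_external(msg)
    internal = [
        a for a in recipients(msg, "To") + recipients(msg, "Cc")
        if a not in external and a != sender.lower()
    ]
    fixed = EmailMessage()
    for name, value in msg.items():  # keep From, Subject, Date... but rebuild recipients
        low = name.lower()
        if low in {"to", "cc", "bcc"} or low.startswith("content-"):
            continue
        fixed[name] = str(value)
    fixed.set_content(msg.get_content())
    fixed["To"] = sender
    if internal:
        fixed["Cc"] = ", ".join(dict.fromkeys(internal))
    hidden = dict.fromkeys(recipients(msg, "Bcc") + external)  # de-duplicate, keep order
    fixed["Bcc"] = ", ".join(hidden)
    return fixed


def build_sample() -> EmailMessage:
    """Constructed message reproducing the mistake: every applicant in Cc."""
    msg = EmailMessage()
    msg["From"] = "eu-settlement@example.gov.uk"
    msg["To"] = "eu-settlement@example.gov.uk"
    msg["Cc"] = ", ".join(f"applicant{i}@example.net" for i in range(1, 6))
    msg["Subject"] = "Your settled status application"
    msg.set_content("Thank you for your application.")
    return msg


if __name__ == "__main__":
    bad = build_sample()
    print("before:", check_bulk_message(bad))
    good = to_bcc(bad, "eu-settlement@example.gov.uk")
    print("after:", check_bulk_message(good) or "ok", "| Bcc:", good["Bcc"])
```

In practice the guard sits in the mail gateway or the bulk-sending tool rather than in an individual's mail client, so that the check cannot be skipped; sending one individually addressed message per recipient avoids the problem entirely and is the more robust design.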
Are you making similar mistakes with email?
Email is an essential part of most business practices, and you must be sure you’re not risking data breaches when you communicate with the public.
You might not have the resources to overhaul your systems to mitigate this risk, but staff awareness training is a much simpler first step that closes the most common gap: a sender who does not know the difference between the cc and bcc fields. Technical controls on bulk email, such as those the Home Office has introduced, remain the more durable safeguard.
Our Misuse of Cc and Bcc when emailing training course explains the risks involved in emailing and shows you how to prevent costly mistakes. You’ll learn everything you need to know in just ten minutes and without ever having to leave your desk.
This is the third in our “Human Patch” training series, which is designed to provide quick, easy-to-follow lessons on common workplace incidents and mistakes.
Our other courses tackle: