UK Home Office breached GDPR 100 times through botched management of EU Settlement Scheme

ID cards sent to the wrong addresses, third party data disclosures, and lost passports are only some examples of mishandling.

The UK Home Office has breached European data protection regulations at least 100 times in its handling of the EU Settlement Scheme (EUSS).

IDs have been lost, documents misplaced, passports have gone missing, and applicant information has been disclosed to third parties without permission in some of the cases, according to a new report. 

David Bolt, the Independent Chief Inspector of Borders and Immigration (ICIBI), said in a report (.PDF) produced by the immigration watchdog that serious breaches of the EU's General Data Protection Regulation (GDPR) have been recorded by the EUSS, despite GDPR awareness training given to staff.

The EUSS allows EU, EEA, and Swiss citizens to apply for residency rights and settled status in order to continue living in the United Kingdom after 30 June 2021. Those with indefinite leave to remain do not need to apply.

According to the report, the Home Office -- the overseer of EUSS -- received over 1.3 million applications by the end of August 2019. Millions more have already been approved. With large volumes, however, come mistakes, and there were 100 recorded incidents between March 30 and August 31 in which GDPR data protection laws were broken by the government.

The first case, dated April 7, involved an employee who sent emails to 240 recipients without blind copy protections, leading to each address being inadvertently shared. 

The Home Office apologized at the time, blaming the incident on human error. 

Four breaches in total took place in April, 11 were recorded in May, 24 incidents occurred in June, 32 in July, and 29 in August. Security issues include ID cards sent to the wrong applicants and home addresses, a number of lost passports, identity documents misplaced by both postal services and the EUSS in many cases, and applicant information shared with third parties without consent.

The ICIBI says that it is important for the Home Office "to do everything it can to keep breaches to a minimum" -- but the problems uncovered during the investigation should be easy enough to fix as they generally relate to "document handling errors" which can be resolved through "clear instructions and good organization."

"We regularly review all processes and procedures to mitigate against data breaches," the Home Office said. "These are reviewed regularly and amended if needed. We are also in discussion with the heads of security, integrity and data protection to ensure our processes are aligned to GDPR compliance. Bulk email processes have changed so there will be no errors going forward."

The government added that GDPR awareness training is now enforced and sessions are held regularly. 

"We have onboarded large numbers of new staff across the department in the last 18 months," the Home Office says. "All will have attended induction training."
