ICO reprimands Home Office after sensitive documents left at London venue

The Information Commissioner's Office has issued a formal reprimand to the Home Office after 'Official Sensitive' classified documents were found at a London venue.

The documents included two Extremism Analysis Unit Home Office reports and a Counter Terrorism Policing report containing personal data relating to a foreign UK visa applicant and two Metropolitan Police staff.

Venue staff handed the documents to the police in September 2021, who then returned them to the Home Office. The ICO did not hear of the breach until April 2022.

A Government investigation concluded the Home Office was the most likely source of the documents.

The ICO found that the Home Office had failed to ensure an appropriate level of security of personal data, including where documents were classified as 'Official Sensitive'. Its investigation also found that the Home Office did not have a specific sign-out process for the removal of documents from the premises, and the incident was not reported to the ICO within the 72-hour time limit.

As a result, the ICO issued a reprimand to the Secretary of State for the Home Department, as the relevant data controller of the personal data concerned, for having infringed articles 5(1)(f) and 33(1) of UK GDPR.

Article 5(1)(f) states:

“Personal data shall be:

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

Article 33(1) states:

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”

The reprimand set out further actions needed, including a review of the handling instructions around ‘Official Sensitive’ information, consideration of a sign out process when documents leave the office, and a review of training provided to staff around the handling of records containing personal data.

Information Commissioner John Edwards said: "Government officials are expected to work with sensitive documents in order to run the country. There is an expectation, both in law and from the people the government serves, that this information will be treated respectfully and securely. In this instance that did not happen, and I expect the department to take steps to avoid similar mistakes in the future."

A Home Office spokesperson said: “The UK has one of the most robust and transparent oversight regimes for the protection of personal data and privacy anywhere in the world.

“We note the decision published by the Information Commissioner's Office (ICO) today, and will take its implications into consideration. We continue to ensure that robust controls and independent oversight are in place to ensure we are fully compliant with requirements on processing of personal data.”

The Home Office added that where recommendations have been made, it is implementing a plan of work to address these, and these plans will be integrated into the wider push for more robust controls around the processing of personal data throughout the department.

Adam Carey