The Information Commissioner’s Office has issued a formal reprimand to the Home Office, after sensitive documents were found at a London venue.
The documents, which were handed by venue staff to police in September 2021, included two Extremism Analysis Unit Home Office reports and a Counter Terrorism Policing report.
The Extremism Analysis Unit analyses ideologies that have an impact on British interests and security, whilst the policing report had the details of an unnamed visa applicant who was seeking to travel to the UK.
An investigation concluded that the Home Office was the most likely source of the documents.
The reprimand has been issued to the Home Secretary, Suella Braverman, as the data controller for the Home Office.
“The handling instructions for the reports were not followed as they were found unsecured in a venue in London, where they were accessed by unauthorised individuals,” said a letter from the ICO to Home Office permanent secretary Matthew Rycroft.
“[The Home Office] first became aware of the breach on 6 September 2021, however the breach was not reported to the ICO until 4 April 2022.”
As part of the reprimand, the Home Office must take other action, which includes a review of the handling instructions around “official sensitive” information, consideration of a sign-out process when documents leave the office and a review of training provided to staff around the handling of records containing personal data.
The statutory time limit for reporting data breaches to the ICO is 72 hours but officials chose to launch an internal investigation by the Cabinet Office’s Government Security Group instead.
A Home Office spokesperson told City A.M.: “The UK has one of the most robust and transparent oversight regimes for the protection of personal data and privacy anywhere in the world.
“We note the decision published by the Information Commissioner’s Office (ICO) today, and will take its implications into consideration. We continue to ensure that robust controls and independent oversight are in place to ensure we are fully compliant with requirements on processing of personal data.”