The UK Home Office has violated the GDPR norms at least 100 times while handling the EU Settlement Scheme (EUSS), said a report by the independent chief inspector of borders and immigration (ICIBI).
The EUSS scheme is for the citizens of the European Union (EU) and European Economic Area (EEA), and Switzerland to continue living and working in the UK after 30 June, 2021.
The Home Office, who oversees the EUSS received over 1.3 million applications by the end of August 2019. There were at least 100 recorded incidents of GDPR violation during the processing of these applications between 30 March and 31 August.
The reported issues range from IDs and passports getting lost, documents being misplaced, and PIIs of applicants being disclosed to third parties without permission, said the report by the ICIBI.
The first incident came to light in April 2019, in which an employee sent emails to 240 recipients without blind copy protections, leading to each address being inadvertently shared. The UK Home Office then apologised and attributed human error for the incident.
Days later, the Home Office admitted that the email addresses of 240 applicants were accidentally shared. The apology letter to each applicant affected blamed technical difficulties for the issue.
“The information provided to inspectors regarding data breaches was concerning, not least the increase in breaches each month between April and July 2019 (with a slight dip in August 2019), albeit most of those to the end of June were due to a postal company rather than EUSS staff or processes,” said the report.
An NCSC spokesperson declined to comment on the report, as it was a regulatory issue relating to GDPR. SC Media UK is yet to receive a reply for a request for comment from the Information Commissioner’s Office on the 100 instances reported.
“Of these 100 instances, 63 were traceable to documents being misplaced by the postal services. In looking at the remaining instances, we see the impact of improving processes where, by August 2019, EUSS employees were able to identify that six incidents were from documents being returned to applicants at addresses containing typographical errors written by the applicants,” commented Tim Mackey, principal security strategist at the Synopsys CyRC.
“Data breaches damage public confidence, and applicants will blame the Home Office, whether or not this is fair. It is therefore important for the Home Office to do everything it can to keep breaches to a minimum. Most appear to have involved document handling errors and these should be easiest to prevent with clear instructions and good organisation,” the ICIBI report said.
The Home Office still remains under the GDPR ambit, Brodies Solicitors partner Martin Sloan told SC Media UK.
“There is no change in the application of EU law in the UK during the transition period. This means GDPR continues to apply in the UK until at least 31 December 2020,” he said.
“Under data protection law, individuals are entitled to compensation where they can show that a breach has caused them damage or distress. The Information Commissioner also has power to take action, including the ability to issue orders to suspend processing and to issue monetary penalties,” Sloan added.