Home Office breaches GDPR – again

The Home Office’s visa service has apologised for a data breach on 07 April concerning the email addresses of more than 170 people that were divulged when they were mistakenly copied into an email sent last week.

The email was about the change of location for a visa appointment with the UK Visa and Citizenship Application Service [UKVCAS] which is administered by a private sector contractor - Sopra Steria. The email addresses were a mixture of private accounts and lawyers from a variety of firms.

Following the breach the Home Office issued a further email apologising for what it referred to as a “data breach error”.

Naga Kandiah of MTC Solicitors, one of the recipients of the email, condemned the data breach. He said: “If the Home Office wishes to outsource biometric appointments to a third-party company they have to ensure that their partner is providing a service which is both legally compliant and good value for money.

“UKVCAS are charging far in excess of what was previously paid for an appointment at the Post Office yet the product is inferior. For such a high price clients do not expect GDPR breaches or loss of data.”

However, the breach has not been reported to the Information Commissioner’s Office and a Home Office spokesperson said: “Our data protection officer [DPO] is reviewing this incident to determine whether this threshold has been met.”

Given that the incident occurred a week ago, the length of time the DPO is taking to determine whether the breach needs to be reported is, in itself, a breach of GDPR guidelines which require a speedy decision and reporting within 72 hours if deemed necessary.

The Home Office has form when it comes to data breaches. It previously apologised to hundreds of EU citizens for accidentally sharing their email addresses in 2019. In the same year about 500 email addresses were mistakenly shared with recipients of a mailing list for the Windrush compensation scheme.