The Home Office suffered 33 data breaches during the last financial year – and did not report any of them to the Information Commissioner's Office (ICO)
The department's annual report and accounts 2014-15 (PDF) reveals 33 "Personal Data Related Incidents" that took place in the last financial year, but were not formally reported to the ICO.
Personal data is defined as any data that may be used to identify a living individual. Under the Data Protection Act 1998 there are very strict rules on how "data controllers" may use the data they collect and store.
The list of breaches – which does not include "small, localised incidents" – was recorded centrally within the department. The annual report noted:
- Two incidents in which "inadequately protected electronic equipment, devices, or paper documents" were lost from within "secured government premises"
- Six incidents in which "inadequately protected electronic equipment, devices, or paper documents" were lost from outside of "secured government premises"
- Zero incidents of "insecure disposal of inadequately protected electronic equipment, devices or paper documents"
- 14 incidents of "unauthorised disclosure"
- 11 incidents filed under "other"
The decision to report the breaches falls to the data controller, which for the Home Office is its permanent secretary, civil servant Mark Sedwill.
While the ICO recognises (PDF) that there is "no legal obligation on data controllers to report breaches of security", the office does encourage such reporting, and provides guidance on what breaches it considers reportable.
The Register understands that Sedwill evaluated whether breaches at the Home Office should be reported to the ICO in accordance with internal guidance, separately from the ICO's own guidance documents, though we cannot confirm whether they contain contradictory information.
The number of incidents has increased by some magnitude from the previous report (PDF), when only five breaches were recorded that were not passed on to the ICO.
Additionally, three unauthorised disclosures were reported in 2013-14 to the ICO, including one in which the Home Office accidentally published the personal details of 1,598 migrants.
The annual report declared that "information assurance and managing information risk are continuing priorities" for the Home Office, and additionally notes that "cyber issues have been added for the first time this year to the enhanced maturity assessment used by the Department to provide comprehensive assurance to our SIRO [Senior Information Risk Owner] and ultimately, the Home Office Board."
An Information Management Assessment of the Home Office began in June 2015, and is being conducted by the National Archives, in order to provide external validation of the maturity assessment work it has undertaken in the last financial year.
The report states: "Delivering the baseline assurance necessary to build a robust IA culture will be an ongoing process, especially as HMPO have been brought into the Home Office since this programme of work was initiated." ®