The data protection watchdog the Information Commissioner’s Office (ICO) has issued a formal reprimand to the Home Office, after an envelope holding four ‘official sensitive’ documents was found at an unnamed London venue.
The watchdog said that the Home Office did not have a specific sign-out process for the removal of documents from the premises, and the incident was not reported to the ICO within the 72 hour time limit (in fact, it wasn’t reported for months, until April). Information Commissioner John Edwards said that Government officials are expected to work with sensitive documents to run the country. “There is an expectation, both in law and from the people the Government serves, that this information will be treated respectfully and securely. In this instance that did not happen, and I expect the department to take steps to avoid similar mistakes in the future.”
Why not a fine as punishment, as the ICO can issue, under the Data Protection Act 2018? In June, the Information Commissioner announced a trial of more use of discretion to reduce the impact of fines on the public, where public authorities breach data protection law. In practice this means more public reprimands and a fine only in the most gross cases.
About the case
The envelope, the ICO reports, held two /extremism analysis unit’ report from the Home Office, and two copies of a counter-terrorism policing report. The data subjects were a foreigner applying for a visa; and two Met Police staff. The venue handed the documents to the police, who handed them back to the Home Office. More details on the ICO website.
The documents did have specific handling instructions, including that they should be kept securely. The ICO noted that the Home Office has updated its business processes; such documents are given a unique reference number.