The Information Commissioner’s Office (ICO) has reprimanded the Home Office for poor security after sensitive documents turned up at a public London venue.
An envelope containing four documents labelled as “official sensitive” was found by staff on September 5 2021, who handed them in to police the next day.
The papers included two Extremism Analysis Unit Home Office reports and a counter terrorism policing report.
According to one report, the paperwork contained personal data, including that of Metropolitan Police Service staff, said the ICO.
A subsequent government investigation cam to the conclusion that the Home Office was the most likely to be the source of the documents.
The ICO said the ticking off has been issued to the Home Secretary, becuse it is officially the data controller for the Home Office.
Information Commissioner John Edwards said: “Government officials are expected to work with sensitive documents in order to run the country.
“There is an expectation, both in law and from the people the government serves, that this information will be treated respectfully and securely. In this instance that did not happen, and I expect the department to take steps to avoid similar mistakes in the future.”
The ICO concluded the Home Office had failed to ensure an appropriate level of security of personal data, including where documents were classified as ‘Official Sensitive’.
The investigation also found that the Home Office did not have a specific sign-out process for the removal of documents from the premises, and the incident was not reported to the ICO within the 72-hour time limit.
The ICO said the Home Office has since taken steps to “avoid similar breaches occurring in the future”.
The reprimand sets out further actions needed, including a review of the handling instructions around ‘Official Sensitive’ information, consideration of a sign out process when documents leave the office, and a review of training provided to staff around the handling of records containing personal data.
Responding to the ICO’s reprimand, a Home Office spokesperson said: “The UK has one of the most robust and transparent oversight regimes for the protection of personal data and privacy anywhere in the world.
“We note the decision published by the Information Commissioners Office today and will take its implications into consideration.
“We continue to ensure that robust controls and independent oversight are in place to ensure we are fully compliant with requirements on processing of personal data.”