Home Office Issued With A Formal Reprimand After Classified Documents Left In A Public London Venue

Ruby Ashby

The Information Commissioner's Office (ICO) has issued a formal reprimand to the Home Office after classified documents were found at a public London venue.

On 5 September 2021, an envelope containing four classified documents was found at a venue in London by venue staff. The documents included two Extremism Analysis Unit Home Office reports and a Counter Terrorism Policing report. Both reports contained personal data including data relating to Metropolitan Police staff.

The Government conducted an investigation and concluded that the Home Office was the most likely source of the documents. The ICO conducted its own investigation into whether the Secretary of State for the Home Department had complied with the requirements of the data protection legislation, as the Data Controller for the personal data contained within the classified documents.

The ICO found that the Home Office had failed to ensure an appropriate level of security. The investigation also found that the Home Office did not have a specific sign-out procedure for the removal of any classified documents from the premises. As a result, the ICO issued a formal reprimand.

Within the formal reprimand, the ICO concluded that there had been an infringement of both Article 5(1)(f) of the UK GDPR and Article 33(1) of the UK GDPR.

Article 5(1)(f) of the UK GDPR confirms that personal data should be processed in a manner that ensures the appropriate security of the data. The ICO concluded that the Secretary of State for the Home Department had failed to ensure an appropriate level of security in contravention of this article. Whilst the documents were classified ‘Official-Sensitive’ and contained specific handling instructions, these instructions were not followed. Further, there was no specific sign-out process in place for the removal of ‘Official-Sensitive’ documents from the premises.

Article 33(1) of the UK GDPR confirms that a data controller should, without undue delay and in any event not later than 72 hours after becoming aware of a breach, notify the ICO of the breach. The Secretary of State for the Home Department first became aware of the breach on 6 September 2021. The breach was not reported until 4 April 2022. The Home Office took the view that, at the time of discovering the breach, it was unclear how the breach occurred and therefore it did not feel the need to report it until it had carried out its own investigation. The ICO, within the formal reprimand, took the view that it was known that the incident involved Home Office reports that contained personal data and special category data. The Secretary of State, therefore, had sufficient information to report the breach to the ICO within 72 hours of becoming aware of it.

Within the reprimand, the ICO included some recommendations to prevent a similar breach from happening again. One of the suggestions made by the ICO was the implementation of a sign-out process to ensure that any documents could be accounted for when out of the office.

Comment

The issuing of this official reprimand (and publishing on their website) is another one of the steps the ICO has taken to implement ICO25. I suspect over the next three years we will see many more public authorities issued with reprimands and practice recommendations.

The UK Information Commissioner, John Edwards, has published a statement following the above which sheds some light on the ICO’s thinking behind the issuing of the reprimand. John Edwards has commented as follows:

“Government officials are expected to work with sensitive documents in order to run the country. There is an expectation, both in law and from the people the Government serves, that this information will be treated respectfully and securely. In this instance that did not happen, and I expect the department to take steps to avoid similar mistakes in the future.”


Ruby Ashby is an Associate in our expert Dispute Resolution team.

If you need any advice concerning the subjects discussed in this article, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
