Data Protection

100 Data Breaches by the UK Home Office

11 Mar 2020

2 min read

The UK Home Office was responsible for at least 100 instances of data breaches that violated the country’s data protection laws, according to a report published last month by the Independent Chief Inspector of Borders and Immigration.

According to the report, personal data relating to the EU Settlement Scheme (EUSS), including passport copies, have been lost or sent to the wrong address – a violation of English and European data protection laws.

The data breaches occurred during the Home Office’s administration of the EUSS scheme between April and August 2019.

The investigation’s findings have raised concerns about the handling of personal data by government bodies, like the Home Office.

To date, 3.2 million people have applied to the EUSS, a scheme set up to cater for EU/EEA and Swiss citizens residents in the UK who intend to stay after 30th June 2021. To file for ‘settled status’ through the scheme, applicants are required to submit electronic or paper copies of their identity documents.

The breach occurred as a result of an administrative error which saw 240 personal applicant email addresses sent out in a mass email without blind copy protection. The first recorded breach was reported in the media in April of last year, with the report showing that further breaches took place between April and August 2019.

In more than one case, the Home Office sent passport copies to the wrong applicant, or intended to send them to the right applicant, but contacted the wrong address.

On other occasions, ID documents were misplaced in the EUSS office, or by the postal company delivering them.

Reacting to the report’s publication, the Home Office said it had added changes to its processes for sending out bulk emails, meaning there would be no more errors going forward.

“We regularly review all processes and procedures to mitigate against data breaches. These are reviewed regularly and amended if needed. We are also in discussion with the heads of security, integrity and data protection to ensure our processes are aligned to GDPR compliance. Bulk email processes have changed so there will be no errors going forward,” read the statement.

For further information about how GVZH Advocates can help you with your data protection legal requirements, kindly contact us on