Home Office self-reports Windrush compensation data breach to the ICO
The Home Office has confirmed that it has reported itself to the Information Commissioner’s Office (ICO) following a data breach exposing the email addresses of individuals involved in the Windrush compensation scheme.
What are the details of the Windrush data breach?
The Immigration Minister, Caroline Noakes, admitted in a written statement to Parliament that an “administrative error” had resulted in the disclosure of the private email addresses of around 500 individuals who had requested to be kept informed about the Windrush compensation scheme. The emails were sent in five batches to around 100 recipients each.
The Home Office has also begun an internal review into the breach.
It will be interesting to see how the ICO follows up on the breach and what sanctions it imposes. Due to the subject matter of the compensation scheme, it is likely that the breach involves not only personal email addresses, but also (by deduction) some forms of special category data (race and ethnic origin).
What are the GDPR regulations in terms of a data breach?
The GDPR requires organisations to notify the ICO and individual data subjects of data breaches without undue delay and in any event within 72 hours of discovery. The ICO needs to be notified of breaches where the breach is “likely to result in a risk to individuals' rights and freedoms.” Individuals need to be notified where the breach is “likely to result in a high risk to their rights and freedoms” (emphasis added). As such, the hurdle for notifying the ICO is lower than for notifying individuals.
Given the nature of the breach, it is not surprising that the Home Office has self-reported the breach to the ICO.
What impact does this data breach have on organisations?
This latest news is a salient reminder of the need for organisations to make sure they have suitable measures to safeguard personal data they hold, both from a technological and organisational perspective. Breaches can occur through external factors (such as security hacks) and internal factors (such as human error in not blind copying mass emails, as appears to have happened in this case, albeit this has not been expressly confirmed yet).
The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.