The Home Office has been reprimanded by the ICO after classified counter-terrorism documents were left at a public venue in London, sparking a regulatory investigation. Natasha King, examines this case and shares further possible changes to the Data Protection and Digital Information Bill (the proposed post-Brexit data protection reform) outlined in a speech made this month by the new minister for the DCMS, Michelle Donelan.
Find out the details of these and other key emerging themes as events unfold. Our analysis looks at what happened and why it matters, read our complete review below.
Home Office warned after sensitive documents left at London venue
What happened
- The Home Office has received a formal reprimand from the Information Commissioner’s Office (ICO) after sensitive documents were discovered at a public venue in London.
- Two reports from the Home Office Extremism Analysis Unit and one on Counter Terrorism Policing were among the papers that venue staff members found and handed to the police in September 2021. The reports contained personal and special category data, including that of a foreign UK visa applicant and Metropolitan Police staff.
- The Home Office was identified as the most probable source of the papers, according to a government probe. As the Home Office’s data controller, the Secretary of State for the Home Department (the Home Secretary) has been issued with the reprimand.
- The ICO ruled that the Home Office had neglected to provide an adequate level of protection of personal data, including in cases where papers were classified as “Official Sensitive.”
- The investigation also found that the Home Office did not have a clear sign-out procedure for the removal of documents from the premises, and the incident was not reported to the ICO within the statutory 72-hour time limit.
- The reprimand outlines further remedial action that must be taken by the Home Office, such as the handling instructions for managing “Official Sensitive” material, consideration of a sign out process when documents leave the office, and a strengthening of training provided to staff around the handling of records containing personal data.
Why it matters
- The reprimand follows the ICO’s statement in June 2022, where it announced the commencement of a new trial (as Xcina Consulting have previously reported) to revise the approach to public sector enforcement, increasing the use of its discretion to lessen the impact of fines on the general public when public bodies violate data protection laws.
- In practice, this means an increase in the ICO issuing public reprimands and the use of its wider powers, including enforcement notices, with fines only issued in the most severe cases.
- This is not the first reprimand issued since the ICO’s announcement in June 2022. Last month, it formally reprimanded seven organisations for not responding to subject access requests, as previously reported by Xcina Consulting here.
- It is understood that the Home Office has since taken steps to avoid similar breaches occurring in the future.
UK Government considers further data protection reform, creating more uncertainty for businesses
What happened
- Xcina Consulting previously reported that the government’s proposed post-Brexit data protection reform, in the form of its Data Protection and Digital Information Bill, which was scheduled to receive its second reading in Parliament on 5 September, was postponed after Liz Truss was named the new leader of the Conservative Party.
- It was announced at the time that the reason for the delay was to give Ministers more time to consider the legislation.
- This month, at the Conservative Party Conference 2022, the newly appointed Secretary of State for Digital, Culture, Media & Sport (DCMS), Michelle Donelan, implied that the Data Protection and Digital Information Bill may be subject to further changes before it is reintroduced to Parliament.
- She declared that “we will be replacing GDPR with our own business-and consumer-friendly British data protection system” and criticised what she considers to be the EU “red tape” that is allegedly hampering economic growth.
- She claimed that DCMS will instead be “taking the best bits from others around the world to form a truly bespoke, British system of data protection”.
Why it matters
- Businesses are now left in the dark about what this means for the future of UK data protection, as well as how it connects to the existing reform Bill that has already been brought into parliament.
- Whether the DCMS plans to start over and completely rethink its whole approach to data protection reform, or whether only small adjustments will be made, making it essentially comparable to the initial proposals, remains to be seen.
- However, given that the GDPR remains at the heart of the Bill in its current form, the latest announcement suggests that the DCMS may intend to make significant changes to it.
- Should this be the case, there will likely be several challenges to overcome, especially in light of the opinions expressed during the DCMS’s prior public consultation on data protection reform, in which the majority of respondents opposed more radical proposals, such as the potential for completely replacing GDPR in favour of a new framework.
- Furthermore, there is no guarantee that new legislation will be passed before the next general election, which is scheduled within the next two years. After this time, the proposals could be completely shelved if, for example, the current administration is unsuccessful in gaining another term in office (as current voting intention polls suggest).
- Xcina Consulting will continue to closely monitor the situation and provide updates as they occur.