A data breach has taken place in the system that allows EU citizens in the UK before Brexit to apply for settled status in order to continue to live and work there afterwards. Details of hundreds of EU citizens requesting their stay in the country have been accidentally disclosed.
Administrative error has been identified as the reason why 240 personal email addresses were released. The Home Office sent the email on Sunday 7 April asking applicants, who had already struggled with technical problems, to resubmit their information. However, the email addresses were included in carbon copy (CC), instead of a blind carbon copy (BCC), which would have prevented the data from being visible to all recipients.
The Home Office has apologised to citizens for mistakenly sharing their details plus has asked them to delete the email: “The deletion of the email you received from us on 7 April 2019 would be greatly appreciated.”
“Additional care should be taken when sharing personal information via email. First of all, it is essential ensuring the different recipients are added in BCC instead of CC where relevant, as the latter would reveal the email addresses to all of them and there would be no legitimate basis for that data sharing. Secondly, and according to GDPR data minimisation principle, emails should only include the strictly necessary information, and one should primarily aim at sharing personal data in encrypted files or with any other security measure”. Warns Cristina Contero Almagro, Aphaia Partner.
This is not the first time this has occurred. The government made a similar error with emails sent to 500 members of the Windrush generation.