Identity and Passport Service in data breach blunder

The Identity and Passport Service (IPS) has been found in breach of the Data Protection Act after losing a host of passport renewal applications.

The Information Commissioner's Office (ICO) has given the organisation a slap on the wrist, after 21 applications went missing.

Personal data of both the applicants and their countersignatories was included in the lost documents.

The IPS agreed to shore up its IT practices as well as its document handling to ensure such a breach does not occur again.

Neither the ICO nor the IPS could confirm how the document loss happened.

Often when data breaches occur, an explanation on how the information was lost is given, such as CDs being left at bus stops or USB sticks being dropped in carparks.

No such information was forthcoming in the IPS case, even when both organisations were pressed for more details.

An IPS spokesman said the organisation was confident customers "were not subject to any additional risk of identity fraud."

"An internal security review has since been carried out and we have already significantly tightened our processes to prevent such an incident happening again," the spokesman said.

An ICO spokesperson told IT PRO the IPS had not been hit with a fine as it did not meet the criteria for such a punishment.

"A passport is an important identification document and it is clearly of concern that information relating to renewal applications has been lost," said Mick Gorrill, head of enforcement at the ICO.

"However, there is no evidence to suggest that the applications have fallen into the wrong hands and we are pleased that the Identity and Passport Service is taking steps to stop this happening again."

To be levied with a fine, a data controller must have "seriously contravened the data protection principles" and "substantial distress" must have been caused, according to the ICO's guidance.

Furthermore, the breach must either have been deliberate or "the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it."

The ICO has fined a total of four organisations since it was given additional powers in April 2010. The fines levied add up to 310,000.

The watchdog can fine up to 500,000 for the most serious breaches.

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.