IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Identity and Passport Service in data breach blunder

A bunch of renewal applications go missing, but no one wants to explain how.

Passport

The Identity and Passport Service (IPS) has been found in breach of the Data Protection Act after losing a host of passport renewal applications.

The Information Commissioner's Office (ICO) has given the organisation a slap on the wrist, after 21 applications went missing.

Personal data of both the applicants and their countersignatories was included in the lost documents.

The IPS agreed to shore up its IT practices as well as its document handling to ensure such a breach does not occur again.

Neither the ICO nor the IPS could confirm how the document loss happened.

Often when data breaches occur, an explanation on how the information was lost is given, such as CDs being left at bus stops or USB sticks being dropped in carparks.

No such information was forthcoming in the IPS case, even when both organisations were pressed for more details.

An IPS spokesman said the organisation was confident customers "were not subject to any additional risk of identity fraud."

"An internal security review has since been carried out and we have already significantly tightened our processes to prevent such an incident happening again," the spokesman said.

An ICO spokesperson told IT PRO the IPS had not been hit with a fine as it did not meet the criteria for such a punishment.

"A passport is an important identification document and it is clearly of concern that information relating to renewal applications has been lost," said Mick Gorrill, head of enforcement at the ICO.

"However, there is no evidence to suggest that the applications have fallen into the wrong hands and we are pleased that the Identity and Passport Service is taking steps to stop this happening again."

To be levied with a fine, a data controller must have "seriously contravened the data protection principles" and "substantial distress" must have been caused, according to the ICO's guidance.

Furthermore, the breach must either have been deliberate or "the data controller must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it."

The ICO has fined a total of four organisations since it was given additional powers in April 2010. The fines levied add up to 310,000.

The watchdog can fine up to 500,000 for the most serious breaches.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

MoJ faces £17.5m GDPR fine over subject access request backlog
data protection

MoJ faces £17.5m GDPR fine over subject access request backlog

20 Jan 2022
Cabinet Office fined £500,000 for New Year Honours data leak
data breaches

Cabinet Office fined £500,000 for New Year Honours data leak

3 Dec 2021
ICO publishes new data protection standards for the adtech industry
data protection

ICO publishes new data protection standards for the adtech industry

25 Nov 2021
Celebrity data leaked after ransomware attack on London's Graff jewellers
ransomware

Celebrity data leaked after ransomware attack on London's Graff jewellers

1 Nov 2021

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security
Careers & training

(ISC)2 launches free scheme to get 100,000 UK citizens into cyber security

17 May 2022
Preparing for the 3G sunset
Network & Internet

Preparing for the 3G sunset

18 May 2022