The Home Office is in the dock again after a second privacy blunder in as many days led to the accidental disclosure of hundreds of emails.
The ‘administrative error’ apparently occurred when an official used the “cc” instead of “bcc” field when sending out an email to 240 EU citizens requesting settled status after Brexit.
The email was sent on Sunday to applicants who had encountered difficulties, asking them to resubmit their information, according to the BBC.
The government department was then forced to send another email requesting that the recipients delete the offending missive.
“In communicating with a small group of applicants, an administrative error was made which meant other applicants' email addresses could be seen,” a reported Home Office statement noted.
“As soon as the error was identified, we apologized personally to the 240 applicants affected and have improved our systems and procedures to stop this occurring again.”
The news emerged just two days after a similar incident in which the Home Office exposed 500 private email addresses to others.
It related to individuals who had enrolled in a compensation scheme for the so-called “Windrush generation” — UK citizens from Commonwealth countries whom the government has mistreated under the “hostile environment” immigration policy of Theresa May’s tenure as home secretary.
The EU settlement scheme has already been on the receiving end of strong criticism from groups who claim it is unnecessarily bureaucratic and has been beset by technical difficulties.
The government’s mistakes could mean it is in breach of the GDPR, known in the UK as the Data Protection Act 2018.
“GDPR mandates that users handling personal data must be trained on how to handle it appropriately to protect the privacy and confidentiality of that information,” argued Proofpoint’s EMEA cybersecurity strategist, Adenike Cosgrove.
“Companies rolling out cybersecurity awareness and training programs should ensure that employees are trained not just on potential technical threats, but are also educated on how to handle sensitive information, particularly Personally Identifiable Information (PII). By leveraging technical controls and making data privacy a business priority, organizations can reduce the likelihood of data exposure.”