The Information Commissioner’s Office said the venue’s staff found an envelope containing four “official sensitive” documents in September last year and handed them to police.
“A government investigation concluded the Home Office was the most likely source of the documents,” a statement added.
“The reprimand has been issued to the home secretary, as the data controller for the Home Office.”
The documents included two reports by the government’s Extremism Analysis Unit, which analyses ideologies that have an impact on British interests and security.
There were also two copies of a Counter Terrorism Policing report on an unnamed visa applicant who was seeking to travel to the UK.
The ICO did not identify the location where the documents were found but said it was a public venue in London.
It said that the documents were marked official-sensitive and contained specific handling instructions aiming to ensure security and confidentiality.
“The handling instructions for the reports were not followed as they were found unsecured in a venue in London, where they were accessed by unauthorised individuals,” said a letter from the ICO to Home Office permanent secretary Matthew Rycroft.
“[The Home Office] first became aware of the breach on 6 September 2021, however the breach was not reported to the ICO until 4 April 2022.”
The statutory time limit for reporting data breaches to the ICO is 72 hours but officials chose to launch an internal investigation by the Cabinet Office’s Government Security Group instead.
The ICO said the Home Office has subsequently put in place measures to ensure similar documents are given unique reference numbers.
It recommended a review of the handling instructions around official-sensitive information, consideration of a sign-out process when documents leave government premises, and a review of training provided to staff around the handling of records containing personal data.
Information Commissioner John Edwards said: “Government officials are expected to work with sensitive documents in order to run the country.
“There is an expectation, both in law and from the people the government serves, that this information will be treated respectfully and securely. In this instance that did not happen, and I expect the department to take steps to avoid similar mistakes in the future.”
A Home Office spokesperson said it would take the ICO’s recommendations into consideration but insisted that the UK has “one of the most robust and transparent oversight regimes for the protection of personal data and privacy anywhere in the world”.
A statement added: “We continue to ensure that robust controls and independent oversight are in place to ensure we are fully compliant with requirements on processing of personal data.”