28 August 2014
The Ministry of Justice (MoJ) has been fined by the Information Commissioner’s Office (ICO) for repeated security failings leading to data losses.
The UK government department has been fined £180,000 for serious failures in the way prisons in England and Wales, which it oversees, handled prisoners’ personal information.
The penalty results from two data losses, in 2011 and 2013. Last year a back-up hard drive was lost at HMP Erlestoke prison in Wiltshire. It held sensitive and confidential information on 2,935 prisoners, including links to organised crime, health information, histories of drug misuse and material about victims and visitors. The drive was not encrypted.
In 2011, another unencrypted hard drive containing the details of 16,000 prisoners serving time at HMP High Down prison in Surrey was lost. Following that first loss, in May 2012 the prison service issued new hard drives to all 75 prisons across England and Wales that were still taking back-ups onto portable drives in this way.
The replacement drives supported encryption. However, the ICO’s investigation into the Erlestoke loss found that the prison service had not realised the encryption feature was not active as supplied and had to be switched on before it protected anything written to the drive.
As a result, highly sensitive information was handled insecurely by prisons across England and Wales for over a year, culminating in the loss at HMP Erlestoke. Had the drives in either case actually been encrypted, the ICO says, the information would have remained secure despite the loss of the hardware.
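The lesson a practitioner draws from this case is that a drive’s encryption capability proves nothing until the stored bytes are inspected. The following is an added example, not code from the article, the ICO or the prison service: it takes a raw image of the media (assumed to have been read with a tool such as `dd`) and samples sectors to decide whether the content looks like ciphertext or recognisable plaintext. The entropy thresholds, the sector-sampling scheme and the two sample images are constructed for illustration. A high-entropy result is consistent with encryption but can also come from compressed data, so the check refutes a false belief in encryption rather than proving the cipher is sound.

```python
import math
import random
from collections import Counter

SECTOR = 512  # bytes per sampled sector (assumed 512-byte logical sectors)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; uniformly random bytes approach 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sample_sectors(image: bytes, count: int, seed: int = 0) -> list[bytes]:
    """Pick `count` distinct sectors at seeded pseudo-random offsets.

    Deterministic so a check can be re-run and compared; not a forensic standard.
    """
    rnd = random.Random(seed)
    n_sectors = len(image) // SECTOR
    chosen = rnd.sample(range(n_sectors), min(count, n_sectors))
    return [image[i * SECTOR:(i + 1) * SECTOR] for i in chosen]


def looks_like_plaintext(sector: bytes) -> bool:
    """Heuristic: an all-zero sector or one that is mostly printable ASCII is not ciphertext.

    A correctly encrypted drive encrypts unused space too, so zero runs are a red flag.
    """
    if sector.count(0) == len(sector):
        return True
    printable = sum(1 for b in sector if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sector) > 0.9


def assess_image(image: bytes, samples: int = 64) -> dict:
    """Classify a media image as 'ciphertext', 'plaintext' or 'inconclusive'.

    Entropy is pooled across all sampled sectors so the estimate is not biased
    low by the small 512-byte alphabet sample; the plaintext heuristic is per sector.
    Thresholds (7.5 and 6.0 bits/byte) are illustrative assumptions.
    """
    sectors = sample_sectors(image, samples)
    entropy = shannon_entropy(b"".join(sectors))
    plain_fraction = sum(looks_like_plaintext(s) for s in sectors) / len(sectors)
    if entropy >= 7.5 and plain_fraction == 0:
        verdict = "ciphertext"
    elif plain_fraction >= 0.5 or entropy < 6.0:
        verdict = "plaintext"
    else:
        verdict = "inconclusive"
    return {
        "entropy_bits_per_byte": round(entropy, 2),
        "plaintext_fraction": round(plain_fraction, 2),
        "verdict": verdict,
    }


def constructed_images() -> dict[str, bytes]:
    """Two constructed sample images (not real drive data).

    'unencrypted': text records followed by zero-filled unused sectors, i.e. what a
    drive with its encryption feature left switched off would contain.
    'encrypted': seeded pseudo-random bytes standing in for ciphertext.
    """
    record = b"id=%05d;status=ok;note=lorem ipsum dolor sit amet\n"
    text = b"".join(record % i for i in range(4096))[:400 * SECTOR]
    unencrypted = text + bytes(100 * SECTOR)
    encrypted = random.Random(1).randbytes(500 * SECTOR)
    return {"unencrypted": unencrypted, "encrypted": encrypted}


if __name__ == "__main__":
    for name, image in constructed_images().items():
        print(name, assess_image(image))
```

Run against a real device the image would come from the removable drive itself, not from the host file system view, since a self-encrypting drive that is working presents plaintext to the host and ciphertext only on the platter; if the sectors read straight off the media classify as plaintext, the encryption feature is off regardless of what the product label says.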
ICO Head of Enforcement, Stephen Eckersley, said: ‘The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief.
‘This is simply not good enough and we expect government departments to be an example of best practice when it comes to looking after people’s information. We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it.’