Government fined over data loss
Businesses and other organisations have been urged to make sure they have the right equipment in place to protect individuals’ personal data – and that they understand how to use it – after the Ministry of Justice received a £180,000 penalty for losing confidential information about hundreds of prisoners.
The Information Commissioner’s Office (ICO) imposed the penalty following the loss of a back-up hard drive at HMP Erlestoke prison in Wiltshire in May 2013.
The hard drive contained sensitive and confidential information about 2,935 prisoners, including details of links to organised crime, health information, history of drug misuse and material about victims and visitors. The device was not encrypted.
The incident followed a similar case in October 2011, when the ICO was alerted to the loss of another unencrypted hard drive containing the details of 16,000 prisoners serving time at HMP High Down prison in Surrey.
in May 2012, in response to the first incident, the prison service provided new hard drives to all of the 75 prisons across England and Wales still using back-up hard drives in this way. These devices were able to encrypt the information stored on them.
But the ICO’s investigation into the latest incident found that the prison service did not realise that the encryption option on the new hard drives had to be turned on to work correctly.
As a result, sensitive information was insecurely handled by prisons across England and Wales for more than a year, leading to the data loss at HMP Erlestoke. Had the hard drives in both these cases been encrypted, the information would have remained secure despite their loss.
Stephen Eckersley, the ICO’s head of enforcement, said on 26 August: “The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief.
“The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year. This failure to provide clear oversight was only addressed when a further serious breach occurred and the devices were finally set up correctly.
“This is simply not good enough. We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it.”
The Ministry of Justice has now taken action to ensure all hard drives being used by prisons are securely encrypted.