The Ministry of Justice has been fined £180,000 by the Information Commissioner’s Office (ICO) after an investigation concluded that there were serious failings in the handling of confidential data.
Confidential data belonging to almost 3,000 prisoners at Erlestoke prison in Wiltshire was compromised after a hard drive was lost. None of the data on the hard drive was encrypted, despite previous efforts to improve the security of confidential data transported on portable devices.
The hard drive was lost in 2013 and contained confidential information about prisoners’ health and drug misuse, information about inmates’ victims and visitors and material on organised crime.
This incident occurred even though something very similar had happened in 2011, when another lost hard drive compromised data belonging to 16,000 prisoners. In an attempt to protect the data, the Ministry of Justice provided the Prison Service with hard drives that could be encrypted.
Despite this, a lack of communication and training meant the government body failed to explain to employees that the encryption option had to be switched on manually.
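The failure described above is a configuration gap rather than a missing capability: the drives could encrypt, but nobody verified that they actually did. A defender's answer is a check that refuses to treat a portable drive as safe until an encrypted volume is confirmed on it. The script below is an added example, not code from the article or the Ministry of Justice; it parses the JSON that Linux `lsblk -J -o NAME,TYPE,FSTYPE,TRAN` prints, walks each USB-attached disk and its partitions, and flags any drive with no encrypted container. The inventory it runs on is constructed for the example (the device names and the host are hypothetical), and treating "BitLocker" as an encrypted label assumes a util-linux release whose libblkid recognises BitLocker volumes.

```python
import json

# Filesystem labels that libblkid (and so lsblk) reports for encrypted containers.
# "crypto_LUKS" is the standard Linux label; "BitLocker" is only reported by newer
# util-linux releases and is included here as an assumption about that version.
ENCRYPTED_FSTYPES = {"crypto_LUKS", "BitLocker"}

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,TRAN` output from a hypothetical host:
#   sda  internal SATA disk                                    -> not removable, ignored
#   sdb  USB disk whose partition is a LUKS container          -> encrypted, passes
#   sdc  USB disk whose partition is plain NTFS                -> plaintext, flagged
#   sdd  USB disk with LUKS on the whole device, no partitions -> encrypted, passes
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "fstype": None, "tran": "sata", "children": [
            {"name": "sda1", "type": "part", "fstype": "ext4", "tran": None}]},
        {"name": "sdb", "type": "disk", "fstype": None, "tran": "usb", "children": [
            {"name": "sdb1", "type": "part", "fstype": "crypto_LUKS", "tran": None, "children": [
                {"name": "secure", "type": "crypt", "fstype": "ext4", "tran": None}]}]},
        {"name": "sdc", "type": "disk", "fstype": None, "tran": "usb", "children": [
            {"name": "sdc1", "type": "part", "fstype": "ntfs", "tran": None}]},
        {"name": "sdd", "type": "disk", "fstype": "crypto_LUKS", "tran": "usb", "children": [
            {"name": "vault", "type": "crypt", "fstype": "ext4", "tran": None}]},
    ]
})


def walk(node):
    """Yield a device node and every descendant (partitions, dm-crypt mappings, ...)."""
    yield node
    for child in node.get("children", []):
        yield from walk(child)


def drive_is_encrypted(disk):
    """True if the disk itself or any partition on it is an encrypted container.

    Checking the disk node as well as its children covers the whole-device LUKS
    case, where there is no partition table and lsblk puts the fstype on the disk.
    """
    return any(n.get("fstype") in ENCRYPTED_FSTYPES for n in walk(disk))


def unencrypted_removable(lsblk_json):
    """Return the names of USB-attached disks that carry no encrypted container."""
    inventory = json.loads(lsblk_json)
    flagged = []
    for dev in inventory.get("blockdevices", []):
        if dev.get("type") != "disk" or dev.get("tran") != "usb":
            continue  # internal disks are out of scope for a portable-media check
        if not drive_is_encrypted(dev):
            flagged.append(dev["name"])
    return flagged


if __name__ == "__main__":
    # On a real host replace SAMPLE_LSBLK with the output of:
    #   subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,TRAN"],
    #                  capture_output=True, text=True).stdout
    for name in unencrypted_removable(SAMPLE_LSBLK):
        print(f"/dev/{name}: removable drive with no encrypted volume; not cleared for confidential data")
```

The check deliberately looks for evidence of encryption rather than for the absence of a plaintext filesystem: a blank drive, or one whose contents libblkid cannot classify, is flagged too, because "we could not tell" is the state the prison drives were in. Run it from a login script or an endpoint agent so the result reaches the person about to copy data, not only an audit log.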
Stephen Eckersley, who is the ICO head of enforcement, stated, “The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it, beggars belief.”
Eckersley added, “The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year. We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it.”
A spokeswoman for the Ministry of Justice stated, “We take data protection issues very seriously and have made significant and robust improvements to our data security measures. These hard drives have now been replaced with a secure centralised system.”
The spokeswoman added, “Incidents like this are extremely rare and there is no evidence to suggest that any personal data got into the public domain.”
This incident is another example of an organisation acting reactively rather than proactively, with the result that confidential data was compromised. It also shows the importance of having effective training and communication procedures in place.