Jean-Yves Gilg

Editor, Solicitors Journal

Ministry of Justice fined for data breaches

Encryption blunder costs government department after two high-profile failures by prison staff

The Ministry of Justice has been served with a £180,000 penalty by the Information Commissioner's Office (ICO) with regard to serious failings in the way prisons in England and Wales have been handling personal information.

The fine follows the loss of a back-up hard drive at HMP Erlestoke prison in Wiltshire in May 2013. The device, which was not encrypted, contained the confidential data of 2,935 prisoners, including details of links to organised crime, health information, history of drug misuse and material about victims and visitors.

The incident at HMP Erlestoke follows the loss of an unencrypted hard drive at HMP High Down prison in Surrey in October 2011, which contained the details of 16,000 prisoners.

In May 2012 the prison service provided new hard drives to all 75 prisons across England and Wales. These devices were able to encrypt the information stored on them. However, the ICO's investigation into the latest incident at HMP Erlestoke found that the prison service did not realise that the encryption option on the new hard drives needed to be turned on.

The ICO said that, as a result, highly sensitive information was insecurely handled by prisons across England and Wales for over a year and that, if the hard drives in both cases had been encrypted, the information would have remained secure despite their loss.

ICO head of enforcement, Stephen Eckersley, said: "The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief.

"The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year. This failure to provide clear oversight was only addressed when a further serious breach occurred and the devices were finally set up correctly."

Eckersley continued: "This is simply not good enough and we expect government departments to be an example of best practice when it comes to looking after people's information. We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people's information secure, but must understand how to use it."