The Information Commissioner’s Office (ICO) has served a £180,000 penalty on the Ministry of Justice over serious failings in the way prisons in England and Wales have been handling people’s information.
The penalty follows the loss of a back-up hard drive at HMP Erlestoke Prison, Wiltshire in May 2013. The hard drive contained sensitive and confidential information about 2,935 prisoners, including details of links to organised crime, health information, histories of drug misuse and material about victims and visitors. The device was not encrypted.
The incident followed a similar case in October 2011 when the ICO was alerted to the loss of another unencrypted hard drive containing the details of 16,000 prisoners serving time at HMP High Down Prison in Surrey.
In response to the first incident, in May 2012 the prison service provided new hard drives to all of the 75 prisons across England and Wales still using back-up hard drives in this way. These devices were able to encrypt the information stored on them. However, the ICO’s investigation into this latest incident found that the prison service didn’t realise that the encryption option on the new hard drives needed to be turned on to work correctly.
The end result was that highly sensitive information was insecurely handled by prisons across England and Wales for over a year, in turn leading to the latest data loss at HMP Erlestoke. If the hard drives in both of these cases had been encrypted then the information would have remained secure despite their loss.
Highly sensitive information insecurely handled
ICO head of enforcement Stephen Eckersley commented: “The fact that a Government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief. The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year. This failure to provide clear oversight was only addressed when a further serious breach occurred and the devices were finally set up correctly.”
Eckersley continued: “This is simply not good enough. We expect Government departments to be an example of Best Practice when it comes to looking after people’s information. We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must also understand how to use it.”
Working with the National Offenders and Management Service, the Ministry of Justice has now taken action to ensure all of the hard drives being used by prisons are securely encrypted.