Tag Archives: Information Commissioner’s Office

Egress Software Technologies CEO responds to ICO’s Data Security Incidents Report for Q2

On Friday 16 November, the Information Commissioner’s Office (ICO) published its Data Security Incidents Report for Q2 2018. Data security incidents, which are breaches of the seventh data protection principle or personal data breaches reported under the Privacy and Electronic Communications Regulations, are a major concern for those affected and a key area of action for the ICO.

On 18 July 2018, the Independent Inquiry into Child Sexual Abuse (IICSA) was fined £200,000 for revealing the identities of abuse victims in a mass e-mail. On 9 August, Lifecycle Marketing (Mother and Baby) Ltd, also known as Emma’s Diary, was fined £140,000 for illegally collecting and selling personal information belonging to more than one million people.

On 20 September, Equifax Ltd was fined £500,000 for failing to protect the personal information of up to 15 million UK citizens during a cyber attack in 2017 and, on 28 September, BUPA Insurance Services was fined £175,000 for failing to have effective security measures in place to protect customers’ personal information.


Tony Pepper, CEO of Egress Software Technologies, commented: “Looking at this report, it’s no surprise that the number of data security incidents filed to the ICO has continued to increase with no signs of plateauing. Overall, there has been a 29% increase in the number of reported data security incidents, from 3,146 between April and June 2018 to 4,056 from July to September 2018. This demonstrates a 490% increase compared to the same quarter in 2017.”

Pepper continued: “Similar to the statistics we observed in the ICO’s previous report, this doesn’t necessarily mean that organisations are experiencing more incidents, but it definitely does mean that more are now being reported. The increased awareness for organisations to tread carefully has been fuelled by the General Data Protection Regulation, as well as the significant data breach incidents that recognisable brands have suffered in recent times.”

In terms of the monetary penalties, fewer fines were issued between July and September compared to those issued between April and June, with £875,000 issued under the Data Protection Act in the most recent complete three-month period.

Significant growth in data incidents

Although the report doesn’t summarise the type of incidents reported, it does detail the sectors that have experienced significant growth in these incidents. These include general business, which has experienced an increase of 87%, finance with 49%, insurance and legal with 63%, media with 633% and transport and leisure with 57%, while Government, at both the central and local level, experienced a 14% increase.

“We have also seen an organisation fined for unlawfully selling personal data, while Equifax was fined the highest amount under the Data Protection Act (£500,000) for a cyber attack that exposed the personal information of up to 15 million UK citizens.”


Information Commissioner Elizabeth Denham

Pepper added: “Clearly, there’s not only an issue with external attackers illegally obtaining and hacking an organisation’s systems to obtain data, but also with internal employees – and companies as a whole – misleading the population on why their personal data is being collected and how it will be used. As a result, organisations should be vigilant when it comes to ensuring data security protection is in place, and especially so to combat internal threats.”

Pepper feels that organisations should take a user-centric approach to data security, ensuring that every employee – from C-Suite executives to the average worker – is as security savvy as they need to be. This philosophy has been highlighted in recent Egress research, which revealed that 20% of an organisation’s employees don’t know what kinds of personal information should be protected when sharing data via e-mail.

“By taking a user-centric approach and equipping staff to protect personal data through technology that supports and secures the work they do,” urged Pepper, “as well as more training and awareness of what constitutes the mishandling of personal data, organisations will be better placed to mitigate the chances of external and internal data security incidents.”


Filed under Risk Xtra

BSIA looks forward to impending publication of BS 8593 on body-worn video cameras

The British Security Industry Association (BSIA) is pleased to have played a pivotal role in the development of BS 8593 Code of Practice for the Deployment and Use of Body-Worn Video and is looking forward to its expected publication later this month.

The standard provides technical and operational recommendations for the deployment and use of body-worn video used for the purposes of recording interactions between the wearer and other parties, or the environments in which wearers find themselves.


David Wilkinson, director of technical services at the BSIA and chairman of the British Standards Institution’s GW1/10 Sub-Committee, commented: “The need for a standard in this area was born from discussions held with the Surveillance Camera Commissioner with regards to guidance for body-worn video in relation to the Surveillance Camera Commissioner’s Code of Practice. The standard’s development committee was chaired by myself and involved a wide variety of stakeholders, including manufacturers, inspectorates, the Information Commissioner’s Office, the Security Industry Authority and the Surveillance Camera Commissioner’s office.”

Wilkinson continued: “There are clear advantages for the use of body-worn video in a number of applications. However, its usage also brings about challenges in terms of privacy and data security. It’s hoped that this standard will support the work of organisations such as the ICO as well as the Surveillance Camera Commissioner in ensuring that surveillance remains appropriate and proportionate and that there’s a balance struck between safety, security and the privacy of those being surveilled.”

BS 8593 will be publicly launched by the BSI on 14 June at UBM’s offices in Blackfriars, London, with briefings from both the Surveillance Camera Commissioner Tony Porter QPM LLB and the ICO, representatives of the Metropolitan Police Service, industry practitioners and the BSIA’s David Wilkinson.

*For further information about the launch event, or to register for your free place, please visit: www.bsia.co.uk/events


Filed under Risk UK News

“30% of NHS Trusts have experienced a ransomware attack” finds SentinelOne

30% of NHS Trusts in the UK have experienced a ransomware attack, potentially placing patient data and lives at risk. One Trust – the Imperial College Healthcare NHS Trust – admitted to being attacked 19 times in just 12 months. These are the findings of a Freedom of Information (FoI) request submitted by SentinelOne.

The Ransomware Research Data Summary explains that SentinelOne made FoI requests to 129 NHS Trusts, of which 94 responded. Three Trusts refused to answer, claiming their response could damage commercial interests. All but two Trusts – Surrey and Sussex and University College London Hospitals – have invested in anti-virus security software on their endpoint devices to protect them from malware.

Despite installing a McAfee solution, Leeds Teaching Hospital has apparently suffered five attacks in the past year.

No Trusts reported paying a ransom or informed law enforcement of the attacks: all preferred to deal with the attacks internally.

Ransomware, which encrypts data and demands a ransom to decrypt it, has been affecting US hospitals for a while now. The Hollywood Presbyterian Medical Center in Los Angeles notoriously paid cyber criminals £12,000 last February after being infected by Locky, one of the most prolific ransomware variants.


With infected computers or networks unusable until a ransom has been paid* or the data has been recovered, it’s clear why these types of attack concern business continuity professionals: the latest Horizon Scan Report published by the Business Continuity Institute highlights cyber attacks as the prime concern. This is a very good reason why cyber resilience has been chosen as the theme for Business Continuity Awareness Week in 2017.

“These results are far from surprising,” said Tony Rowan, chief security consultant at SentinelOne. “Public sector organisations make a soft target for fraudsters because budget and resource shortages frequently leave hospitals short-changed when it comes to security basics like regular software patching. The results highlight the fact that old school AV technology is powerless to halt virulent, mutating forms of malware like ransomware. A new and more dynamic approach to endpoint protection is needed.”

Rowan continued: “In the past, some NHS Trusts have been singled out by the Information Commissioner’s Office for their poor record on data breaches. With the growth of connected devices like kidney dialysis machines and heart monitors, there’s even a chance that poor security practices could put lives at risk.”

*Note that the data isn’t always recovered even after a ransom has been paid


Filed under Risk UK News, Uncategorized

UNION tackles unauthorised key duplication in healthcare facilities thanks to keyULTRA solution

UNION – part of ASSA Abloy Security Solutions (a division of ASSA Abloy UK) – is tackling unauthorised key duplication in healthcare facilities with its keyULTRA master key system. 

Last year alone, NHS departments reported 498 data breaches to the Information Commissioner’s Office, in turn showing how data protection has become an increasing concern within hospitals.

Facilities and security managers in healthcare establishments need to safeguard confidential information and expensive medical equipment. On that basis, managing security and access control requirements is critical.

The keyULTRA master key cylinders possess one of the longest patents in the market, expiring in 2028. DuraPIN technology protects both the key and cylinder assembly from illegal duplication and permits access to authorised personnel only.

This system has successfully been installed in a number of healthcare facilities including Arnold Lodge, a medium secure psychiatric unit in Leicester, and Good Hope Hospital in Birmingham.

Craig Birch, category manager for cylinders at ASSA Abloy UK, said: “Unauthorised copies of keys and an unknown number of keys distributed to people, both within and outside organisations, are common problems for hospitals with large numbers of personnel and a high staff turnover. A copied or a lost key is an immediate security threat that could lead to data breaches and costly civil monetary penalties. Investing in keyULTRA is an effective way of ensuring that no unauthorised keys are cut, meaning that facilities and security managers are fully aware of everyone with access to each area of the building. That helps to eliminate the costly problems that could occur from compromised security.”

keyULTRA boasts enhanced features including the highest key-related security, as per BS EN 1303:2005, along with resistance to bumping, drilling, picking and plug extraction. The solution is also approved for use on FD30 and FD60 fire doors in accordance with BS EN 1634-1.

Featuring self-lubricating materials designed to enhance its resistance to wear and tear, UNION’s keyULTRA is ideal for busy environments and can also help to reduce maintenance costs.

The product has been successfully tested to over half a million cycles to guarantee performance. It employs a strong and durable key, with an easy-to-grip, oversized key bow to facilitate product use.

*For further information on keyULTRA visit: http://www.unionkeyultra.co.uk/


Filed under Uncategorized

UK Surveillance Camera Commissioner issues Annual Report 2013-2014

The UK Surveillance Camera Commissioner’s inaugural Annual Report outlines both the work the Commissioner, Tony Porter, has completed and his future plans.

The report explains how the Commissioner:

*continues to promote the Surveillance Camera Code of Practice to relevant and non-relevant authorities
*has launched an easy to use self-assessment tool for any organisation to demonstrate how they are meeting the principles contained in the Code
*has continued the work of his predecessor, Andrew Rennison, to simplify the CCTV standards framework in order to encourage the industry and operators of CCTV systems to meet minimum standards
*will be issuing guidance to users of domestic CCTV following his concerns about the growing number of complaints around the use of CCTV at people’s homes

Download a copy of the Annual Report 2013-2014

Tony Porter: UK Surveillance Camera Commissioner

Tony Porter: UK Surveillance Camera Commissioner

Foreword to the Annual Report

In the Foreword to the Annual Report, in which he addresses Home Secretary Theresa May, Tony Porter states:

“I am pleased to present to you the first Annual Report from the Surveillance Camera Commissioner. This report covers the period from the appointment of the first Surveillance Camera Commissioner (on 13 September 2012). I am grateful to my predecessor Andrew Rennison who undertook the functions of the Surveillance Camera Commissioner until his departure in February 2014. Much of his work is reflected in the body of the report and he has kindly attached an open letter which follows this Foreword.

“I intend to ensure that the Surveillance Camera Code of Practice (PoFA Code) is promoted to relevant authorities under S33 (5) of the Protection of Freedoms Act so that they fully understand and fulfil their duty to have regard to the PoFA Code. I also intend to explore other opportunities to promote the PoFA Code to non-relevant authorities, thereby seeking voluntary adoption across a broad range of sectors.

“According to a survey conducted by the British Security Industry Association on the number of cameras in the UK (published in July 2013), just 1 in 70 of CCTV systems are state owned. This reinforces that a major part of my role is to reach out to others who use overt surveillance in public space – not solely relevant authorities. I will detail plans later in the report, but I have already met with universities and spoken to some residential social landlords and the British Retail Consortium and will continue to reach out to others to whom the PoFA Code is applicable.

“The use of CCTV in domestic environments continues to cause concern among the public and is a high generator of complaints across various agencies. With a view to showing leadership in the sector, I have said publicly that I intend to explore ways of working with manufacturers, retailers, installers, consumers and the Information Commissioner’s Office to impart the principles of the PoFA Code.

“That said, there remains much to do to achieve that goal. I have worked with some relevant authorities, particularly public space CCTV managers in local authorities that show enormous enterprise in adopting the principles within the PoFA Code. However, it has been brought to our attention that the application of the PoFA Code is not consistent throughout all relevant authorities. We have been made aware of instances where some traffic enforcement officers, often using the same cameras as those used to deliver crime and disorder reduction strategies, do not deliver the same level of compliance to the PoFA Code. Accordingly, where dual use CCTV Operations Rooms are in use I intend to raise the obligations within the PoFA Code to encourage compliance.

“There remain a large number of surveillance camera system users who are not under a duty to have regard to the PoFA Code. By focusing on the larger scale operators via seminars, webinars and personal engagement, I intend to raise the profile of the PoFA Code. My aim is to secure voluntary adoption and achieve surveillance by consent across the broadest range of organisations.

“Application of the PoFA Code not only delivers benefits to society in terms of privacy, security of public safety, transparency and reassurance but also benefits business through better performance and cost reduction. This will be my mantra going forward.”


Filed under Risk UK News

“Organisations must act now to avoid hackers’ oldest trick in the book” urges ICO

The Information Commissioner’s Office (ICO) is warning organisations that they must make sure their websites are protected against one of the most common forms of online attack – SQL injection.

The warning comes after the hotel booking website, Worldview Limited, was fined £7,500 following a serious data breach where a vulnerability on the company’s site allowed attackers to access the full payment card details of 3,814 customers.

The data was accessed after the attacker exploited a flaw on a page of the Worldview website to access the company’s customer database. Although customers’ payment details had been encrypted, the means to decrypt the information – known as the decryption key – was stored with the data. This oversight allowed the attackers to access the customers’ full card details, including the three-digit security code needed to authorise payment.

Christopher Graham: the Information Commissioner

The weakness had existed on the website since May 2010 and was only uncovered during a routine update on 28 June 2013. The attackers had access to the information for ten days. The company has now corrected the flaw and invested in improving its IT security systems.

Worldview Limited would have received a £75,000 penalty but the ICO was required to consider the impact any penalty would have on the company’s financial situation.

Attacks are preventable

Simon Rice, the ICO’s Group Manager for Technology, said: “It may come as a surprise to many in the IT security industry that this type of attack is still allowed to occur. SQL injection attacks are preventable but organisations need to spend the necessary time and effort to make sure their website isn’t vulnerable. Worldview Limited failed to do this, allowing the card details of over 3,000 customers to be compromised.”

Rice added: “Organisations must act now to avoid one of the oldest hackers’ tricks in the book. If you don’t have the expertise in-house then find someone who does, otherwise you may be the next organisation on the end of an ICO fine and the reputational damage that results from a serious data breach.”
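The flaw the ICO describes can be shown beside its fix. This is an added example, not code from the ICO notice or from Worldview: a constructed in-memory SQLite bookings table (invented references, e-mail addresses and card tokens) is queried first by pasting user input into the SQL text, which is the injectable form, and then with a bound parameter, which is the standard prevention the notice calls for.

```python
"""Added example (not from the ICO notice or Worldview): a string-built
booking lookup beside its parameterised replacement, run against a
constructed SQLite table so the difference can be checked directly."""
import sqlite3

# Constructed sample data: no real customers, card tokens are fake.
# Note the table holds only an opaque token: the key that would turn a
# token back into a card number must live outside this database, which
# is exactly the separation Worldview lacked.
SAMPLE_BOOKINGS = [
    ("BK-1001", "alice@example.com", "tok_alice"),
    ("BK-1002", "bob@example.com", "tok_bob"),
    ("BK-1003", "carol@example.com", "tok_carol"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory bookings table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bookings (ref TEXT PRIMARY KEY, email TEXT, card_token TEXT)"
    )
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?)", SAMPLE_BOOKINGS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, ref: str) -> list:
    """VULNERABLE form: the user-supplied value is spliced into the SQL
    text, so a quote character in the input changes the query's meaning."""
    sql = f"SELECT ref, email FROM bookings WHERE ref = '{ref}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, ref: str) -> list:
    """HARDENED form: the value is bound as a parameter; the database never
    parses it as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT ref, email FROM bookings WHERE ref = ?", (ref,)
    ).fetchall()


def rows_returned(ref: str) -> tuple:
    """Run both lookups on the same input and return (unsafe, safe) row
    counts. A legitimate reference gives (1, 1); an input carrying SQL
    syntax inflates the unsafe count while the safe lookup matches nothing,
    which is the check a reviewer uses to confirm the fix took effect."""
    conn = build_db()
    try:
        return len(lookup_unsafe(conn, ref)), len(lookup_safe(conn, ref))
    finally:
        conn.close()


if __name__ == "__main__":
    print(rows_returned("BK-1001"))
    print(rows_returned("x' OR '1'='1"))
```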


Filed under Risk UK News

ICO Blog: ‘An updated CCTV Code of Practice fit for 2014 and beyond’

Jonathan Bamford – head of strategic liaison at the Information Commissioner’s Office (ICO) – discusses the ICO’s updated CCTV Code of Practice and outlines why a revised Code is required to meet the demands of modern society.

It’s nearly five months since I last wrote about the importance of having a CCTV Code fit for the demands of modern society. At that time the draft version of the Code was out for consultation. Now, all of your comments have been considered and our updated CCTV guidance is available on the ICO’s website.

The updated CCTV Code is one that’s truly fit for the times in which we live. The days of CCTV being limited to a video camera on a pole are long gone. Our new Code reflects the latest advances in surveillance technologies and their implementation, while also explaining the key data protection issues that those operating the equipment need to understand.

So what’s changed? Well, in some respects it’s a case of ‘keep calm and carry on’. The fundamental principles that need to be followed remain the same. People must be informed about the information being collected about them with relevant use of privacy notices and signage where required. The information also needs to be kept secure so that it doesn’t fall into the wrong hands, and effective retention and disposal schedules must be in place to make sure information is only kept for as long as necessary before it’s securely destroyed.

The ICO has updated its CCTV Code of Practice

However, the Code must reflect the times. The pace of technological change since our CCTV guidance was last updated in 2008 – let alone when it was first published some 14 years ago – has been considerable. These advances bring with them new opportunities and challenges for making sure the technology continues to be used in compliance with the Data Protection Act.

One common theme from the enforcement action we’ve taken in relation to the use of surveillance cameras is that there needs to be a thorough privacy impact assessment. This needs to be conducted before deploying these increasingly powerful and potentially intrusive technologies. The Code will help operators to stay on the right side of the law and save them from wasting money and resources on non-compliant systems.

New and emerging surveillance technologies

The new and emerging technologies section of the updated Code covers the key surveillance technologies that we believe will become increasingly popular in the years ahead.

A number of organisations are starting to use body-worn video. These small, inconspicuous devices can record both sound and images, which means they are capable of being much more intrusive than traditional town centre CCTV. On that basis, their use needs to be well justified, with safeguards in place to ensure they are not used when they’re not needed. There must be strong security in case the devices fall into the wrong hands. The Code details specific guidance to help deal with the challenges of using these new devices.

The guidance also considers technologies that are not currently commonplace, but which may prove increasingly popular in future. Just last month, the Civil Aviation Authority released figures showing that over 300 companies have now been given permission to operate UAS (Unmanned Aerial Surveillance) in the UK. This figure has risen by a third within the last 12 months alone. Many of these devices can now be bought for a few hundred pounds and can record imagery. There’s important guidance on how they can be used by organisations to record personal information.

Recreational users are also encouraged to operate UAS responsibly. For example, recording should be restricted and only carried out in controlled areas where people are informed that monitoring may be taking place. It’s important that organisations understand these obligations at an early stage if they’re to remain on the right side of the law.

Jonathan Bamford: head of strategic liaison at the ICO

The updated CCTV Code also addresses long-standing issues where the consultation responses have shown that further clarification of the law is required. One such issue is the need for operators to comply with subject access requests. These requests are an important right enshrined in the Data Protection Act and allow individuals to request a record of any personal information that an organisation holds about them. This includes CCTV footage capturing their image.

However, these requests have been causing a great deal of confusion, particularly for smaller operators unaware of this area of the law. The new CCTV guide includes an expanded section explaining how these requests should be handled, when the information should be given out and details of the statutory deadline of 40 days by which time operators have to provide a full response.

Complementing the Surveillance Camera Code of Practice

We’ve designed our guidance to complement the Surveillance Camera Code of Practice published under the Protection of Freedoms Act 2012. The Surveillance Camera Code’s ‘Guiding Principles’ apply to police forces, Police and Crime Commissioners and local authorities in England and Wales as described in the Act, and contain advice about recommended operational and technical standards that others may find useful.

The technology may change but the principles of the Data Protection Act remain the same. CCTV and other surveillance systems need to be proportionate, justifiable and secure in order to be compliant.

The updated ICO Code will help to make sure that this situation continues for the years ahead.


Filed under Risk UK News

ICO warns CCTV operators that use of surveillance cameras must be “necessary and proportionate”

The Information Commissioner’s Office has warned CCTV operators that surveillance cameras must only be used as a necessary and proportionate response to a real and pressing problem.

The warning comes on the same day that the Information Commissioner’s Office (ICO) has published its updated CCTV Code of Practice. The update includes a look at the data protection requirements placed on the operators of new and emerging surveillance technologies, including drones and body-worn video cameras.

“The UK is one of the leading users of CCTV and other surveillance technologies in the world,” said Jonathan Bamford, the ICO’s head of strategic liaison. “The technology on the market today is able to pick out even more people to be recorded in ever greater detail. In some cases, that detail can then be compared with other databases, for instance when Automatic Number Plate Recognition (ANPR) is used. This realises new opportunities for tackling problems such as crime, but also poses potential threats to privacy if cameras are just being used to record innocent members of the public without good reason.”

The ICO has moved to warn CCTV operators that the use of surveillance cameras must be “necessary and proportionate”

Bamford added: “Surveillance cameras should not be deployed as a quick fix, but rather as a proportionate response to a real and pressing problem. Installing surveillance cameras or technology like ANPR and body-worn video is often seen as the first option, but before deploying such systems we need to understand the problem and whether that’s an effective and proportionate solution. Failure to conduct proper privacy impact assessments in advance has been a common theme in our enforcement cases.”

Updated Code of Practice: the detail

The updated Code of Practice explains how CCTV and other forms of camera surveillance can be used to process people’s information. The guidance details the issues that operators should consider before installing such surveillance technology, the measures that companies should have in place to make sure an excessive amount of personal information isn’t being collected and the steps organisations should take in order to make sure captured information is kept secure and destroyed once it’s no longer required.

The ICO’s CCTV Code of Practice complements the provisions in the Surveillance Camera Code of Practice issued last year by the UK Surveillance Camera Commissioner, which applies to police forces, local authorities and Police and Crime Commissioners in England and Wales (as described in the Protection of Freedoms Act 2012). The ICO’s guidance covers a wider area, as the requirements of the Data Protection Act apply to all sectors processing personal information across the whole of the UK (including the private sector). The Data Protection Act 1998 does not apply to individuals operating CCTV for their own domestic use.

Recent enforcement action taken by the ICO to stop the excessive use of CCTV includes an enforcement notice served on Southampton City Council after the latter required the video and audio recording of the city’s taxi passengers 24 hours a day.

The ICO also served an enforcement notice on Hertfordshire Constabulary after the force began using ANPR cameras to record every car entering and leaving the small rural town of Royston in Hertfordshire.

In both cases, the “excessive use” of surveillance cameras was reduced following the ICO’s action.


Filed under Risk UK News

GPEN survey finds 85% of mobile apps fail to provide basic privacy information

A survey of over 1,200 mobile apps by 26 privacy regulators from across the world has shown that a high number of apps are accessing large amounts of personal information without adequately explaining how people’s data is being used.

The survey by the Global Privacy Enforcement Network (GPEN) examined the privacy information provided by 1,211 mobile apps. As a member of GPEN, the UK’s Information Commissioner’s Office examined 50 of the top apps released by UK developers.

The key findings of the research are as follows:

*85% of the apps surveyed failed to clearly explain how they were collecting, using and disclosing personal information
*More than half (59%) of the apps left users struggling to find basic privacy information
*Almost one-in-three apps appeared to request an excessive number of permissions to access additional personal information
*43% of the apps failed to tailor privacy communications to the small screen, either by providing information in print that was too small or by hiding the information in lengthy privacy policies that required scrolling or clicking through multiple pages

A survey of over 1,200 mobile apps by 26 privacy regulators from across the world has shown that a high number of apps are accessing large amounts of personal information without adequately explaining how people’s information is being used

Examples of good practice

The research did find examples of good practice, with some apps providing a basic explanation of how personal information is being used, including links to more detailed information if the individual wants to know more.

The regulators were also impressed by the use of just-in-time notifications on certain apps that informed users of the potential collection (or use) of personal data as it was about to happen. These approaches make it easier for people to understand how their information is being used and when.

ICO group manager for technology, Simon Rice, commented: “Apps are becoming central to our lives, so it’s important we understand how they work and what they are doing with our information. These results show that many app developers are still failing to provide this information in a way that is clear and understandable to the average consumer.”

Rice added: “The ICO and the other GPEN members will be writing to those developers where there is clear room for improvement. We will also be publishing guidance to explain the steps people can take to help protect their information when using mobile apps.”

The ICO has published its Privacy in Mobile Apps guidance to help app developers in the UK handle people’s information correctly and meet their requirements under the Data Protection Act 1998. The guidance includes advice on informing people how their information will be used.

Research carried out last year to support the guidance’s launch showed that 49% of app users have decided not to download an app due to privacy concerns.

View the full results of the GPEN survey


Filed under Risk UK News

Repeated security failings lead to £180,000 fine for Ministry of Justice

The Information Commissioner’s Office (ICO) has served a £180,000 penalty on the Ministry of Justice over serious failings in the way prisons in England and Wales have been handling people’s information.

The penalty follows the loss of a back-up hard drive at HMP Erlestoke Prison, Wiltshire in May 2013. The hard drive contained sensitive and confidential information about 2,935 prisoners, including details of links to organised crime, health information, histories of drug misuse and material about victims and visitors. The device was not encrypted.

The incident followed a similar case in October 2011 when the ICO was alerted to the loss of another unencrypted hard drive containing the details of 16,000 prisoners serving time at HMP High Down Prison in Surrey.

In response to the first incident, in May 2012 the prison service provided new hard drives to all of the 75 prisons across England and Wales still using back-up hard drives in this way. These devices were able to encrypt the information stored on them. However, the ICO’s investigation into this latest incident found that the prison service didn’t realise that the encryption option on the new hard drives needed to be turned on to work correctly.

The Information Commissioner’s Office (ICO) has served a £180,000 penalty on the Ministry of Justice over serious failings in the way prisons in England and Wales have been handling people’s information

The end result was that highly sensitive information was insecurely handled by prisons across England and Wales for over a year, in turn leading to the latest data loss at HMP Erlestoke. If the hard drives in both of these cases had been encrypted then the information would have remained secure despite their loss.

Highly sensitive information insecurely handled

ICO head of enforcement Stephen Eckersley commented: “The fact that a Government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them how to use it beggars belief. The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year. This failure to provide clear oversight was only addressed when a further serious breach occurred and the devices were finally set up correctly.”

Eckersley continued: “This is simply not good enough. We expect Government departments to be an example of Best Practice when it comes to looking after people’s information. We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must also understand how to use it.”

Working with the National Offender Management Service, the Ministry of Justice has now taken action to ensure all of the hard drives being used by prisons are securely encrypted.


Filed under Risk UK News