The Information Commissioner’s Office (ICO) has fined the Ministry of Justice (MoJ) £180,000 after it discovered all 75 prisons in England and Wales had been storing data on hard drives without the encryption capability turned on for more than a year.
The issue came to light after a hard drive at Erlestoke Prison in Wiltshire went missing in May 2013. The hard drive contained data on 2,935 prisoners, including information on their links to organised crime gangs, health information and data on their victims as well.
The data was not encrypted, despite the hard drives having been specifically bought for this capability, as staff at the prison did not realise the encryption had to be turned on. The lost device has still not been recovered.
All 75 prisons in England and Wales were given encrypted hard drives in May 2012 in response to an incident in October 2011, when the ICO discovered an unencrypted hard drive containing sensitive data was lost.
However, the ICO discovered the MoJ – through its National Offender Management Service (NOMS) – had not instructed its IT provider to ensure staff understood the encryption on the hard drives had to be switched on.
As such, all 75 prisons in England and Wales had been storing data without encryption for more than a year, from May 2012 to around June/July 2013, when the MoJ became aware of this and contacted all prisons to rectify the problem.
The ICO investigation followed on from this and head of enforcement Stephen Eckersley said the failure of prison staff to understand how to correctly use the kit they were given was an almost unbelievable error.
“The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief.
“The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year.”
The fine is especially notable as the MoJ is the parent department for the ICO, with information commissioner Christopher Graham recently urging the MoJ to release more funding for its work.
Eckersley added that government departments needed to lead the way on data protection, and he hoped the fine would act as a wake-up call.
“We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it.”
The fine will be £144,000 if it is paid by 19 September.
A Ministry of Justice spokesperson said: “We take data protection issues very seriously and have made significant and robust improvements to our data security measures. These hard drives have now been replaced with a secure centralised system.
“Incidents like this are extremely rare and there is no evidence to suggest that any personal data got into the public domain.”
This is not the first time the ICO has taken action against the Ministry of Justice: a fine of £140,000 was handed down over an email-related incident at HMP Cardiff in 2013.