Thursday, 24 October 2013

ICO fines Ministry of Justice £140,000 for Cardiff prison data breach

HM Prison sign
The Information Commissioner’s Office (ICO) has fined its parent department, the Ministry of Justice (MoJ), £140,000 after data on 1,000 prisoners at HMP Cardiff were leaked.
The breach saw details on 1,182 prisoners emailed to three families of inmates at the prison. The breach was discovered on 2 August, 2011, when one of the families told the prison they had received a spreadsheet of information.
The spreadsheet included details on names, addresses, sentence length, release dates and coded details of offences by all of the prisoners at HMP Cardiff. The ICO was informed of the issue on 8 September, 2011.
Once the issue was investigated it was discovered the same data had already been sent out to two other unintended recipients. Police and prison staff visited the homes of the recipients to ensure the data was deleted.
The ICO said the issue occurred because of a lack of relevant training and supervision of junior staff, with a clerk responsible having only two months experience in the role. It also found the prison used unencrypted floppy disks to transport prisoner data.
ICO deputy commissioner David Smith said it was lucky that the breach appeared to have no major consequences but it had brought to light very poor data handling practices at the prison.
“Disclosing this information not only had the potential to put the prisoners at risk, but also risked the welfare of their families through the release of their home addresses,” he said.
“We cannot ignore the fact that this breach was caused by a clear lack of management oversight of a relatively new member of staff. Furthermore the Prison Service failed to have procedures in place to spot the original mistakes.”
A statement from the MoJ said it acknowledged the severity of the incident and would be working to improve procedures across prisons.

"We treat the security of information very seriously and took immediate steps to recover the data as soon as the loss was reported to ensure that it went no further. These types of incidents are extremely rare but this does not mean that we are complacent," it said.

"A thorough investigation was held by the prison, which immediately altered its procedures, and further changes were implemented across the prison estate.”
The fine is just one of many handed out to government bodies over recent years but it is especially embarrassing for the government as the MoJ is the department responsible for the ICO and overseeing data protection issues.
The MoJ received the fine, rather than the prison itself, because the National Offender Management Service, responsible for commissioning and delivering prison and probation services in England and Wales, is an executive agency of the department.

No comments:

Post a Comment