The Information Commissioner's Office (ICO) has ordered the Ministry of Justice to pay a £180,000 civil penalty. The fine follows what the ICO described in a statement as “serious failings” which led to a lack of proper data protection in 75 separate prisons around England and Wales.
The fine is one of the biggest penalties ever handed down to a governmental department. The blunders made by the Ministry of Justice led to sensitive data being handled insecurely by a number of English and Welsh prisons. Specifically, the Ministry of Justice failed to tell these prisons that they had to turn on encryption when using new backup digital storage.
The issue stems from a previous blunder where data relating to roughly 16,000 individuals in prison were lost. Following this, in May 2012, prisons were provided with new hard drives which had an advanced encryption function in order to securely store data. However, prisons were not made aware that they had to actively turn on encryption at their end in order for it to properly function. As a result, 75 prisons used the hard drives without encryption being active, leading to sensitive data being stored without the levels of security that should have been necessary.
This insecure storage of important information lasted for more than a year before the blunder was uncovered and the situation was rectified. During this period of unencrypted data storage, in May 2013, one hard drive was lost. The hard drive in question contained information relating to just under 3,000 prisoners, some of whom had links to organised criminal groups. All of this data was unencrypted and, therefore, relatively easy to access should the hard drive fall into the wrong hands.
When the situation did come to light, it was as a result of a direct investigation by the ICO.
Stephen Eckersley, head of enforcement for the ICO, said of the situation: “The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it, beggars belief.”
However, it seems that the situation has at last been rectified to help prevent any data crises in the future. The ICO has issued an assurance that the ministry has now taken the necessary steps to ensure that encryption is active on all hard drives used within prisons, and that data is now being kept securely.
The Ministry of Justice was previously issued with a fine of £140,000 in October 2014 for separate data protection blunders. This incident saw the details of over a thousand prisoners emailed multiple times to the families of three inmates.