The Information Commissioner’s Office (ICO) has served a £180,000 penalty on the Ministry of Justice for “serious failings” in personal data protection at prisons in England and Wales.
The penalty follows the loss of a back-up hard drive at Erlestoke prison in Wiltshire in May 2013.
The unencrypted hard drive contained sensitive and confidential information about 2,935 prisoners, including details of links to organised crime, health information and history of drug misuse.
The Erlestoke loss was not the first. In October 2011, the ICO was alerted to the loss of an earlier unencrypted hard drive containing the details of 16,000 prisoners serving time at High Down prison in Surrey.
In response to that first incident, the prison service provided new hard drives to all 75 prisons across England and Wales that were still backing up data to portable hard drives in this way.
These devices were able to encrypt the information stored on them, but the ICO’s investigation into the Erlestoke incident found the prison service did not realise the encryption option on the new hard drives needed to be turned on.
The ICO noted that if the hard drives in both these cases had been encrypted, the information would have remained secure despite their loss.
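The failure described above, a drive that can encrypt but has never had encryption enabled, is invisible unless somebody checks before data is written to it. The following Python script is an added example, not part of the original article or of any ICO or prison service guidance: it parses the JSON that `lsblk -J` prints on Linux and refuses a backup mount point unless a dm-crypt (LUKS) layer sits between the physical disk and the mounted file system. The sample `lsblk` output, the device names and the mount points are constructed for illustration; the `MOUNTPOINTS` column name assumes util-linux 2.37 or later (older versions print a single `mountpoint` field, which the parser also accepts).

```python
"""Check that a backup mount point sits on an encrypted block device.

Added example (not the article's or the prison service's code). It reads the
device tree that `lsblk -J -o NAME,TYPE,MOUNTPOINTS` prints and looks for a
"crypt" (dm-crypt/LUKS) node between the disk and the mounted file system.
A drive that merely *supports* encryption looks exactly like a plain one until
that layer is actually set up, which is the trap the ICO describes.

Caveat: if the encryption is implemented inside the drive itself, the host
sees an ordinary block device whether or not that option is on, so this check
cannot confirm it; use the vendor's management tool for such drives, or prefer
host-side encryption that can be audited like this.
"""
import json
import subprocess
from typing import Iterator, List, Optional

# Constructed sample lsblk JSON (not captured from any real system):
#   sdb  - plain external disk, partition mounted at /mnt/backup-plain
#   sdc  - partition holding a LUKS container, opened as backup_crypt and
#          mounted at /mnt/backup
SAMPLE_LSBLK = json.dumps({
    "blockdevices": [
        {"name": "sdb", "type": "disk", "mountpoints": [None],
         "children": [
             {"name": "sdb1", "type": "part", "mountpoints": ["/mnt/backup-plain"]}
         ]},
        {"name": "sdc", "type": "disk", "mountpoints": [None],
         "children": [
             {"name": "sdc1", "type": "part", "mountpoints": [None],
              "children": [
                  {"name": "backup_crypt", "type": "crypt",
                   "mountpoints": ["/mnt/backup"]}
              ]}
         ]},
    ]
})


def _mountpoints(node: dict) -> List[str]:
    """Normalise the old ("mountpoint") and new ("mountpoints") lsblk fields."""
    if "mountpoints" in node:
        return [m for m in node["mountpoints"] if m]
    mp = node.get("mountpoint")
    return [mp] if mp else []


def _chains(nodes: List[dict], prefix: List[dict]) -> Iterator[List[dict]]:
    """Yield every disk-to-device chain in the lsblk tree (parents first)."""
    for node in nodes:
        chain = prefix + [node]
        yield chain
        yield from _chains(node.get("children", []), chain)


def _chain_for(tree: List[dict], mountpoint: str) -> Optional[List[dict]]:
    """Return the chain of devices ending at the one mounted at mountpoint."""
    for chain in _chains(tree, []):
        if mountpoint in _mountpoints(chain[-1]):
            return chain
    return None


def backup_target_is_encrypted(lsblk_json: str, mountpoint: str) -> bool:
    """True only if a dm-crypt node lies between the disk and the mount point.

    An unmounted or unknown path returns False: refuse rather than assume.
    """
    chain = _chain_for(json.loads(lsblk_json)["blockdevices"], mountpoint)
    return chain is not None and any(n.get("type") == "crypt" for n in chain)


def live_target_is_encrypted(mountpoint: str) -> bool:
    """Run lsblk on the current Linux host and apply the same check."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINTS"],
        check=True, capture_output=True, text=True,
    ).stdout
    return backup_target_is_encrypted(out, mountpoint)


if __name__ == "__main__":
    # Demonstration on the constructed sample; a backup job would call
    # live_target_is_encrypted() and abort when it returns False.
    for mp in ("/mnt/backup", "/mnt/backup-plain", "/mnt/missing"):
        ok = backup_target_is_encrypted(SAMPLE_LSBLK, mp)
        print(mp, "encrypted" if ok else "NOT encrypted, refusing to write backup")
```

A backup job that calls `live_target_is_encrypted()` before `rsync` or `tar` turns the ICO's "must understand how to use it" into a hard gate: the copy simply does not happen onto a device where the encryption layer was never created.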
“The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief,” said Stephen Eckersley, head of enforcement at the ICO.
The result was that highly sensitive information was insecurely handled by prisons across England and Wales for over a year, leading to the data loss at Erlestoke prison, the ICO said.
“This failure to provide clear oversight was only addressed when a further serious breach occurred and the devices were finally set up correctly.”
Eckersley said the ICO expected government departments to be an example of best practice when it comes to looking after people’s information.
“We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it,” he said.
The ICO said the Ministry of Justice had taken action with the National Offender Management Service to ensure all the hard drives being used by prisons are securely encrypted.
The ICO’s group manager for technology, Simon Rice, has written a blog explaining the importance of encryption and the encryption options available to organisations.
The ICO advises organisations to encrypt any personal information held electronically that could cause damage or distress if it were lost or stolen.
Chris McIntosh, chief executive of ViaSat UK, said data protection should no longer be a mystery to organisations and their employees.
“The fact that employees did not realise they needed to turn on encryption shows the need for them to be educated and best practice followed in order for any investment in security to deliver value,” he said.
McIntosh said this case demonstrates that the threat of fines and other recriminations is not having the desired effect.
“Data protection organisations such as the ICO need both carrot and stick to ensure information is protected,” he said.
In July this year, the ICO said it needed better funding, greater powers and guaranteed independence.
The call came as the ICO released its annual report, which showed that the watchdog dealt with a record 15,429 data protection complaints in the past year, up 10% from the previous year.
But Simon Eappariello, European senior vice-president at iboss Network Security, said funding is not the whole answer to fixing data privacy issues.
“While funding will, critically, give the ICO the manpower to handle the ever-growing number of complaints, personal and industry attitudes towards data need to change,” he said.
Eappariello believes the UK needs to tackle the root cause of why so many organisations need to be investigated.
“And that buck does not stop with the ICO,” he said. “It is something that should be addressed at the board level, too.”
Eappariello said every organisation that deals with personal data must review its processes to ensure they are providing adequate protection.