The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

1,000 prisoners’ details emailed to inmates’ families

News release: 22 October 2013


MoJ fined £140k following serious data breach

The Information Commissioner’s Office (ICO) has served the Ministry of Justice (MoJ) with a monetary penalty of £140,000 after a serious data breach led to the details of all of the prisoners serving at HMP Cardiff being emailed to three of the inmates’ families.

The breach was only discovered when one of the recipients contacted the prison on 2 August 2011 to report that they had received an email from the prison clerk about an upcoming visit, which included a file containing the inmates’ details. The file included a spreadsheet containing sensitive information including the names, ethnicity, addresses, sentence length, release dates and coded details of the offences carried out by all of the prison’s 1,182 inmates.

An internal investigation was launched and the same error was found to have occurred on two previous occasions within the previous month, with details sent to different inmates’ families. Neither incident was reported at the time.

The police and a member of the prison’s staff were sent to the recipients’ home addresses and checks were made to ensure the files had been deleted. The unauthorised disclosures were reported to the ICO on 8 September 2011.

The ICO’s investigation found that there was a clear lack of management oversight at the prison, with the clerk working unsupervised despite only having worked at the prison for two months and having limited experience and training. A lack of audit trails also meant that the disclosures would have gone unnoticed if they hadn’t been reported by one of the recipients.

The investigation also found problems with the manner in which prisoners’ records were handled, with unencrypted floppy disks regularly used to transfer large volumes of data between the prison’s two separate networks.

ICO Deputy Commissioner and Director of Data Protection, David Smith, said:

“The potential damage and distress that could have been caused by this serious data breach is obvious. Disclosing this information not only had the potential to put the prisoners at risk, but also risked the welfare of their families through the release of their home addresses.

“Fortunately it appears that the fall-out from this breach was contained, but we cannot ignore the fact that this breach was caused by a clear lack of management oversight of a relatively new member of staff. Furthermore the prison service failed to have procedures in place to spot the original mistakes.

“It is only due to the honesty of a member of the public that the disclosures were uncovered as early as they were and that it was still possible to contain the breach.”

Today’s penalty was imposed on the Ministry of Justice as the National Offender Management Service, which is responsible for commissioning and delivering prison and probation services across England and Wales, is an executive agency of the department.

View this news release in Welsh

 

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter.

4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

5. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.

6. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).

7. If you need more information, please contact the ICO press office on 0303 123 9070.