The ICO has issued a formal reprimand to the Ministry of Justice (MoJ) after confidential waste documents were left in an unsecured prison holding area.
Prisoners and staff had access to the 14 bags of confidential documents, which included medical and security vetting details, for a period of 18 days.
During this time staff challenged prisoners who were openly reading the documents, but did nothing proactive to ensure the personal information was secured. At least 44 people had access to the information, which had remained on site because the contracted shredding and waste removal company had not collected it as scheduled.
The ICO investigation uncovered a lack of robust policies at the prison including:
- no pre-agreed areas for staff to leave confidential waste in a secure place;
- staff being unaware of the need to shred information or the risks of allowing prisoners access to non-shredded confidential documents;
- inaccurate records of the number of staff who had completed data protection training; and
- a general lack of staff understanding of the risks to personal data and the need to report data breaches.
“Everyone has the right to expect their personal details will be kept secure and this includes in a prison environment, where exposure of personal information could potentially have serious consequences.
“Whether documents are consigned to waste or not, they must be handled securely and responsibly and we expect both the prison and the MoJ to continue to take steps to improve practices to ensure people are protected.”
- Steve Eckersley, ICO Director of Investigations
The reprimand details a number of required or recommended actions including:
- a thorough review of all data protection policies, procedures and guidance to ensure they are adequate and up to date with legislation; and
- the creation of a separate data breach reporting policy for staff.
The MoJ is also required to provide the ICO with a progress report by the end of October 2023.
This is the 45th reprimand now published on the website, detailing how the work of the ICO is making sure people’s information rights are protected. Previous examples include ensuring:
- a review led to a new policy being introduced at an NHS Trust which stopped the standard practice of sending out group emails, significantly reducing the risk of emails being sent to the wrong person;
- the implementation of improved technical measures at an independent advisory body to better guard against future attempts at unlawful access to its IT systems;
- people’s subject access requests made to a government department are actioned within the statutory timescale;
- procedures were reviewed and updated at a local council to prevent disclosure of personal details to opposing parties in child protection legal proceedings; and
- a decommissioning policy was implemented and adhered to at an NHS hospital, to make sure that personal details would not be lost when a filing system was terminated.
Notes to editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
- The ICO can take action to address and change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO, call our helpline on 0303 123 1113, or go to ico.org.uk/concerns.