The Information Commissioner’s Office (ICO) has served a £180,000 penalty on the Ministry of Justice over serious failings in the way prisons in England and Wales have been handling people’s information.

The penalty follows the loss of a back-up hard drive at HMP Erlestoke prison in Wiltshire in May 2013. The hard drive contained sensitive and confidential information about 2,935 prisoners, including details of links to organised crime, health information, history of drug misuse and material about victims and visitors. The device was not encrypted.

The incident followed a similar case in October 2011, when the ICO was alerted to the loss of another unencrypted hard drive containing the details of 16,000 prisoners serving time at HMP High Down prison in Surrey.

In response to the first incident, in May 2012 the prison service provided new hard drives to all of the 75 prisons across England and Wales still using back-up hard drives in this way. These devices were able to encrypt the information stored on them. But the ICO’s investigation into the latest incident found that the prison service didn’t realise that the encryption option on the new hard drives needed to be turned on to work correctly.

The result was that highly sensitive information was insecurely handled by prisons across England and Wales for over a year, leading to the latest data loss at HMP Erlestoke. If the hard drives in both of these cases had been encrypted, the information would have remained secure despite their loss.

ICO Head of Enforcement, Stephen Eckersley, said:

“The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief.

“The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year. This failure to provide clear oversight was only addressed when a further serious breach occurred and the devices were finally setup correctly.

“This is simply not good enough and we expect government departments to be an example of best practice when it comes to looking after people’s information. We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it.”

The Ministry of Justice, working with the National Offenders and Management Service, have now taken action to ensure all of the hard drives being used by prisons are securely encrypted.

The ICO’s Group Manager for Technology, Simon Rice, has written a blog explaining the importance of encryption and the encryption options available to organisations. The ICO advises organisations to encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen. 

ENDS

If you need more information, please contact the ICO press office on 
0303 123 9070 or visit the website at: ico.org.uk.

Notes to Editors

1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
 
2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
 
3. The ICO is on TwitterFacebook and LinkedIn. Read more in the ICO blogand e-newsletter.Our Press Office page provides more information for journalists.
 
4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is:

Fairly and lawfully processed
Processed for limited purposes 
Adequate, relevant and not excessive 
Accurate and up to date 
Not kept for longer than is necessary 
Processed in line with your rights 
Secure 
Not transferred to other countries without adequate protection