
MoJ told to pay £180k after "serious failures" in handling of personal information

The government department with overarching responsibility for data protection legislation, the Ministry of Justice, has been hit with a £180,000 monetary penalty over what the Information Commissioner’s Office described as “serious failings” in the handling of personal information.

The monetary penalty was levied after the loss of a back-up hard drive at HMP Erlestoke prison in Wiltshire in May 2013.

The ICO said the hard drive contained sensitive and confidential information about 2,935 prisoners, including details of links to organised crime, health information, history of drug misuse and material about victims and visitors. The device had not been encrypted.

A similar incident involving the loss of an unencrypted hard drive had occurred in October 2011 affecting 16,000 prisoners at High Down prison in Surrey.

In response to the incident at High Down, the prison service provided new hard drives to all of the 75 prisons across England and Wales still using back-up hard drives in this way.

An investigation into the HMP Erlestoke prison incident found that the prison service had not realised that the encryption option on the new hard drives needed to be turned on to work correctly.

“The result was that highly sensitive information was insecurely handled by prisons across England and Wales for over a year, leading to the latest data loss at HMP Erlestoke,” the ICO said.

“If the hard drives in both of these cases had been encrypted, the information would have remained secure despite their loss.”

Stephen Eckersley, ICO Head of Enforcement, said: “The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief.

“The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year. This failure to provide clear oversight was only addressed when a further serious breach occurred and the devices were finally set up correctly.”

Eckersley added: “This is simply not good enough and we expect government departments to be an example of best practice when it comes to looking after people’s information. We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it.”

The ICO said the MoJ, working with the National Offenders and Management Service, had now taken action to ensure all of the hard drives being used by prisons were securely encrypted.

A copy of the monetary penalty notice can be viewed here.

A Ministry of Justice spokesperson said: "We take data protection issues very seriously and have made significant and robust improvements to our data security measures. These hard drives have now been replaced with a secure centralised system.

"Incidents like this are extremely rare and there is no evidence to suggest that any personal data got into the public domain."