
Prisons fined £180k for handling failure

by Mark Rowe

The Ministry of Justice has been fined £180,000 by the data security watchdog. According to the Information Commissioner’s Office (ICO) the penalty comes after serious failings in the way prisons in England and Wales have been handling people’s information.

The fine follows the loss of a back-up hard drive at HMP Erlestoke prison in Wiltshire in May 2013. The hard drive contained sensitive and confidential information about 2,935 prisoners, including details of links to organised crime, health information, history of drug misuse and material about victims and visitors. The device was not encrypted.

In a similar case in October 2011, the ICO was told of the loss of another unencrypted hard drive containing the details of 16,000 prisoners serving time at HMP High Down prison in Surrey.

In response to the first incident, in May 2012 HM Prison Service provided new hard drives to all of the 75 prisons across England and Wales still using back-up hard drives in this way. These devices were able to encrypt the information stored on them. But on looking into the 2013 incident, the ICO found that the Prison Service had not realised that the encryption option on the new hard drives needed to be turned on to work correctly.

The result, the watchdog said, was that highly sensitive information was insecurely handled by prisons across England and Wales for more than a year, leading to the latest data loss at Erlestoke. If the hard drives in both of these cases had been encrypted, the information would have remained secure despite their loss, according to the watchdog.

ICO Head of Enforcement, Stephen Eckersley, said: “The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief. The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year. This failure to provide clear oversight was only addressed when a further serious breach occurred and the devices were finally set up correctly.

“This is simply not good enough and we expect government departments to be an example of best practice when it comes to looking after people’s information. We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it.”

The ICO reports that the Ministry of Justice, working with the National Offenders and Management Service, have now acted to ensure all of the hard drives being used by prisons are securely encrypted.

The ICO’s Group Manager for Technology, Simon Rice, has written a blog explaining the importance of encryption and the encryption options available to organisations. Visit – http://ico.org.uk/news/blog/2013/why-encryption-is-important-to-data-security

The ICO advises organisations to encrypt any personal information held electronically that would cause damage or distress if it were lost or stolen.

Meanwhile, a report published by the ICO saw ‘clear room for improvement’ in how councils comply with the Data Protection Act. The ICO says that it audited 16 local authorities last year. The audits include an overall ‘assurance rating’, but none received high assurance that they were complying with data protection law. Six were told they had considerable room for improvement, while one was warned that immediate action was required. The areas for improvement identified by the audits are, according to the ICO, notably improving training and ensuring effective data protection governance is in place. The report also lists examples of good practice found during the audits, in areas such as information security and records management.

John-Pierre Lamb, ICO Group Manager in the Good Practice team, said: “The Information Commissioner has levied monetary penalties to local authorities for the most serious breaches of the data protection principles totalling over £2.3m. The types of breaches we’re seeing are fairly consistent, with personal information being disclosed in error and lost or stolen paperwork and hardware prevalent.

“It’s clear that there’s room for improvement, and not just by the local authorities we visited: the areas for improvement we identified in those visits should prove helpful to many local authorities. By learning from the mistakes of others, and indeed learning from the examples of good practice we found, local authorities will improve their compliance with the law, and be less likely to find the regulator knocking on their door.

“Our figures show that local authorities have much to do to improve data protection governance and training. We recognise that councils are having ‘to do more with less’ due to ongoing budgetary pressures, but it is important to appreciate that the lack of effective governance structures and training programmes significantly increases the risk of serious breaches of the DPA.”

Visit – http://ico.org.uk/for_organisations/sector_guides/local_authority

© 2024 Professional Security Magazine. All rights reserved.