According to the data watchdog, the information commissioner’s office the Ministry of Justice allowed data to go missing twice and failed to encrypt personal data.
It all started when an unencrypted hard drive containing data on 2,935 prisoners went missing at HMP Erlestoke in Wiltshire last May. The information included details of links to organised crime, health information, history of drug misuse and material about victims and visitors.
This followed a similar case in October 2011, when the information commissioner’s office (ICO) was alerted to the loss of another unencrypted hard drive containing the details of 16,000 prisoners at HMP High Down in Surrey.
After the first mistake, the prison service was given new hard drives in May 2012 for all of the 75 prisons across England and Wales. The devices could encrypt the information stored on them, but for some reason the prison service did not realise the encryption option needed to be turned on.
Sensitive information was insecurely handled by prisons across England and Wales for over a year, leading to the latest data loss at HMP Erlestoke. If the hard drives in both of these cases had been encrypted, the information would have remained secure despite their loss, the ICO noted.
Stephen Eckersley, ICO head of enforcement said that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief.
“The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year. This failure to provide clear oversight was only addressed when a further serious breach occurred and the devices were finally set up correctly.
“This is simply not good enough and we expect government departments to be an example of best practice when it comes to looking after people’s information. We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it,” he said.