Ministry of Justice fined £180,000 after prison didn't realise encryption had to be turned on

MoJ ineptitude 'beggars belief', says ICO, after it is fined again for mishandling prisoner data

The Ministry of Justice (MoJ) has been fined yet again for the mishandling of sensitive information, in a situation that "beggars belief", according to the head of enforcement at the Information Commissioner's Office (ICO), Stephen Eckersley.

Serious failings in the way that English and Welsh prisons have been handling data are to blame for the £180,000 fine, the ICO said.

The penalty was meted out after the loss of a back-up disk drive from HMP Erlestoke in Wiltshire in May 2013. The hard drive, which was unencrypted, contained confidential information about 2,935 prisoners, including details of links to organised crime, health information, history of drug misuse and material about victims and visitors.

The security mishap follows another "serious data breach" in August 2011, in which details of all 1,182 prisoners serving time at HMP Cardiff were sent to three families of inmates. The ICO subsequently fined the MoJ £140,000 in October 2013.

Meanwhile, in October 2011, the ICO was alerted to the loss of another hard drive containing the details of 16,000 prisoners serving time at HMP High Down in Surrey. The data on this drive, though, had been encrypted.

In response, in May 2012 the prison service provided new hard drives, with the option to encrypt data, to all of the 75 prisons across England and Wales that were still using back-up hard drives in this way.

However, the ICO found in its investigation of the back-up hard drive from HMP Erlestoke in Wiltshire that the prison service didn't realise that the encryption option on the new hard drives needed to be turned on to work correctly.

The ICO's Eckersley said that the fact that the MoJ could supply equipment to prisons without properly understanding it, let alone telling the prisons how to use it, "beggars belief".

He continued: "The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year.

"This failure to provide clear oversight was only addressed when a further serious breach occurred and the devices were finally set up correctly.

"This is simply not good enough and we expect government departments to be an example of best practice when it comes to looking after people's information. We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people's information secure, but must understand how to use it," he said.

Chris McIntosh, CEO of security and data communications provider ViaSat UK, believes that the fact that the MoJ has been fined yet again shows that the ICO's message on data protection is not being acted on by many organisations.

"It's clear from this and myriad other cases that the message simply isn't getting through: whether large organisations or single workers, it seems that the threat of fines and other punishments still doesn't dissuade people from taking these actions and the fines themselves are left as the only deterrent with any impact," he said.