Ministry of Justice Gets Huge Fine for “Serious” Data Protection Failings

The Ministry of Justice has been issued with a civil penalty of £180,000 by the Information Commissioner's Office (ICO) after what were described as “serious failings.” The failings in question led to 75 prisons around the country storing sensitive data in a way which fell far short of the required security levels.

This is not the first time the Ministry of Justice has faced penalties for poor data protection practices. In October 2013, they were issued with a fine that was almost as large (£140,000) following another serious failure to keep sensitive information safe. In this incident, details of all the inmates at a prison, totalling more than 1,000 individuals, were accidentally and repeatedly emailed to the families of three of the inmates.

The latest fine is one of the largest penalties that has ever had to be paid by a department of the government. The failings which led to the fine were uncovered after an investigation by the ICO into the data protection practices of the prison service in England and Wales.

The mistake occurred in May 2012 when prisons were issued with new hard drives for back-up storage of important data. These hard drives were equipped with advanced encryption to protect the data from falling into the wrong hands and to keep it safe from hackers. However, the prisons were not properly instructed in how to use these hard drives. Specifically, they were not told that the encryption function had to be turned on by the end user (in this case the individual prison). Instead, many believed that the encryption was an innate function of the hard drives and did not need to be activated.

The result was that data was held for more than a year without encryption by 75 prisons in England and Wales. In May 2013, while this problem was still in effect, a hard drive containing unencrypted data of nearly 3,000 prisoners was lost. Some of the prisoners in question had links to organised criminal gangs, making the loss of their data particularly concerning. All of this data was unencrypted and vulnerable.
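The root cause above is a backup process that assumed encryption was active rather than verifying it. The following added example (not from the article or the Ministry of Justice) shows a pre-backup guard that refuses to write unless the target mount point is demonstrably backed by an encrypted mapping; it assumes a Linux host using dm-crypt/LUKS and parses the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` emits, with the two device trees below constructed for illustration.

```python
import json

# Constructed lsblk output (lsblk -J -o NAME,TYPE,MOUNTPOINT), not captured from any real host.
# Here the backup filesystem sits on a dm-crypt mapping named backup_crypt.
LSBLK_ENCRYPTED = json.dumps({"blockdevices": [
    {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
        {"name": "sdb1", "type": "part", "mountpoint": None, "children": [
            {"name": "backup_crypt", "type": "crypt", "mountpoint": "/mnt/backup"}]}]}]})

# The same drive as shipped, before anyone activated encryption: the plain partition is mounted directly.
LSBLK_PLAIN = json.dumps({"blockdevices": [
    {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
        {"name": "sdb1", "type": "part", "mountpoint": "/mnt/backup"}]}]})


def _find_chain(devices, mountpoint, chain):
    """Return the list of device TYPEs from the disk down to the node mounted at mountpoint, or None."""
    for dev in devices:
        here = chain + [dev.get("type", "")]
        if dev.get("mountpoint") == mountpoint:
            return here
        found = _find_chain(dev.get("children", []), mountpoint, here)
        if found is not None:
            return found
    return None


def backup_target_is_encrypted(lsblk_json: str, mountpoint: str) -> bool:
    """True only if the filesystem at mountpoint sits on top of a dm-crypt ('crypt') layer."""
    tree = json.loads(lsblk_json)["blockdevices"]
    chain = _find_chain(tree, mountpoint, [])
    if chain is None:
        raise ValueError(f"{mountpoint} is not a mounted block device")
    return "crypt" in chain


def guard_backup(lsblk_json: str, mountpoint: str) -> str:
    """Refuse to proceed unless encryption is verifiably active; never assume it is switched on."""
    if not backup_target_is_encrypted(lsblk_json, mountpoint):
        raise RuntimeError(f"refusing to write backup: {mountpoint} is not an encrypted volume")
    return f"ok: {mountpoint} is backed by an encrypted mapping"


if __name__ == "__main__":
    print(guard_backup(LSBLK_ENCRYPTED, "/mnt/backup"))
    try:
        guard_backup(LSBLK_PLAIN, "/mnt/backup")
    except RuntimeError as err:
        print(err)
```

On a live host, replace the constructed strings with the output of `subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"], capture_output=True, text=True).stdout`; a self-encrypting drive whose hardware encryption is managed outside the kernel will not appear as a `crypt` node, so it needs its own vendor-specific check.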

This failure stemmed directly from an earlier data protection incident on the part of the prison service. The new, encrypted hard drives were originally introduced in response to an earlier incident in which the prison service lost data relating to around 16,000 prison inmates throughout the country.

The ICO’s head of enforcement, Stephen Eckersley, said: “The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it, beggars belief.”

Following the ruling, the ICO published a blog post clarifying the importance of encryption to data protection.