August 26, 2014

Ministry of Justice hit with £180k ICO fine

Loss of hard drive and failure to enforce new data encryption rules “beggars belief”.

By Vinod

The Ministry of Justice has been slapped with a severe fine following news that it misplaced a hard drive containing the details of up to 3,000 prisoners and members of the public.

The department was fined £180,000 by the Information Commissioner’s Office (ICO) after it found "serious failings" in how the body instructed its staff to handle and protect confidential data.

This included the loss of a hard drive containing details on 2,935 prisoners at Erlestoke prison in Wiltshire in 2013.

The data included material on organised crime, prisoners’ health and drug misuse, as well as details on inmates’ victims and visitors.

"We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it," said the ICO’s head of enforcement, Stephen Eckersley.

The lost information was stored on a hard drive that was not encrypted, despite the body bringing in new rules to ensure this following a similar loss in 2011, the ICO heard.

Details of 16,000 prisoners were lost on an unprotected hard drive in 2011, leading the Ministry of Justice to bring in new back-up hard drives that could be encrypted for the Prison Service.

However, the government body apparently failed to explain to employees that the encryption option had to be switched on manually.

"The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it, beggars belief," Eckersley added.

"The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year."

The ICO revealed earlier this year that just one out of 17 UK police forces achieved high data protection ratings when measured against the 1998 Data Protection Report, raising questions surrounding their handling of confidential data.

The news was welcomed by the security industry, where many observers had been calling for a better understanding of security from non-security professionals for many years.

"The time has come to accept that getting everyone in a huge organisation to behave in a secure manner is impossible, and we need to start building systems that are secure by default," said Graeme Stewart, director of public sector strategy and relations at security firm McAfee.

"This is the job of the IT and security department and ultimately the responsibility of management to ensure suitably skilled people have oversight of their data to implement such systems. We can’t keep shifting blame to the user, non-security staff shouldn’t even have access to unencrypted hard drives that they can lose."

