Ministry of Justice Fined for Breaches
Unencrypted Hard Drives Containing UK Prisoner Information Lost
The UK's Ministry of Justice has been hit with a £180,000 penalty from the Information Commissioner's Office following the loss of two unencrypted hard drives containing personal information on prisoners.
In October 2011, the ICO was alerted to the loss of a hard drive containing "intelligence information" relating to 16,000 prisoners serving time at HMP High Down prison in Surrey.
Following the incident, the Ministry of Justice in May 2012 provided new hard drives to all of the 75 prisons across England and Wales still using back-up hard drives, enabling information on them to be encrypted, the ICO says.
Yet, in May 2013, HMP Erlestoke prison in Wiltshire lost an unencrypted back-up hard drive that contained information on more than 2,900 prisoners, such as details of links to organized crime, health information, history of drug misuse and details about victims and visitors, the ICO says.
An ICO investigation determined that the Ministry of Justice didn't realize that the encryption option on the new hard drives provided in May 2012 needed to be turned on to work correctly. "The result was that highly sensitive information was insecurely handled by prisons across England and Wales for over a year, leading to the latest loss at HMP Erlestoke," the ICO says. "If the hard drives in both of these cases had been encrypted, the information would have remained secure despite their loss."
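The failure the ICO describes is that the drives could encrypt but nobody confirmed the feature was actually active before sensitive data was written to them. The check below is an added example, not code from the ICO or the Ministry of Justice, and it assumes a Linux backup target protected with LUKS (the article does not say which encryption product the prisons used); it reads the first bytes of the target and refuses to run a backup unless a valid LUKS header is present, so "encryption is available but switched off" fails loudly instead of silently.

```python
import struct

# On-disk LUKS header: 6 magic bytes "LUKS\xba\xbe", then a big-endian
# 16-bit format version (1 for LUKS1, 2 for LUKS2) at offset 6.
LUKS_MAGIC = b"LUKS\xba\xbe"
SUPPORTED_VERSIONS = {1, 2}


def luks_version(header: bytes):
    """Return the LUKS format version if `header` starts with a LUKS header, else None."""
    if len(header) < 8 or header[:6] != LUKS_MAGIC:
        return None
    (version,) = struct.unpack(">H", header[6:8])
    return version if version in SUPPORTED_VERSIONS else None


def backup_target_is_encrypted(header: bytes) -> bool:
    """True only when the target carries a recognised LUKS header."""
    return luks_version(header) is not None


def run_backup(header: bytes, write_backup) -> str:
    """Gate the backup job on the encryption check.

    `write_backup` is a hypothetical callable that performs the actual copy;
    it is never invoked for an unencrypted target.
    """
    if not backup_target_is_encrypted(header):
        raise RuntimeError("backup target is not encrypted: refusing to write prisoner data")
    write_backup()
    return "backup written to LUKS%d volume" % luks_version(header)


def check_device(path: str) -> bool:
    """Read the header straight from a block device or disk image and check it."""
    with open(path, "rb") as dev:
        return backup_target_is_encrypted(dev.read(8))


# Constructed sample headers for offline use (not captured from real drives).
# LUKS1: magic, version 1, then the 32-byte cipher-name field padded with NULs.
ENCRYPTED_LUKS1 = LUKS_MAGIC + b"\x00\x01" + b"aes".ljust(32, b"\x00")
# LUKS2: same magic, version 2.
ENCRYPTED_LUKS2 = LUKS_MAGIC + b"\x00\x02" + b"\x00" * 32
# A plain FAT-style boot sector: what a drive looks like when encryption was never enabled.
PLAIN_DRIVE = b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 30


if __name__ == "__main__":
    for name, hdr in [("luks1", ENCRYPTED_LUKS1), ("luks2", ENCRYPTED_LUKS2), ("plain", PLAIN_DRIVE)]:
        try:
            print(name, run_backup(hdr, lambda: None))
        except RuntimeError as err:
            print(name, "BLOCKED:", err)
```

Pointing `check_device` at the raw device (for example `/dev/sdb`) rather than a mounted filesystem is what makes the check meaningful: a drive whose vendor tool was never switched on presents an ordinary partition table, and the job stops there.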
The Ministry of Justice has taken action to ensure all the hard drives are encrypted, the ICO says.
The ICO has the power to issue fines of up to £500,000 ($830,000) for data protection law violations. "We can issue penalties for the first offense," an ICO spokesman tells Information Security Media Group.
Penalties are determined on a case-by-case basis, meaning that the hit for losing an unencrypted hard drive containing protected data won't always be as high as the £180,000 fine slapped on the Ministry of Justice.
"The penalty is necessarily for the incident itself - if a different organization had lost a hard drive, it wouldn't have necessarily gotten the same penalty, or any penalty," the spokesman says. "The reason this one prompted such a high penalty was because the organization had previously already had this issue with a hard drive, and then they managed to [mess] it up again the second time around - because they didn't put the right policies and procedures in place."
(Managing editor-Europe Mathew Schwartz contributed to this report.)