The Information Commissioner’s Office (ICO) has fined the Ministry of Justice (MoJ) £140,000 for a serious data breach that led to sensitive details of all the prisoners at one prison being emailed to three inmates’ families multiple times.
The breach, affecting all 1,182 inmates at HMP Cardiff, was only discovered when one of the recipients contacted the prison on 2 August 2011 to report that they had received an email from the prison clerk about an upcoming visit, which included a file containing the confidential information.
The file included a spreadsheet with information such as the names, ethnicity, addresses, sentence length, release dates and coded details of the offences carried out by the inmates.
But it was not the first time the data breach had occurred. An internal investigation revealed that the details had been sent to different inmates’ families on two occasions in the previous month. However, these incidents were not reported at the time.
The data breaches were reported to the ICO on 8 September 2011, and an investigation identified a number of failings at HMP Cardiff.
The ICO found that there was a lack of management oversight at the prison, with the clerk working unsupervised despite only having worked at the prison for two months and having limited experience and training. There was also a lack of audit trails, which meant that the data breaches would have gone unnoticed had a recipient not reported them.
Furthermore, the prison regularly used unencrypted floppy disks to transfer large volumes of data between the prison’s two separate networks.
ICO deputy commissioner and director of data protection, David Smith, said: “The potential damage and distress that could have been caused by this serious data breach is obvious. Disclosing this information not only had the potential to put the prisoners at risk, but also risked the welfare of their families through the release of their home addresses.”
Since the breaches, a member of the prison’s staff went with police to the email recipients’ homes and checks were made to ensure that the files had been deleted. The unauthorised disclosures were reported to the ICO on 8 September 2011.
“Fortunately it appears that the fallout from this breach was contained, but we cannot ignore the fact that this breach was caused by a clear lack of management oversight of a relatively new member of staff. Furthermore, the prison service failed to have procedures in place to spot the original mistakes,” said Smith.
“It is only due to the honesty of a member of the public that the disclosures were uncovered as early as they were and that it was still possible to contain the breach.”