Data protection watchdog the Information Commissioner’s Office (ICO) has levied yet another big financial penalty on a government department - this time fining the justice ministry £180,000 ($298,000) for exposing personal information on nearly 3,000 prisoners.
The incident relates to the loss of a back-up hard drive at HMP Erlestoke prison in Wiltshire in May.
That unencrypted hard drive contained “sensitive and confidential information” on 2,935 inmates including “details of links to organized crime, health information, history of drug misuse and material about victims and visitors.”
The ICO said this wasn’t the first time something similar has happened: in 2011 the watchdog was informed that an unencrypted hard drive containing information on 16,000 inmates at HMP High Down prison in Surrey was lost.
Following that incident, in 2012 hard drives in all 75 prisons across the country were replaced with devices capable of encryption, however, the prison service apparently didn’t realize that encryption functionality had to be switched on to work.
This led to the breach at HMP Erlestoke, the ICO said.
ICO head of enforcement argued in a strongly worded statement that the watchdog expects government departments to provide a best practice example when it comes to looking after people’s information.
“The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief,” he added.
“The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year. This failure to provide clear oversight was only addressed when a further serious breach occurred and the devices were finally setup correctly.”
Chris McIntosh, CEO of secure communications firm ViaSatUK, welcomed the large fine.
“Data protection should no longer be a mystery to organisations for individuals and the fact that employees didn’t realise they needed to turn on encryption shows the need for employees to be educated and best practice followed in order for any investment in security to deliver value,” he argued.
“It's clear from this and a myriad of other cases that the message simply isn't getting through: whether large organisations or single workers it seems that the threat of fines and other recriminations still doesn't dissuade these actions and fines themselves are left as the only deterrent with any impact.”
McAfee’s director of public sector strategy, Graeme Stewart, added that the incident shows education of non-security professionals is clearly failing and that systems need to be designed “secure by default”.
“This is the job of the IT and security department and ultimately the responsibility of management to ensure suitably skilled people have oversight of their data to implement such systems,” he added.
“We can’t keep shifting blame to the user, non-security staff shouldn’t even have access to unencrypted hard drives that they can lose.”