Skip to main content

Ministry of Justice fined £180,000 over loss of unencrypted prison data

The Ministry of Justice has been fined £180,000 for the "serious failings" that led to the loss of confidential data.

According to the Information Commissioner's Office (ICO), the penalty was enforced after the loss of a hard drive containing information on nearly 3,000 prisoners at Erlestoke prison in Wiltshire.

Read more: Data recovery and erasure: What are the risks, and what do you need to look out for?

Perhaps more worrying, the disk had no form of encryption, meaning that the data could be accessed by whoever found the hard drive.

The data loss occurred in 2013 and, according to the BBC, included information on organised crime, prisoners' health and drug misuse and information regarding inmates' victims and visitors.

Following a similar data loss incident two years previously, the Ministry of Justice equipped the Prison Service with back-up hard drives that could be encrypted. However, staff were apparently unaware that the encryption had to be switched on manually.

The ICO head of enforcement, Stephen Eckersley, said, "The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it, beggars belief.

"The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year."

Read more: Government reveals new controversial data sharing plans

Eckersley added that he hoped the fine would send a clear message to the Ministry, particularly given the two high-profile data losses experienced in recent years.