The Ministry of Justice has been ordered to pay a civil penalty of £180,000 for failing to tell prisons to turn on the encryption function on backup computer memories. The penalty, announced by the Information Commissioner's Office (ICO) today, is one of the highest imposed on a government department.
According to an ICO statement, the ministry’s ‘serious failings’ led to data being insecurely handled by 75 prisons across England and Wales for almost a year. It arose in May 2012 when the prison service provided new hard drives to prisons after details of 16,000 prisoners were lost. However, according to the ICO, an investigation ‘found that the prison service didn’t realise that the encryption option on the new hard drives needed to be turned on to work correctly’.
The result was that highly sensitive information was insecurely handled by prisons for over a year. In May 2013, a back-up hard drive containing unencrypted information about 2,935 prisoners, including links to organised crime, was lost.
The ICO’s head of enforcement, Stephen Eckersley, said: ‘The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it, beggars belief.’
The ministry has now taken action to ensure all hard drives being used by prisons are securely encrypted, the ICO said.