Ministry of Justice

Breach details

What An unencrypted, non-password protected, portable hard drive stored in a prison’s Security Department and used to back up the prisoner intelligence database, was lost. This followed a virtually identical breach in 2011.
How much 16,000 records and 2,935 records.
When October 2011 and 24 May 2013.
Why The hard drive had last been used on 18 May 2013 for the weekly back up, but had not been locked up afterwards in a fireproof safe, as required. Following the previous breach in 2011 remedial action had been taken including the distribution of encrypted hard drives to 75 prisons that had previously been using unencrypted portable hard drives. However it was not realised that the encryption software on these new drives required manual activation. As a result prisoner intelligence information was being held on portable unencrypted devices in 75 prisons for a period of at least 12 months.

Regulatory action

Regulator ICO
Action Monetary penalty of £180,000
When 26 August 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: The Ministry failed to take appropriate technical measures against unauthorised processing and accidental loss of confidential and sensitive personal data, such as taking steps to ensure that the portable hard drives that were used to back up the prisoner intelligence database in 75 prisons had actually been encrypted.
Known or should have known The Ministry was aware that prisons across the entire estate were backing up this information on a weekly basis pending the implementation of a new intelligence system. As a result of a virtually identical security breach in October 2011, the data controller was also aware that the portable hard drives used to back up this intelligence information in 75 prisons were unencrypted. As it was routine to handle sensitive personal data relating to prisoners it should have been obvious that such a contravention would be of a kind likely to cause substantial damage and/or substantial distress to the data subjects
Likely to cause damage or distress This scale of the breach posed a significant risk of causing serious detriment to thousands of prisoners in England and Wales. The data subjects would be likely to suffer from substantial distress knowing that their confidential and sensitive personal data may be accessed by unauthorised third parties, aggravated by the fact that the hard drive has still not been recovered. If the data has in fact been accessed by untrustworthy third parties then it is likely that the contravention would cause further distress and substantial damage.