|Breach of act
||Breach of the Seventh Data Protection Principle: there should have been a more secure method of carrying out routine transfers of high volumes of personal data. More effective training and supervision should also have been provided, along with clear written procedures for the data transfers.
The monetary penalty notice has been imposed to promote compliance with the Act and standardisation across the prison service to prevent similar incidents occurring elsewhere.
|Known or should have known
||As the Ministry of Justice routinely handles sensitive personal information and carries out high volume daily data transfers it should have been obvious that a breach could result in substantial distress and that there was a potential for human error in the absence of technical measures, written guidelines and appropriate training.
|Likely to cause damage or distress
||The coded offences were deemed by the Commissioner to be particularly likely to cause damage or disress as almost all of the coded offences are easily recognisable. Fortunately the emails were only sent to one person on each occasion but had the data got into the wrong hands, such as an inmate’s rival, it would have raised the level of distress. The Prison decided not to disclose the breach to the prisoners as those at risk of self-harm might have suffered additional anxiety, confirming that some prisoners would suffer greater distress than others.