Ministry of Justice

Breach details

What An unencrypted, non-password protected, portable hard drive stored in a prison’s Security Department and used to back up the prisoner intelligence database, was lost. This followed a virtually identical breach in 2011.
How much 16,000 records and 2,935 records.
When October 2011 and 24 May 2013.
Why The hard drive had last been used on 18 May 2013 for the weekly back up, but had not been locked up afterwards in a fireproof safe, as required. Following the previous breach in 2011 remedial action had been taken including the distribution of encrypted hard drives to 75 prisons that had previously been using unencrypted portable hard drives. However it was not realised that the encryption software on these new drives required manual activation. As a result prisoner intelligence information was being held on portable unencrypted devices in 75 prisons for a period of at least 12 months.

Regulatory action

Regulator ICO
Action Monetary penalty of £180,000
When 26 August 2014.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: The Ministry failed to take appropriate technical measures against unauthorised processing and accidental loss of confidential and sensitive personal data, such as taking steps to ensure that the portable hard drives that were used to back up the prisoner intelligence database in 75 prisons had actually been encrypted.
Known or should have known The Ministry was aware that prisons across the entire estate were backing up this information on a weekly basis pending the implementation of a new intelligence system. As a result of a virtually identical security breach in October 2011, the data controller was also aware that the portable hard drives used to back up this intelligence information in 75 prisons were unencrypted. As it was routine to handle sensitive personal data relating to prisoners it should have been obvious that such a contravention would be of a kind likely to cause substantial damage and/or substantial distress to the data subjects
Likely to cause damage or distress This scale of the breach posed a significant risk of causing serious detriment to thousands of prisoners in England and Wales. The data subjects would be likely to suffer from substantial distress knowing that their confidential and sensitive personal data may be accessed by unauthorised third parties, aggravated by the fact that the hard drive has still not been recovered. If the data has in fact been accessed by untrustworthy third parties then it is likely that the contravention would cause further distress and substantial damage.

Treasury Solicitor’s Department

Breach details

What Disclosure of personal data.
How much 4 records.
When 06 February 2012, 24 August 2012, 30 August 2012 and 3 January 2013.
Why Three of these breaches involved case files containing un-redacted third party personal information to a claimant’s solicitor and the claimant themself. The fourth breach involved the sending of a case of papers relating to an unfair dismissal claim to an individual, although the papers contained personal information relating to another individual’s claim. All four of these breaches were self-reported. The Solicitor’s Department have some measures in place to safeguard personal data but there are gaps which are preventing further compliance.

Regulatory action

Regulator ICO
Action Undertaking to comply with the seventh data protection principle.
When 26 February 2014.
Details The Solicitor’s Department is to implement a clear, documented procedure for the preparation of information for disclosure within six months, as well as creating a structured, formal procedure concerning communication requirements between Junior and Senior lawyers carrying out the disclosure process. Mandatory training about the requirements of the Act is also to be given to all staff.

Department of Justice Northern Ireland

Breach details

What A locked filing cabinet containing sensitive personal data relating to claims arising from terrorist incidents in Northern Ireland was sold at auction.
How much Not specified – four-drawer filing cabinet.
When 12 May 2012
Why In the course of an office move the filing cabinet was sent to auction for disposal. Despite it being locked (and the weight of the cabinet must have indicated that it wasn’t empty) the Data Controller simply ignored the fact that there may have been personal data in the filing cabinet and set it to auction. When the purchaser of the cabinet forced the lock they realised the sensitivity of the information and called the police to take the information away.

Regulatory action

Regulator ICO
Action Monetary penalty of £ 185,000.
When 14 Jan 2014.

Why the regulator acted

Breach of act Breach of the seventh data protection principle. The Commissioner argued that the Data Controller should have had “detailed procedures in place for the removal of cupboards, pedestals and filing cabinets etc. from one office location to another”.
Known or should have known Given the sensitive political nature of the contents of the cabinet, and the fact that the cabinet was kept locked, the Data Controller should have known that the unauthorised release of the information was likely to case “substantial distress”.
Likely to cause damage or distress The Commissioner states that substantial distress was not actually caused in this case, but argues that had the buyer of the cabinet not contacted the police to remove the data, substantial distress would have occurred.

Ministry of Justice

Breach details

What Emails containing sensitive personal data concerning prison inmates accidentally sent to members of the public. This information included coded offences, addresses, identifying physical characteristics and location within the prison.
How much Three emails containing the details of 1,182 prisoners.
When 04 July, 11 July and 01 August 2011.
Why Each day HMP Cardiff manually transfers prisoner details from their network system Quantum onto a biometrics database in order to facilitate visits and other prisoner movements. The data is copied and pasted through Windows Explorer and thus can remain on the clipboard of Quantum. On 01 August the prisoner details were accidentally attached to an email to a member of the public booking a visit to a family member in HMP Cardiff. The individual reported this incident the next day and it was only at this point that the previous two emails came to light as they had not been reported by their recipients or noticed by the prison. Each email was sent by the same recently appointed booking clerk. Shortly after the breach was reported each recipient confirmed in writing that the data had not been disseminated further and was fully deleted; physical access was allowed to confirm this for two of the recipients and the other had already double-deleted the message and attachment.

Regulatory action

Regulator ICO
Action Monetary penalty of £140,000.
When 15 October 2013.

Why the regulator acted

Breach of act Breach of the Seventh Data Protection Principle: there should have been a more secure method of carrying out routine transfers of high volumes of personal data. More effective training and supervision should also have been provided, along with clear written procedures for the data transfers.

The monetary penalty notice has been imposed to promote compliance with the Act and standardisation across the prison service to prevent similar incidents occurring elsewhere.

Known or should have known As the Ministry of Justice routinely handles sensitive personal information and carries out high volume daily data transfers it should have been obvious that a breach could result in substantial distress and that there was a potential for human error in the absence of technical measures, written guidelines and appropriate training.
Likely to cause damage or distress The coded offences were deemed by the Commissioner to be particularly likely to cause damage or disress as almost all of the coded offences are easily recognisable. Fortunately the emails were only sent to one person on each occasion but had the data got into the wrong hands, such as an inmate’s rival, it would have raised the level of distress. The Prison decided not to disclose the breach to the prisoners as those at risk of self-harm might have suffered additional anxiety, confirming that some prisoners would suffer greater distress than others.

Department of Education

Breach details

What Loss of personal information.
How much An unknown number of records.
When 28/29 June 2012
Why The Register reported that Email addresses, unencrypted passwords and individual’s answers to questions posed in a consultation were accesable due to a security flaw in the Department for Education’s website.

BW Comments

Judging by the description in The Register the vulnerability looked like a session management problem. Something that should have been caught be the most rudimentary penetration test.

Regulatory action

Regulator ICO
Action None taken. The Register reported that it had got in touch with the ICO which, while acknowledging that the Department had breached the seventh principle, stated “As the personal information compromised was not sensitive and any distress caused is likely to have been minimal, we have decided that no further enforcement action is required at this time.”

BW Observations

Just because an organisation breaks the DPA the ICO isn’t bound to take action, however BW would have expected the ICO to have sought an undertaking from the Department that it would properly test any web site that collected personal data.

The Scottish Children’s Reporter Administration

What

Loss of sensitive personal data.

How much

10 records.

Why

An email containing sensitive information was sent to an unknown 3rd party and nine case files were temporarily lost during a move.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that staff are made aware that they may not send data to personal email accounts.

Reason for action

Information was emailed despite a policy being in place that stated this could only be done if sent to an equally secure recipient. A filing cabinet was not checked for case files during a move.

When

02 September 2011.

Links

View PDF of the Scottish Children’s Reporter Administration Undertaking (Via ICO Website)

View PDF of the Scottish Children’s Reporter Administration Undertaking (Breach Watch Archive)

Identity and Password Service

What

Loss of sensitive personal information.

How much

21 records.

Why

21 password renewal applications were lost from a particular passport office.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that reasonable steps are taken to ensure the security of data while it is processed.

Reason for action

All those effected were notified and received new passwords without complaint, however the incident demonstrated insufficiently secure processing of personal data

When

21 February 2011.

Links

View PDF of the Isle of Identity and Password Service Undertaking (Via ICO Website)

View PDF of the Isle of Identity and Password Service Undertaking (Breach Watch Archive)

Independent Parliamentary Standards Authority (IPSA)

What

Potential loss of personal data.

How much

332 records.

Why

An internal database was left insecure for a period of about 21 hours following IT maintenance.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that appropriate changes are made to the records system to prevent any future errors.

Reason for action

A mistake made during IT maintenance made personal records visible to all MPs and their nominated staff who had access to the internal system.

When

12 November 2010

Links

View PDF of the Independent Parliamentary Standards Authority (IPSA) Undertaking (Via ICO Website)

View PDF of the Independent Parliamentary Standards Authority (IPSA) Undertaking (Breach Watch Archive)

Lord Chief Justice of Northern Ireland

What

Inappropriate disclosure of personal information.

How much

One record.

Why

A document containing an individual’s name and address was inadvertently attached to an email and sent to over three hundred individuals.

Regulator

ICO

Regulatory action

Undertaking issued to ensure that all staff are made aware of and are appropriately trained in procedures for distributing emails and adequate checks are carried out.

Reason for action

Although staff had received advice and training on data protection issues in general there was no written guidance or instructions on how to deal with this type of work.

When

19 October 2010

Links

View PDF of the Lord Chief Justice of Northern Ireland Undertaking (Via ICO Website)

View PDF of the Lord Chief Justice of Northern Ireland Undertaking (Breach Watch Archive)

Department of Finance and Personnel

What
Loss of sensitive personal data.

How much
37,000 records.

Why
12 password protected laptops were stolen, two of which contained significant personal data.

Regulator
ICO

Regulatory action
Undertaking issued to ensure that portable media devices and laptops containing personal data are suitably encrypted. Physical security measures must be adequate to prevent unauthorised access to personal data. Staff must be made aware of and trained to follow the data controller’s policy for the storage or use of personal data.

Reason for action
The laptops were unencrypted, although they were physically secure.

When
30 November 2009

Links
View PDF of the Department of the Finance and Personnel Undertaking (Breach Watch Archive)