An inexperienced clerk sent out emails containing sensitive information

Oct 22, 2013 08:31 GMT

The United Kingdom’s Information Commissioner’s Office (ICO) has fined the Ministry of Justice £140,000 ($225,778 / €165,147) for exposing the details of the 1,182 inmates serving time at HMP Cardiff.

The incidents occurred in the summer of 2011 when a spreadsheet containing sensitive information was attached to an email sent to inmates' families. The file contained names, ethnicity, addresses, sentence lengths, release dates, and coded details of offences.

Such errors occurred on three different occasions. The breach was discovered in early August when one email recipient alerted the prison. The ICO was notified on September 8, 2011.

A member of the prison staff and the police visited the recipients to make sure they had deleted the files.

The ICO’s investigation has brought to light several issues in the way the prison handled sensitive information. Apparently, the emails were sent out by a clerk who was left to work unsupervised despite having limited experience and training.

In addition, the agency found that prisoner records were transferred between the prison’s two networks on unencrypted floppy disks.

“The potential damage and distress that could have been caused by this serious data breach is obvious. Disclosing this information not only had the potential to put the prisoners at risk, but also risked the welfare of their families through the release of their home addresses,” said ICO Deputy Commissioner and Director of Data Protection David Smith.

“Fortunately it appears that the fall-out from this breach was contained, but we cannot ignore the fact that this breach was caused by a clear lack of management oversight of a relatively new member of staff. Furthermore the prison service failed to have procedures in place to spot the original mistakes,” Smith added.

“It is only due to the honesty of a member of the public that the disclosures were uncovered as early as they were and that it was still possible to contain the breach.”