Information on about 3,000 inmates exposed by the incident

Aug 26, 2014 15:57 GMT

The Ministry of Justice in the UK has received a £180,000 ($298,500 / €226,000) penalty over the 2013 loss of an unencrypted hard drive that contained confidential information on organized crime connected to 2,935 convicts at the Erlestoke prison in Wiltshire.

The Information Commissioner’s Office (ICO) made this decision as a result of similar incidents occurring in the past, one example being the loss of an unencrypted data storage unit containing details of 16,000 prisoners from HMP High Down prison in Surrey.

In the most recent case, the details exposed included sensitive and confidential details about organized crime, as well as health information, history of drug misuse, and material about victims and visitors.

It appears that the risk of exposure stems from the fact that the data was not encrypted, although encryption is a standard security measure for storage hardware in the UK prison system.

This was not due to laziness, but to a lack of technical knowledge, as “the ICO’s investigation into the latest incident found that the prison service didn’t realise that the encryption option on the new hard drives needed to be turned on to work correctly,” says the communication from the UK’s privacy watchdog.

The sensitive details were handled this way for more than a year in prisons across England and Wales. Encrypting the information on the storage units would guarantee that no details are exposed to unauthorized individuals; in many cases, the data they store is much more important than the device itself.

“If the hard drives in both of these cases had been encrypted, the information would have remained secure despite their loss,” said the release.

Regarding the incident, ICO head of enforcement Stephen Eckersley said, “The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it.”

“The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year. This failure to provide clear oversight was only addressed when a further serious breach occurred and the devices were finally set up correctly,” he added.

The monetary penalty served to the Ministry of Justice has to be paid by September 22, 2014, and will flow into the Consolidated Fund, which is the Government’s general bank account at the Bank of England.

The ministry can pay 20% less, £144,000 ($239,000 / €181,000), if the money is delivered by September 19.