Ministry of Justice fined £140k after serious data breach at prison

The breach came to light when one of the recipients of the information contacted HMP Cardiff on 2 August 2011 after having received a file containing information on all 1,182 inmates at the prison.

The information – stored in a ‘comma separated values’ format – included names, ethnicity, details of physical marks including tattoos, addresses, sentence length, release dates and coded details of the offences committed.

In many cases the codes would have been comprehensible without reference to the code system. Six of the prisoners had sex offence information recorded against them.

An internal investigation found that there had been two previous instances of the same error on 4 and 11 July 2011, where the prisoner details had been sent to a separate individual on each occasion. On those occasions the recipients had not contacted or the prison, the National Offender Management Service (the relevant executive agency of the ministry) or the MoJ.

According to the ICO’s monetary penalty notice, the investigation revealed that a recently appointed booking clerk at HMP Cardiff had been arranging visits to prisoners.

A request for a booking had been made by a family member of an inmate. The clerk had intended to send him an email about the visit. In doing so, she accidentally ‘pasted’ a text file containing the details of the inmates. The same clerk had been responsible for the two previous incidents.

After the breaches were discovered, the police and a member of the prison’s staff visited the recipients’ home addresses. Each recipient confirmed in writing that the email message they had received had not been disseminated further and that it had been fully deleted.

The unauthorised disclosures were reported to the ICO on 8 September 2011.

The ICO blamed an absence of management oversight at the prison, with the clerk working unsupervised despite only having worked at the prison for two months and having limited experience and training.

The watchdog said a lack of audit trails also meant that the disclosures would have gone unnoticed if they had not been reported by one of the recipients.

Problems were also identified with the manner in which prisoners’ records were handled, the ICO reported, with unencrypted floppy disks regularly used to transfer large volumes of data between the prison’s two separate networks – Quantum, a secure accredited network system used for prisoner data, and a separate non-networked system used for booking and processing visits.

At the time of the incidents there was no formal written guidance in place to detail how the data transfer process should have operated.

The data controller claimed that the constraints of the IT system meant it was necessary for all prisoner data to be transferred on a daily basis.

It was also argued that most of the information revealed was, by virtue of the judicial process, already in the public domain, for example via court records or voter lists.

But the ICO said: “It would be necessary for someone to access these records proactively to compile a data set of this type. Data relating to prisoners’ physical descriptions, wing location in the prison and anticipated release date would not be in the public domain.”

David Smith, ICO Deputy Commissioner and Director of Data Protection, said: “The potential damage and distress that could have been caused by this serious data breach is obvious. Disclosing this information not only had the potential to put the prisoners at risk, but also risked the welfare of their families through the release of their home addresses. 

“Fortunately it appears that the fall-out from this breach was contained, but we cannot ignore the fact that this breach was caused by a clear lack of management oversight of a relatively new member of staff. Furthermore the prison service failed to have procedures in place to spot the original mistakes.”

Smith added: “It is only due to the honesty of a member of the public that the disclosures were uncovered as early as they were and that it was still possible to contain the breach.”