Loss of hard drive and failure to enforce new data encryption rules “beggars belief”.
The Ministry of Justice has been slapped with a severe fine following news that it misplaced a hard drive containing the details of up to 3,000 prisoners and members of the public.
The department was fined £180,000 by the Information Commissioner’s Office (ICO) after it found "serious failings" in how the body instructed its staff to handle and protect confidential data.
This included the loss of a hard drive containing details on 2,935 prisoners at Erlestoke prison in Wiltshire in 2013.
The data included material on organised crime, prisoners’ health and drug misuse, as well as details on inmates’ victims and visitors.
"We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it," said the ICO’s head of enforcement, Stephen Eckersley.
The lost information was stored on a hard drive that was not encrypted, despite the body bringing in new rules to ensure this following a similar loss in 2011, the ICO found.
Details of 16,000 prisoners were lost on an unprotected hard drive in 2011, leading the Ministry of Justice to bring in new back-up hard drives that could be encrypted for the Prison Service.
However, the government body apparently failed to explain to employees that the encryption option had to be switched on manually.
"The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it, beggars belief," Eckersley added.
"The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year."
The ICO revealed earlier this year that just one out of 17 UK police forces achieved a high data protection rating when audited against the Data Protection Act 1998, raising questions about their handling of confidential data.
The news was welcomed by the security industry, where many observers had been calling for a better understanding of security from non-security professionals for many years.
"The time has come to accept that getting everyone in a huge organisation to behave in a secure manner is impossible, and we need to start building systems that are secure by default," said Graeme Stewart, director of public sector strategy and relations at security firm McAfee.
"This is the job of the IT and security department and ultimately the responsibility of management to ensure suitably skilled people have oversight of their data to implement such systems. We can’t keep shifting blame to the user; non-security staff shouldn’t even have access to unencrypted hard drives that they can lose."
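The failure the ICO describes is that encryption on the replacement drives was opt-in, so a backup written by someone who did not know about the switch landed on a plain disk. One way to make the safe state the default, as an added example that is not part of the article and not the Ministry of Justice's or the Prison Service's own tooling: a backup job that refuses to write unless the destination filesystem sits on top of a dm-crypt/LUKS mapping. It assumes a Linux host where `lsblk -J` reports the block-device tree (the equivalent check on Windows would query BitLocker status instead); the `lsblk` output embedded below is constructed for the demo, with one LUKS-backed backup volume and one plain USB stick.

```python
import json
import os
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output, not captured
# from any real system: sdb carries a LUKS-backed backup volume, sdc is a plain USB drive.
SAMPLE_LSBLK = json.loads("""
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/"}
    ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
        {"name": "luks-backup", "type": "crypt", "fstype": "ext4", "mountpoint": "/mnt/backup"}
      ]}
    ]},
    {"name": "sdc", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sdc1", "type": "part", "fstype": "vfat", "mountpoint": "/mnt/usb"}
    ]}
  ]
}
""")


def _walk(node, ancestors, out):
    """Record each mountpoint with the chain of device types (disk, part, crypt, ...) above it."""
    chain = ancestors + [node.get("type")]
    # Older lsblk emits a single "mountpoint"; newer releases emit a "mountpoints" list.
    mounts = node.get("mountpoints") or ([node["mountpoint"]] if node.get("mountpoint") else [])
    for mp in mounts:
        if mp:
            out[mp] = chain
    for child in node.get("children", []):
        _walk(child, chain, out)


def mount_chains(lsblk_tree):
    """Map every mountpoint to the device-type chain from the physical disk down to it."""
    out = {}
    for dev in lsblk_tree["blockdevices"]:
        _walk(dev, [], out)
    return out


def mountpoint_for(path, chains):
    """Return the longest mountpoint that contains `path` (None if nothing matches)."""
    path = os.path.normpath(path)
    best = None
    for mp in chains:
        prefix = mp if mp.endswith("/") else mp + "/"
        if path == mp or path.startswith(prefix):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def live_lsblk():
    """Query the running Linux system; the demo below uses SAMPLE_LSBLK instead."""
    raw = subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"])
    return json.loads(raw)


def is_encrypted_target(path, lsblk_tree=None):
    """True only if the filesystem holding `path` is layered on a dm-crypt ("crypt") device."""
    tree = lsblk_tree if lsblk_tree is not None else live_lsblk()
    chains = mount_chains(tree)
    mp = mountpoint_for(path, chains)
    return mp is not None and "crypt" in chains[mp]


def guard_backup(dest, lsblk_tree=None):
    """Fail closed: the job only proceeds when the destination is provably encrypted."""
    if not is_encrypted_target(dest, lsblk_tree):
        raise PermissionError(f"refusing to write to {dest}: not on an encrypted volume")
    return dest


if __name__ == "__main__":
    for target in ("/mnt/backup/prisoners.tar", "/mnt/usb/prisoners.tar"):
        try:
            print("OK     ", guard_backup(target, SAMPLE_LSBLK))
        except PermissionError as exc:
            print("BLOCKED", exc)
```

The point of the design is that nobody has to remember to "switch encryption on": the copy step itself checks the device chain and stops when the plain USB stick is the destination, so the 2011-style loss cannot recur through a forgotten option. Run with `live_lsblk()` (drop the `lsblk_tree` argument) on a real host; the check inspects only the block layer, so a drive encrypted some other way (for example with hardware self-encryption that does not appear as a `crypt` device) would need its own test added here.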