The Ministry of Justice has been fined £140,000 after the details of all prisoners serving at HMP Cardiff were emailed to three of the inmates’ families.
The breach was discovered when one of the recipients contacted the prison on 2nd August 2011 to report that they had received an email from the prison clerk about an upcoming visit, which included a file containing the inmates’ details. The file included a spreadsheet containing sensitive information including the names, ethnicity, addresses, sentence length, release dates and coded details of the offences carried out by all of the prison’s 1,182 inmates.
An initial investigation found two previous instances of the same error, on 4th and 11th July 2011. On those occasions the recipients of the emails had not contacted the data controller or the prison, and prior to notification on 2nd August the data controller had not been aware that the unauthorised disclosures had taken place.
The ICO undertaking found that the incident occurred when a booking clerk at the prison was arranging visits to prisoners. A request for a booking had been made by a family member of an inmate and the clerk had intended to send him an email about the visit but accidentally attached the text file. The two prior incidents had occurred as a result of the same mistake, by the same clerk.
Prisoner data is stored on a database which is held on a network system called “Quantum”. It is a secure accredited network system meeting HM Government IT standards for handling information up to a “RESTRICTED” marking, and access to it is strictly controlled. At the time of the incidents, there was no formal written guidance in place to detail how the data transfer process should have operated.
Since this incident occurred, the existing training and on-going support have been enhanced by monthly checks to ensure there is an appropriate audit trail in place, and the data transfer procedure has been modified from use of a floppy disc to an encrypted memory stick.
The unauthorised disclosures were reported to the ICO on 8 September 2011. ICO deputy commissioner and director of data protection, David Smith, said: “The potential damage and distress that could have been caused by this serious data breach is obvious. Disclosing this information not only had the potential to put the prisoners at risk, but also risked the welfare of their families through the release of their home addresses.
“Fortunately it appears that the fall-out from this breach was contained, but we cannot ignore the fact that this breach was caused by a clear lack of management oversight of a relatively new member of staff. Furthermore the prison service failed to have procedures in place to spot the original mistakes.
“It is only due to the honesty of a member of the public that the disclosures were uncovered as early as they were and that it was still possible to contain the breach.”
Today’s penalty was imposed on the Ministry of Justice as the National Offender Management Service, which is responsible for commissioning and delivering prison and probation services across England and Wales, is an executive agency of the department.