Maze prison records “sold at auction”.
The Northern Ireland prison service has been warned by the UK data protection regulator after a filing cabinet containing prisoner records was unwittingly sold at an auction. According to the Information Commissioner’s Office (ICO), this incident occurred in 2004 when the cabinet, which officials thought was empty, was sold at a public auction.
However it contained files about the closure of the prison, including the details of staff and a high profile prisoner. The Northern Ireland Office, which was responsible for prisons at that time, retrieved the information but failed to report the matter to the Information Commissioner’s Office (ICO).
The prison was notorious in the 1970s and 1980s for holding political prisoners of the Northern Ireland troubles, including republican hunger striker Bobby Sands.
ICO assistant commissioner for Northern Ireland, Ken Macdonald, said: “The loss of this information represents not only an embarrassing episode for the prison service in Northern Ireland, but a serious breach of the Data Protection Act that could have had damaging repercussions for the individuals affected.
“The incident went unreported for eight years and the same mistakes were allowed to occur. It is only now that we have seen a commitment from the Department of Justice Northern Ireland to tackle these problems and keep people’s information secure.”
Jonathan Armstrong, partner at Cordery, told IT Security Guru that he thought that they were “very fortunate” in that the buyer of the cabinet at auction behaved very responsibly, closed the cabinet and called the police once they worked out its contents.
“Other organisations may not be quite so lucky and it is easier to see how this could have been far worse if the cabinet had got into the wrong hands,” he said. “The fine is also lower because the information was contained so again there was a lot to thank the buyer for. In cases like this the ICO does take into account it’s the public purse (including the victim’s taxes) which pay the fine. Large companies in a similar situation cannot expect that leniency.”
In February, a civil monetary penalty of £185,000 was issued to the Department of Justice Northern Ireland (DoJ NI) after another filing cabinet, which contained personal information relating to victims of a terrorist incident, was also sold at an auction. The files included in the cabinet contained information about the injuries suffered, family details and the amount of compensation offered, as well as confidential ministerial advice.
This seems to be a light let off for the Northern Ireland prison service, as this is one of the most sensitive “sales” of data that the Information Commissioner has had to deal with. Yes there is the case that the ICO’s fining powers came into force many years after this incident, but surely there should be a case for powers being adapted for later cases. It has to be one rule for all, but in this case, the repercussions upon the affected are too terrifying to consider – Editor