The ICO reports that highly sensitive information was insecurely handled by prisons across England and Wales for over a year, leading to a data loss at HMP Erlestoke. The penalty follows the loss of a backup hard drive in May 2013.
According to the report, the hard drive contained information about 2,935 prisoners, including ‘details of links to organised crime, health information, history of drug misuse and material about victims and visitors.’ The hard drive was not encrypted, despite the fact that the prison service had provided new encrypted hard drives to all 75 prisons across England and Wales. The report stated that ‘the prison service didn’t realise that the encryption option on the new hard drives needed to be turned on to work correctly.’
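The failure described above is a configuration gap rather than a missing control: the encrypting drives were present, but encryption was never switched on, and nothing checked for that before backups were written. The script below is an added example (not from the ICO report or from any prison-service tooling) of the kind of pre-flight check that closes that gap on a Linux backup host. It assumes util-linux’s `lsblk` and dm-crypt/LUKS, parses `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME` output (one `KEY="value"` line per block device), and refuses a backup target unless the device mounted there sits on top of a `crypt` mapping. The `lsblk` output embedded in the block is constructed so the logic runs offline; the mount points and device names in it are hypothetical.

```python
"""
Pre-flight check: refuse to write a backup unless the target path is mounted
on an encrypted (dm-crypt) block device.

Added example, not from the ICO report. Assumes Linux, util-linux lsblk and
dm-crypt/LUKS. Parses `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME`,
whose output is one line of KEY="value" pairs per device; PKNAME is the
parent device, which lets us walk from the mounted filesystem up to the disk.
"""
import re
import subprocess

LSBLK_COLUMNS = "NAME,TYPE,FSTYPE,MOUNTPOINT,PKNAME"

# Constructed sample output. sdb1 is a LUKS container opened as the
# dm-crypt mapping "luks-backup" and mounted at /mnt/backup; sdc1 is a
# plain ext4 partition mounted at /mnt/backup-unenc, i.e. a drive whose
# encryption was never turned on.
SAMPLE_LSBLK = '''NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/" PKNAME="sda"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdb1" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT="" PKNAME="sdb"
NAME="luks-backup" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/mnt/backup" PKNAME="sdb1"
NAME="sdc" TYPE="disk" FSTYPE="" MOUNTPOINT="" PKNAME=""
NAME="sdc1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/mnt/backup-unenc" PKNAME="sdc"
'''

PAIR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_lsblk(text):
    """Turn `lsblk -P` output into {device name: {column: value}}."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(PAIR_RE.findall(line))
        devices[rec["NAME"]] = rec
    return devices


def is_encrypted_mount(devices, mountpoint):
    """True if the device mounted at `mountpoint` has a dm-crypt mapping
    (TYPE="crypt") anywhere in its parent chain, False for a plain partition
    or disk. Raises ValueError when nothing is mounted at `mountpoint`."""
    mounted = [d for d in devices.values() if d.get("MOUNTPOINT") == mountpoint]
    if not mounted:
        raise ValueError(f"nothing mounted at {mountpoint}")
    name = mounted[0]["NAME"]
    seen = set()  # guards against a malformed PKNAME cycle
    while name and name not in seen:
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            break
        if dev.get("TYPE") == "crypt":
            return True
        name = dev.get("PKNAME", "")
    return False


def backup_allowed(mountpoint, lsblk_text=None):
    """Gate for a backup job: True only when `mountpoint` is on an encrypted
    device. With lsblk_text=None the real lsblk is queried (Linux only)."""
    if lsblk_text is None:
        lsblk_text = subprocess.run(
            ["lsblk", "-P", "-o", LSBLK_COLUMNS],
            check=True, capture_output=True, text=True,
        ).stdout
    try:
        return is_encrypted_mount(parse_lsblk(lsblk_text), mountpoint)
    except ValueError:
        return False  # an unmounted target is not a safe backup target either


if __name__ == "__main__":
    for target in ("/mnt/backup", "/mnt/backup-unenc", "/mnt/not-mounted"):
        verdict = "encrypted, backup may proceed" if backup_allowed(target, SAMPLE_LSBLK) \
            else "REFUSED: not on an encrypted device"
        print(f"{target}: {verdict}")
```

Run before the backup job and abort on a `False` result; the check keys on the live dm-crypt mapping rather than on the drive’s label or purchase order, so a drive that was bought as “encrypted” but never set up is rejected just like any other plain disk. On a host with self-encrypting drives the equivalent check would query the drive’s lock state instead, which this example does not cover.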
ICO Head of Enforcement, Stephen Eckersley, said “The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief.”
Chris McIntosh, CEO at ViaSat UK, agreed with Eckersley that lack of knowledge is still a basic problem that needs to be addressed early on. “Data protection should no longer be a mystery to organisations or individuals, and the fact that employees didn’t realise they needed to turn on encryption shows the need for employees to be educated and best practice followed in order for any investment in security to deliver value. It’s clear from this and a myriad of other cases that the message simply isn’t getting through: whether large organisations or single workers, it seems that the threat of fines and other recriminations still doesn’t dissuade these actions, and fines themselves are left as the only deterrent with any impact.”
Richard Anstey, CTO EMEA, Intralinks, said that it might instead be time to find an alternative to encryption. “Security experts frequently stress the importance of encrypting data when storing it on portable devices. Despite years of such warnings, this simply isn’t happening. It’s clear that a better solution is not to allow the use of portable storage devices at all where sensitive information is at stake. Instead, businesses should employ a secure cloud service that can maintain protection and track access to the information – and also allow them to withdraw access after download. With modern security technologies, sharing and storing data online – if handled correctly – allows much greater security and much higher levels of control over the flow of information, eliminating the risk of physical storage devices being misplaced and delivering security as an inherent part of the process rather than something that someone needs to be specially trained to implement.”