The Information Commissioner’s Office has, according to the ICO website, fined the Ministry of Justice (MOJ) £140,000 after a serious data protection breach resulted in the details of all of the inmates at HMP Cardiff being emailed to three of the inmates’ families.
The breach occurred between July and August 2011 and was only discovered when one of the people who had received the errant email came forward to report that they had received an email from a prison clerk about an upcoming visit but that this email had also included a file which contained confidential information about all of the inmates of the prison, such as their names, ethnicity, sentence length and details of their offences.
An internal investigation was launched by the prison and it was found that there had been a number of management failures at the prison, with the clerk having worked at the prison for two months and having limited experience and training. The investigation also found that there was a lack of data audits – which meant that the prison would probably have missed the error – and that the prison used unencrypted floppy disks to transfer data from one prison network to the other.
After an ICO investigation it was recommended that the Ministry of Justice be prosecuted for breaching s.4(4) of the Data Protection Act 1998. The ICO subsequently issued a Monetary Penalty Notice under s.55 of the Data Protection Act on the Ministry of Justice to the sum of £140,000 as the Information Commissioner found that the prison management should have known that there was a risk that the data protection breach could occur, that such a breach could cause substantial damage or distress and that the prison management failed to take reasonable steps to prevent the breach.
Chris Hadrill, an employment law solicitor at Redmans, commented on the case: “This case highlights the seriousness with which businesses should undertake their obligations relating to data protection – if there is a breach of the Data Protection Act then this can result in a business being hauled before the Information Commissioner’s Office and ordered to pay potentially substantial damages, as in this case. Businesses should therefore put in place policies and procedures for the encryption, use and transference of sensitive personal information in order to avoid a potentially embarrassing and costly court case.”