This week the Information Commissioner’s Office handed the Ministry of Justice (MoJ) a £140,000 fine after a serious breach of the Data Protection Act (DPA) led to details of all the prisoners at HMP Cardiff being emailed to three of the inmate’s families.
The breach was only discovered when one of the recipients contacted the prison. They had received an email which contained a file containing the names, addresses, sentence length, release dates and coded details of the offences carried out by the 1,182 inmates.
The breach occurred back in September 2011 and an internal investigation was launched; staggeringly it found that the same error had occurred on two previous occasions in the same month! Neither of these incidents were reported, and therefore went undiscovered until now.
The clerk involved in the incident had only been working at the prison for 2 months and had been working unsupervised. The ICO’s damning report placed blame on the management, the clear lack of training and supervision, the lack of processes and audit trails that meant that disclosures of information would have gone unnoticed if not reported.
The ICO Deputy Commissioner and Director of Data Protection, David Smith, said:
“The potential damage and distress that could have been caused by this serious data breach is obvious. Disclosing this information not only had the potential to put the prisoners at risk, but also risked the welfare of their families through the release of their home addresses.”
The ICO’s huge fine reflects the sensitivity of the data in question in this incident. What everyone should take note of, however, is that it simply took one email to incur such a large fine. If your organisation stores or processes personal information then is subject to the Data Protection Act.
Our DPA toolkit provides a cost-effective route to ensuring you are compliant. It contains all the document templates, tools and data handling guidance to satisfy the requirements of the DPA. For just £99.95 it’s probably worth a look, isn’t it.