The Ministry of Justice has been fined £140,000 by the Information Commissioner's Office (ICO) for a serious breach of the Seventh Data Protection Principle.
Details of all 1,182 prisoners at HMP Cardiff were emailed to the families of three inmates, when an inexperienced booking clerk copied and pasted a detailed spreadsheet into an email in error.
HMP Cardiff only became aware of the breach when one recipient contacted the prison to say they had received an email with an attached spreadsheet containing inmate data, some of it sensitive personal information.
An internal investigation by the prison revealed two similar incidents had happened in the previous month.
The ICO concluded there was 'a clear lack of management oversight' at the prison; that the 'lack of audit trails also meant that the disclosures would have gone unnoticed'; and, more generally, that there were 'problems with the manner in which prisoners' records were handled'.
In particular, the ICO found that the prison had failed to provide adequate training, suitable monitoring to supervise employees, or clear written procedures and checklists for data transfers, and had failed to ensure that existing procedures were adhered to.
The fact that the breach involved sensitive personal data, and the distress it caused to inmates and their families, was significant and affected the level of the fine imposed. The ICO also said that the failure to have procedures in place to spot mistakes was an aggravating factor.
Lessons can be learned
Organisations processing personal data should consider whether or not they are leaving themselves exposed to the risk of a significant breach which could attract a fine. In particular:
- Do you provide adequate employee training to ensure they understand the Data Protection Act and its requirements?
- Are clear and written policies in place to guide employees? If so, do you monitor and enforce compliance with those policies?
- Do you have procedures in place to ensure mistakes are detected?