From BBC News:
The Ministry of Justice has been fined £180,000 for “serious failings” in the handling of confidential data.
The Information Commissioner’s Office (ICO) said the penalty was related to the loss of a hard drive containing the details of almost 3,000 prisoners at Erlestoke prison in Wiltshire.
The disk was not encrypted.
The records, lost in 2013, included material on organised crime, prisoners’ health and drug misuse, and information about inmates’ victims and visitors.
After a similar incident in 2011, in which the details of 16,000 prisoners was lost on a disk that was not protected, the Ministry of Justice issued the Prison Service with new back-up hard drives that could be encrypted.
However, the government body failed to explain to employees that the encryption option had to be switched on manually.
As a result, the data lost was unprotected, and could be accessed by the finder of the hard drive.
The ICO head of enforcement, Stephen Eckersley, said: “The fact that a government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it, beggars belief.
“The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year.”
He added: “We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it.”
A Ministry of Justice spokeswoman said: “We take data protection issues very seriously and have made significant and robust improvements to our data security measures.
“These hard drives have now been replaced with a secure centralised system.”
She added: “Incidents like this are extremely rare and there is no evidence to suggest that any personal data got into the public domain.”