Could there be a safer place to store the most sensitive information? Scrambled behind encryption software, locked up inside an industrial safe so strong it can withstand a blaze, kept inside a locked room, protected by a sophisticated keypad system – and all within a secure prison.
But in the latest remarkable security blunder, it has emerged that jail staff lost a hard drive containing the intelligence logs on nearly 3,000 inmates, with all of its information unprotected because the prison service didn’t realise they had to switch on the encryption system.
The Ministry of Justice was ordered to pay £180,000 after handing out hard drives to all 75 prisons in England and Wales without telling anyone how to make the encryption system work.
None of the information contained on them was protected for more than a year until the blunder came to light after one of the drives went missing from the category C Erlestoke prison in Wiltshire in May last year. It contained details on inmates’ links to organised crime, their drug use and details of their victims – none of it protected, according to the Information Commissioner’s Office (ICO).
The drive was removed for updating from a safe which only nine members staff had the security clearance to enter. Staff only noticed that it had not been returned some days later. Despite a search by six people over two days, the drive was not found and remains missing 15 months later.
The new drive had only been given out when security flaws were revealed with the loss of a previous drive in 2011, which contained details on about 16,000 prisoners from High Down prison in Surrey, and which went missing somewhere on the prison estate. The drives were described as holding “everything that the prison service needed to know” about the prisoners.
The Ministry of Justice issued new encrypted drives to all prisons in May 2012 but nobody had told staff at the prisons how to work them. The ICO investigation “found that the prison service didn’t realise that the encryption option on the new hard drives needed to be turned on to work correctly”.
Stephen Eckersley, the head of enforcement at the ICO, said: “The fact that a Government department with security oversight for prisons can supply equipment to 75 prisons throughout England and Wales without properly understanding, let alone telling them, how to use it beggars belief.
“The result was that highly sensitive information about prisoners and vulnerable members of the public, including victims, was insecurely handled for over a year. This failure to provide clear oversight was only addressed when a further serious breach occurred and the devices were finally setup correctly.”
The maximum penalty that can imposed for such a major breach is £500,000, but the ministry was ordered to pay less than half of that because there was no evidence that the details had been spread or used, and a botched attempt had been made to remedy the first failure.
“This is simply not good enough and we expect Government departments to be an example of best practice when it comes to looking after people’s information,” said Mr Eckersley. “We hope this penalty sends a clear message that organisations must not only have the right equipment available to keep people’s information secure, but must understand how to use it.”
A Ministry of Justice spokesperson said: "We take data protection issues very seriously and have made significant and robust improvements to our data security measures. These hard drives have now been replaced with a secure centralised system. Incidents like this are extremely rare and there is no evidence to suggest that any personal data got into the public domain.”