Privacy Advisor

UK—Ministry Of Justice Fined £140,000 for E-mailing Prisoner Details to Inmates’ Families

November 26, 2013

By Brian Davidson, CIPP/E

The Information Commissioner’s Office (ICO) has served the Ministry of Justice (MoJ) with a £140,000 monetary penalty after the details of all prisoners serving at HMP Cardiff were e-mailed to three of the inmates’ families.

The e-mail included a spreadsheet containing the names, ethnicity, addresses, sentence length, release dates and coded details of the offences carried out by all of the prison’s 1,182 inmates. The breach was only discovered when one of the recipients contacted the prison to report that they had received an e-mail from the prison clerk about an upcoming visit—which included the aforementioned spreadsheet file.

An internal investigation found that the same error had occurred on two occasions within the previous month, with details sent to different inmates’ families. Neither incident was reported at the time. Police and a member of the prison staff were sent to the latest recipients’ home addresses, and checks were made to ensure that the files had been deleted.

The ICO investigation found that there was a lack of management oversight at the prison, with the prison clerk working unsupervised despite only having worked at the prison for two months and having limited experience and training. A lack of audit trails also meant that the disclosures would have gone unnoticed if they hadn’t been reported by one of the recipients.

The investigation also found problems with the handling of prisoner records, with unencrypted floppy disk drives regularly used to transfer large volumes of data between the prison’s two separate networks.

A copy of the notice is available here.

Brian Davidson, CIPP/E, is a privacy and information law advisor at Field Fisher Waterhouse, LLP.