UK Ministry of Justice fined following a serious data breach
October 22, 2013 |
The UK Information Commissioner has served the Ministry of Justice with a £140,000 monetary penalty after a data breach in which details of all prisoners serving at a Cardiff prison were emailed to three of the inmates' families.
The ICO press release (found here) provides:
MoJ fined £140k following serious data breach
The Information Commissioner’s Office (ICO) has served the Ministry of Justice (MoJ) with a monetary penalty of £140,000 after a serious data breach led to the details of all of the prisoners serving at HMP Cardiff being emailed to three of the inmates’ families.
The breach was only discovered when one of the recipients contacted the prison on 2 August 2011 to report that they had received an email from the prison clerk about an upcoming visit, which included a file containing the inmates’ details. The file included a spreadsheet containing sensitive information including the names, ethnicity, addresses, sentence length, release dates and coded details of the offences carried out by all of the prison’s 1,182 inmates.
An internal investigation was launched and the same error was found to have occurred on two previous occasions within the previous month, with details sent to different inmates’ families. Neither incident was reported at the time.
The police and a member of the prison’s staff were sent to the recipients’ home addresses and checks were made to ensure the files had been deleted. The unauthorised disclosures were reported to the ICO on 8 September 2011.
The ICO’s investigation found that there was a clear lack of management oversight at the prison, with the clerk working unsupervised despite only having worked at the prison for two months and having limited experience and training. A lack of audit trails also meant that the disclosures would have gone unnoticed if they hadn’t been reported by one of the recipients.
The investigation also found problems with the manner in which prisoners’ records were handled, with unencrypted floppy disks regularly used to transfer large volumes of data between the prison’s two separate networks.
ICO Deputy Commissioner and Director of Data Protection, David Smith, said:
“The potential damage and distress that could have been caused by this serious data breach is obvious. Disclosing this information not only had the potential to put the prisoners at risk, but also risked the welfare of their families through the release of their home addresses.
“Fortunately it appears that the fall-out from this breach was contained, but we cannot ignore the fact that this breach was caused by a clear lack of management oversight of a relatively new member of staff. Furthermore the prison service failed to have procedures in place to spot the original mistakes.
“It is only due to the honesty of a member of the public that the disclosures were uncovered as early as they were and that it was still possible to contain the breach.”
Today’s penalty was imposed on the Ministry of Justice as the National Offender Management Service, which is responsible for commissioning and delivering prison and probation services across England and Wales, is an executive agency of the department.
The Monetary Penalty Notice (found here), reproduced without Appendix 1 or the formal notices and with the paragraph numbering removed, provides:
The National Offender Management Service (“NOMS”) is an Executive Agency of the Ministry of Justice. NOMS has responsibility for commissioning and delivering Prison and Probation Services across England and Wales. The Ministry of Justice is the data controller, as defined in section 1(1) of the Data Protection Act 1998 (the “Act”), in respect of the processing of personal data carried on by the Ministry of Justice, including its executive agencies, and is referred to in this notice as the ‘data controller’.
Under sections 55A and 55B of the Act (introduced by the Criminal Justice and Immigration Act 2008 which came into force on 6 April 2010) the Commissioner may, in certain circumstances, where there has been a serious contravention of section 4(4) of the Act, serve a monetary penalty notice (‘MPN’) on a data controller requiring the data controller to pay a monetary penalty of an amount determined by the Commissioner and specified in the notice but not exceeding £500,000.
The Commissioner has issued Statutory Guidance under section 55C (1) of the Act about the issuing of monetary penalties which is published on the Commissioner’s website. It should be read in conjunction with the Data Protection (Monetary Penalties and Notices) Regulations 2010 and the Data Protection (Monetary Penalties) Order 2010.
Sensitive personal data is defined in section 2 of the Act (in so far as it is applicable to this case) as follows:-
“In this Act “sensitive personal data” means personal data consisting of information as to- [the data subject’s]
(a) the racial or ethnic origin of the data subject,
…
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings”
Power of Commissioner to impose a monetary penalty
Section 55A of the Act provides that:
(1) The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that –
(a) there has been a serious contravention of section 4(4) [of the Act] by the data controller,
(b) the contravention was of a kind likely to cause substantial damage or substantial distress, and
(c) subsection (2) or (3) applies.
(2) This subsection applies if the contravention was deliberate.
(3) This subsection applies if the data controller –
(a) knew or ought to have known –
(i) that there was a risk that the contravention would occur, and
(ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but
(b) failed to take reasonable steps to prevent the contravention.
Background
On 2 August 2011 a member of the public reported to the data controller that he had received by email details of inmates at HMP Cardiff (‘the Prison’). The email had been sent to the individual on the previous day. He was the intended recipient. A file containing the details of 1,182 inmates had accidentally been attached to the email.
The data controller completed an internal significant data breach investigation in response to the incident. The initial investigation showed there had been two previous instances of the same error on 4 and 11 July 2011 where the prisoner details had been sent to a separate individual on each occasion. On those occasions the recipients of the emails had not contacted the data controller or the Prison. A total of three emails with the attachment of prisoner details had been sent to three different individuals. Prior to notification on 2 August 2011 the data controller had not been aware that the unauthorised disclosures had taken place.
Shortly after the breach was known, a representative of the data controller and the police visited the recipients of the emails. Each recipient confirmed in writing that the email message had not been disseminated further and that it had been fully deleted. For two of the recipients, access was allowed to their email accounts for confirmation of their actions. The other recipient had already double-deleted the message and attachment.
The text file contained detailed information on every prisoner at the Prison. The data was stored in a ‘comma separated values’ (CSV) format and each type of data was contained in a field – with no header information to denote the meaning of each field. The fields of data included: name, DOB, address, details of physical marks including tattoos, wing location in the prison, sentence lengths, release dates, offence types and ethnicity. Offence types and ethnicity were shown by reference to a code system. In many cases the codes would be comprehensible without reference to the code system (e.g. BURG for burglary). Six of the prisoners had sex offence information recorded against them. Dates, such as DOB and the date of release, were in normal date format but with no heading explanation. Sentence length data was in three consecutive fields – e.g. 06, 01, 00. The Commissioner is satisfied this data was personal data and sensitive personal data.
The email program used by the data controller is Outlook. It is run on the Quantum system (the main network infrastructure) as it requires network connectivity. The text files in question had remained on the ‘clipboard’ of Quantum, which allowed the accidental pasting as email attachments. The Prison uses ‘rich text’ email format which displays attachments in the body of the email message as a fairly large icon. The emails in question were sent in HTML format, which displays the attachments as a single line of text immediately below the email header. The attachments to the emails were in excess of 250Kb. There is no monitoring software installed on the Quantum network to detect emails with attachments over a certain size, or those containing protectively-marked information. The data controller has stated that it would be too expensive to purchase and host commercially-available scanning software on the Quantum system and such costs would not be proportionate to the risk associated with the incidents that occurred at the Prison.
The clerk who sent the emails was a relatively new employee. She had received induction and general training, along with specific training on the booking system in her first two weeks. Training on the update procedure took place a week later, and the following week she was given responsibility for the procedure. The standard supervision arrangements at the Prison for the visit bookings clerk involve one-to-one shadowing for 1 or 2 days, with a further 15 working days under supervision before the employee is permitted to work without assistance. The clerk who sent the emails worked on her own four weeks after starting at the Prison and two weeks after commencing training on the update procedure.
At the time of the incidents there was no formal written guidance in place to detail how the data transfer process should have operated. Since this incident occurred, the existing training and on-going support has been enhanced by monthly checks. The new procedure ensures there is an appropriate audit trail in place. The data controller has stated the data transfer procedure has been modified. A floppy disc is no longer used. In its place an encrypted memory stick is used for the data transfer. The method used for placing the data on the USB stick is to locate the text file and use the ‘send to’ function, not the ‘copy and paste’ method. Therefore the file is not retained on the ‘clipboard’, which the data controller considered to be a key factor in this case. Following the successful update, the PC used to copy the file is rebooted to clear any temporary files and this is checked by trying a ‘paste’ in a Word document. However, the new procedure still does not remove the risk of manual error or oversight. Further, the new instructions provided to the Commissioner do not mention using the ‘send to’ function, rebooting the PC or attempting to paste into a new Word document. It appears these particular instructions may be given verbally.
The data controller has argued that most of the information revealed was, by virtue of the judicial process, already in the public domain. Some of the information would be available via court records and similar, such as voter lists. However, it would be necessary for someone to access these records proactively to compile a data set of this type. Data relating to prisoners’ physical descriptions, wing location in the prison and anticipated release date would not be in the public domain.
The Prison is a Category C closed prison, housing categories C and B and stage 1 and 2 lifer prisoners, mainly from the local area. These are prisoners for whom maximum security is not necessary, but for whom escape must be made difficult, or those who may not pose a significant risk of escape, but cannot be trusted in an open prison.
The data controller has not notified the prisoners of the disclosures. This decision was made following an assessment of the impact of disclosure on those prisoners released and due for release since the date of the original data loss, and liaison with local police on measures to safeguard those individuals if required. The data controller thought there was little the inmates could do to mitigate any risk from the disclosure and that those prisoners at risk of self-harm would suffer additional unnecessary anxiety if informed.
The Commissioner is satisfied that there has been a serious contravention of section 4(4) of the Act in that there has been a breach of the data controller’s duty to comply with the Seventh Data Protection Principle.
The Seventh Data Protection Principle provides, at Part I of Schedule 1 to the Act, that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
Paragraph 9 at Part II of Schedule 1 to the Act further provides that:
“Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to –
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected”
In particular, the data controller has failed to take sufficient appropriate technical and organisational measures against unauthorised processing and accidental loss of personal data so as to effectively prevent such unauthorised processing or accidental loss occurring. As well as technical measures such measures may include providing its employees with appropriate and adequate training, the outcomes of which are suitably monitored; sufficient supervision of employees undertaking a new procedure which is adequately documented; providing clear written procedures and checklists for the daily data transfer; and management checks on the operation of the procedure to ensure the process was sufficiently adhered to. The data controller should have taken timely steps to introduce the use of a more secure means of carrying out daily routine transfers of high volumes of personal data. The Commissioner notes that the breach to which this notice relates arises from an error repeated on three occasions over a period of several weeks and that this was not detected until the Prison was notified by a member of the public.
iii) The data controller had not adopted any appropriate checking procedures and failed to explore appropriate technical measures to reduce the risk of such an incident.
iv) Those measures which were put in place by the data controller did not ensure a level of security appropriate to the harm that might result from such unauthorised processing or accidental loss and the nature of the data to be protected.
The contravention is of a kind likely to cause substantial distress
The Commissioner is further satisfied that the contravention in this particular case is of a kind likely to cause substantial damage and substantial distress for the following reasons:-
i) A large amount of sensitive personal data relating to 1,182 prisoners was unintentionally disclosed to three members of the public due to inappropriate technical and organisational measures taken by the data controller.
ii) The personal data included the fact that an individual was an offender/prisoner, coded offences (almost all easily recognisable), multiple offences, last known address, DOB, and other identifying physical characteristics and their current location within the Prison.
iii) In specific reference to the third incident, as the information had been sent to an inmate’s relative, they would have been familiar with the details of that inmate, thus making it more likely that they would have been able to decipher the coding of the information to learn the details of the other 1,181 individuals.
iv) Even without this knowledge, the offence codes used are basic and most of them would be easily deciphered by an ordinary member of the public. For people with knowledge of the criminal justice system, even the less obvious codes would be likely to be deciphered.
v) It was fortuitous that the emails had been sent to one person on each occasion, and that on the third occasion of the breach, the recipient had notified the data controller and it was possible to obtain assurances and, in two instances, physical access to the email accounts to ensure the information was destroyed.
vi) The data controller had taken the decision not to disclose the breach to the prisoners because it may cause some at risk of ‘self-harm’ to suffer additional anxiety. Therefore some prisoners may have been considered likely to suffer greater distress than others, including some of the affected prisoners who have recorded offences for rape or other sexual offences.
vii) If the data had got into the wrong hands (e.g. those involved with criminality or a rival of a particular inmate) this would be considered to raise the level of distress caused by the disclosures.
The data controller ought to have known that there was a risk that the contravention would occur, that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention
The Commissioner is satisfied that section 55A (3) of the Act applies in that the data controller ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial distress, but it failed to take reasonable steps to prevent the contravention for the following reasons:-
i) The data transfer was undertaken on a daily routine basis involving a large volume of sensitive personal data. There were no written procedures or checking mechanisms in place for the daily data transfer.
ii) Management should have realised the potential for human error in using the ‘copy and paste’ function particularly by a new member of staff with limited training and experience.
iii) The data controller did not take reasonable steps to prevent the contravention, such as technical measures and providing its employees with appropriate and adequate training, the outcomes of which are suitably monitored; sufficient supervision of employees undertaking a new procedure which is adequately documented; providing clear written procedures and checklists for the daily data transfer; and management checks on the operation of the procedure to ensure the process was sufficiently adhered to.
iv) The data controller should have taken timely steps to introduce the use of a more secure means of carrying out daily routine transfers of high volumes of personal data.
In the circumstances, as the data controller routinely handles sensitive personal data relating to prisoners it should have been obvious that such a contravention would be of a kind likely to cause substantial distress to the data subjects due to the nature of the data involved.
Aggravating features the Commissioner has taken into account in determining the amount of a monetary penalty
Effect of the contravention
The contravention was particularly serious because of the confidential and sensitive nature of the personal data.
Behavioural issues
There was no means of identifying when this type of incident occurred. It was unknown to the data controller until a recipient of the unauthorised disclosure had contacted the Prison.
The data controller and in particular its Executive Agency, NOMS appears to have limited oversight of the specific operational activities of the business areas under its control.
Impact on the data controller
The data controller has sufficient financial resources to pay a monetary penalty up to the maximum without it causing undue financial hardship.
Mitigating features the Commissioner has taken into account in determining the amount of the monetary penalty
Nature of the contravention
Although multiple disclosures were made, the data was sent to a small number of individuals. One individual brought the unauthorised disclosure to the attention of the data controller.
As far as the Commissioner is aware, none of the personal data involved in any of the security breaches has been further disseminated.
Effect of the contravention
The personal data compromised in these breaches has been confirmed by the data controller as having been destroyed and written assurances have been received from the recipients that there has been no further dissemination.
Behavioural issues
The data controller has taken some remedial action in respect of these breaches, with a view to preventing a recurrence.
The breach was self-reported and the data controller has been co-operative with the Commissioner’s investigation.
Impact on the data controller
There is likely to be a significant impact on the reputation of the data controller as a result of these security breaches.
The liability to pay the monetary penalty will fall on the public purse although the penalty will be paid into the Consolidated Fund.
Other considerations
The Commissioner’s underlying objective in imposing a monetary penalty notice is to promote compliance with the Act. This is an opportunity to reinforce the need for standardisation across the prison service as it is possible similar practices could be happening elsewhere.
This will highlight this poor practice, encourage improvements and have a broader impact on compliance across this business area.
Contravention of the Third Data Protection Principle in that excessive personal data was routinely transferred by manual means on a daily basis.
The data controller holds responsibility within Government for Government policy on data protection matters and could therefore be expected to be a model of best practice and exemplary in respect of data protection compliance.
Notice of Intent
A notice of intent was served on the data controller dated 13 August 2013. The Commissioner received written representations from the data controller’s Permanent Secretary dated 16 September 2013. The Commissioner has considered the written representations made in relation to the notice of intent when deciding whether to serve a monetary penalty notice. In particular, the Commissioner has taken the following steps:
- reconsidered the amount of the monetary penalty generally, and whether it is a reasonable and proportionate means of achieving the objective which the Commissioner seeks to achieve by this imposition;
- ensured that the monetary penalty is within the prescribed limit of £500,000; and
- ensured that the Commissioner is not, by imposing a monetary penalty, acting inconsistently with any of his statutory or public law duties and that a monetary penalty notice will not impose undue financial hardship on an otherwise responsible data controller.
Amount of the monetary penalty the Commissioner proposes to impose
The Commissioner considers that the contravention of section 4(4) of the Act is serious and that the imposition of a monetary penalty is appropriate. Further, he considers that a monetary penalty in the sum of £140,000 (one hundred and forty thousand pounds) is reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty.
In reaching this decision, the Commissioner considered other cases of a similar nature in which a monetary penalty has been imposed and the facts and aggravating and mitigating features referred to above. Of particular relevance in this case is the nature of the personal data lost, the potential for harm and likelihood of distress.
Payment
The monetary penalty must be paid to the Commissioner’s office by BACS transfer or cheque by 19 November 2013 at the latest. The monetary penalty is not kept by the Commissioner but will be paid into the Consolidated Fund which is the Government’s general bank account at the Bank of England.
Early payment discount