The UK Information Commissioner’s Office issues a reprimand for an old-fashioned data breach…leaving confidential information in paper form in a public area. Not every data breach is cyber related
May 30, 2023
The Information Commissioner’s Office (the “ICO”) has issued the Ministry of Justice a formal reprimand after confidential waste documents were left in an unsecured area. The focus of recent reporting about data breaches has been on large-scale hacks of databases. However, data breaches involving documents left in public places or sent to parties not entitled to them can be equally damaging. In this reported data breach (at an unnamed prison facility) the damage is serious, as it revealed personal information about prison staff and inmates.
The press release provides:
The ICO has issued a formal reprimand to the Ministry of Justice (MoJ) after confidential waste documents were left in an unsecured prison holding area.
Prisoners and staff had access to the 14 bags of confidential documents, which included medical and security vetting details, for a period of 18 days.
During this time staff challenged prisoners who were openly reading the documents, but did nothing proactive to ensure the personal information was secured. At least 44 people had access to the information, which had remained on site as a contracted shredder waste removal company had not collected as scheduled.
The ICO investigation uncovered a lack of robust policies at the prison including:
- no pre-agreed areas for staff to leave confidential waste in a secure place;
- staff being unaware of the need to shred information or the risks of allowing prisoners access to non-shredded confidential documents;
- inaccurate records of the number of staff who had completed data protection training; and
- a general lack of staff understanding of the risks to personal data and the need to report data breaches.
The reprimand details a number of required or recommended actions including:
- a thorough review of all data protection policies, procedures and guidance to ensure they are adequate and up to date with legislation; and
- the creation of a separate data breach reporting policy for staff.
The MoJ is also required to provide the ICO with a progress report by the end of October 2023.
The reprimand relevantly provides:
- the incident occurred on 26 February 2022.
- 14 bags of confidential waste were found in an unsecured holding area in the prison which both prisoners and staff had access to. The bags were left unsecured for 18 days in total.
- some of the bags had not been sealed or shredded correctly and contained information relating to both prison staff and prisoners. This included medical data, security vetting details
- 44 individuals potentially viewed the information contained in the confidential waste bags, including prisoners.
- despite certain staff challenging prisoners who were seen reading the papers from the bags, the staff did not subsequently report that confidential waste was being stored in the unsecure area
- the processes were inadequate in that:
  - there were no specific instructions provided to prison staff in relation to the designated storage areas for confidential waste prior to its disposal
  - whilst there were data breach reporting and guidance documents, there was minimal evidence that established data incident reporting requirements were sufficiently reinforced to prison staff at appropriate intervals
  - staff lacked understanding of the risks and need to report the data breach
  - the prison staff involved in placing the confidential waste in the unsecure area had a lack of awareness of processes for handling sensitive and confidential waste
  - staff were not aware of the need to shred information prior to its disposal and did not understand the risk of using prisoners to move confidential waste
  - whilst data protection training was in place, there were no robust measures in place to ensure that staff were completing the mandatory training
- the mitigating factors were:
  - once the breach was discovered, the waste bags were transferred to a secure location by a staff member within the prison
  - the incident was reported to the prison’s Information Security Team
  - the cells of the prisoners initially identified as having accessed the waste bags were searched and relevant CCTV footage reviewed to identify other prisoners who had access to the data
- the MoJ took remedial action of:
  - a new process to ensure all confidential waste is collected within the allocated time slot
  - secure areas have now been identified for confidential waste and staff made aware of the new procedure
  - sufficient shredders have now been brought on site, to ensure prior shredding of confidential waste can be completed