On August 20, the United Kingdom’s Information Commissioner’s Office (ICO) announced that it was fining the government’s own Ministry of Justice £180,000 after two separate occasions on which unencrypted portable hard drives containing the personal information of prisoners went missing, affecting nearly 19,000 prisoners. Although the drives had encryption software installed, the Ministry of Justice division responsible for prison services did not realize that the software had to be manually activated, so the data on the drives was stored in the clear. While only two drives were lost, 75 prisons had been storing prisoners’ confidential information on unencrypted devices for at least a year. In issuing a monetary penalty notice, the ICO noted that the Ministry of Justice had failed to take proper remedial action after the first hard drive was lost and that, as a part of the government, the ministry should “be expected to be a model of best practice and exemplary in respect of data protection compliance.”
The ICO regulates data controllers under the Data Protection Act and the Privacy and Electronic Communications Regulations. It routinely fines both public and private entities for failing to safeguard data. These entities may either pay the fine (at a discount if they pay early) or appeal to a tribunal. This was not the first time the ICO took action against the Ministry of Justice, which has been penalized before: in October 2013, it was fined £140,000 after spreadsheets containing prisoners’ personal information were inadvertently emailed to members of the public.