Ministry of Justice rapped by ICO for old fashioned data leak

Forget AWS buckets, bags of medical and personal info on inmates and their guards left in 'unsecured' area of prison

We step back into the analogue world for this tale of woe that involves bags and bags of sensitive data being left unsealed in an “unsecured” area of a prison. The financial penalty for doing so? A slap on the wrist for Britain’s Ministry of Justice.

The Information Commissioner’s Office, Britain’s data watchdog, says staff and inmates at an unnamed jail had access for 18 days to 14 bags of confidential documents which included “medical and security vetting details” of guards and cons.

During this period prison staff had “challenged prisoners” who were “openly reading” the documents but did nothing more to intervene to ensure the personal data was protected, and did not report it being held in an unsecured area, the ICO states in its report[pdf].

Some of the 14 bags were unsealed and not all docs were shredded correctly - presumably sifting through the paper and piecing it together would have taken time, something that prisoners have an abundance of. The “security incident” happened on February 26, 2022, which seem to be when the blunder was officially spotted.

Thwe report states that 44 individuals “potentially viewed the information contained in the confidential waste bags”.

“As a result the risks to individuals in the prison would be significant and include potential identification within the prison or outside in the wider community. There would also be a significant risk of intimidation by other prisoners. Outside of the individuals incarcerated, there is also the risk of unwarranted attention of family members if identified."

The actual number of individuals that removed information was redacted from the ICO’s recount, though it did say prison staff searched the cells of prisoners that accessed the information and came up with zero.

During its probe, the ICO found the data controller at the prison lacked robust policies for such scenarios.

- There was no pre-agreed area for staff to leave confidential waste in a secure way or pre-designed area;

- Staff were unaware of the need to shred docs or the risks of letting inmates see them;

- The prison had “inaccurate records” of the number of staff that completed data protection training;

- And there was a lack of understanding of the risks to personal data and or the need to report breaches.

Steve Eckersley, ICO director of investigations, said: “Everyone has the right to expect their personal details will be kept secure and this includes in a prison environment, where exposure of personal information could potentially have serious consequences.

“Whether documents are consigned to waste or not, they must be handled securely and responsibly and we expect both the prison and the MoJ to continue to take steps to improve practices to ensure people are protected.”

In mitigation, the ICO says that when the bags were found they were transferred to a secure location in the prison; it was reported to the prison’s Information Security Team and cells searched; and the prison has set up new processes. Given these factors, the ICO says it decided to “reprimand” the MoJ.

In return, the MoJ is advised to do a number of things including to undertake a data protection review and consider reporting policies.

We asked the MoJ to comment on this embarrassing episode, and a spokeperson for the Prison Service sent us a statement:

"Mistakes like this are extremely rare and we acted swiftly to correct it... We've implemented a raft of new measures to ensure this does not happen again – including installing fifteen new shredders and a strict new confidential waste process which the ICO has welcomed". ®

More about


Send us news

Other stories you might like