Brian Sims
Editor
Brian Sims
Editor
THE INFORMATION Commissioner’s Office (ICO) has issued a formal reprimand to the Ministry of Justice after confidential waste documents were left in an unsecured prison holding area.
Prisoners and staff had access to the 14 bags of confidential documents, which included medical and security vetting details, for a period of 18 days. During this time period, staff challenged prisoners who were openly reading the documents, but did nothing proactive in order to ensure that the personal information involved was secured.
At least 44 individuals had access to the information, which had remained on site as a contracted shredder waste removal company had not collected the materials as scheduled.
The ICO’s extensive investigation uncovered a lack of robust policies at the prison including:
*no pre-agreed areas for staff to leave confidential waste in a secure place
*staff being unaware of the need to shred information or the risks of allowing prisoners access to non-shredded confidential documents
*inaccurate records of the number of staff who had completed data protection training
*a general lack of staff understanding of the risks to personal data and the need to report data breaches
Potentially serious consequences
Steve Eckersley, the ICO’s director of investigations, commented: “Everyone has the right to expect their personal details will be kept secure and this includes in a prison environment, where the exposure of personal information could potentially have serious consequences.”
Eckersley continued: “Whether documents are consigned to waste or not, they must be handled securely and responsibly. We expect both the prison concerned and the Ministry of Justice to continue to take steps to improve practices that will ensure people are protected.”
The reprimand details a number of required or recommended actions including:
*a thorough review of all data protection policies, procedures and guidance to ensure they are adequate and up-to-date with legislation
*the creation of a separate data breach reporting policy for staff
The Ministry of Justice is also required to provide the ICO with a progress report by the end of October.
Published reprimands
This is the 45th reprimand to have been published on the ICO’s website detailing how the work of the organisation is making sure people’s information rights are protected.
Previous examples include ensuring that a review led to a new policy being introduced at an NHS Trust, which then stopped the standard practice of sending out group e-mails, in turn significantly reducing the risk of e-mails being sent to the wrong individual.
There was also the implementation of improved technical measures at an independent advisory body in order to better guard against future attempts of unlawful access to IT systems.
In addition, there was an instance of the ICO insisting that people’s subject access requests made to a Government department were actioned within the statutory timescale.
Further, procedures were reviewed and updated at a local council to prevent the disclosure of personal details to opposing parties in child protection legal proceedings. Last, but not least, a decommissioning policy was implemented and adhered to at an NHS hospital to make sure that personal details would not be lost when a filing system was terminated.
