ICO (UK) - Ministry of Justice (1)

From GDPRhub
Revision as of 23:34, 1 June 2023 by At33 (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=United Kingdom |DPA-BG-Color=background-color:#023868; |DPAlogo=LogoUK.png |DPA_Abbrevation=ICO |DPA_With_Country=ICO (UK) |Case_Number_Name=Ministry of Justice (1) |ECLI= |Original_Source_Name_1=ICO |Original_Source_Link_1=https://ico.org.uk/media/action-weve-taken/reprimands/4025227/20230524-reprimand-moj_redacted.pdf |Original_Source_Language_1=English |Original_Source_Language__Code_1=EN |Original_Source_Name_2= |Original_Source_Link...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ICO - Ministry of Justice (1)
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 5(1)(f) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 27.04.2023
Published: 27.04.2023
Fine: n/a
Parties: Ministry of Justice
National Case Number/Name: Ministry of Justice (1)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: At33

The ICO has issued a formal reprimand to the Ministry of Justice (MoJ) after confidential waste documents were left in an unsecured prison holding area.

English Summary

Facts

Confidential waste documents were left in an unsecured prison holding area. Prisoners and staff had access to the 14 bags of confidential documents, which included medical and security vetting details, for a period of 18 days.

During this time staff challenged prisoners who were openly reading the documents, but did nothing proactive to ensure the personal information was secured. At least 44 people had access to the information, which had remained on site as a contracted shredder waste removal company had not collected as scheduled.

Holding

The ICO has issued a formal reprimand to the Ministry of Justice (MoJ). The ICO investigation uncovered a lack of robust policies at the prison including: no pre-agreed areas for staff to leave confidential waste in a secure place; staff being unaware of the need to shred information or the risks of allowing prisoners access to non-shredded confidential documents; inaccurate records of the number of staff who had completed data protection training; and a general lack of staff understanding of the risks to personal data and the need to report data breaches.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

DATA PROTECTION ACT 2018 AND UK GENERAL DATA
                       PROTECTION REGULATION


                                REPRIMAND




The Information Commissioner (the Commissioner) issues a reprimand to
the Ministry of Justice (MOJ) in accordance with Article 58(2)(b) of the UK
General Data Protection Regulation in respect of certain infringements of
the UK GDPR.


The M OJ is the data controller for HMP            .        NHS Foundation
Trust also provides healthcare services into the prison. As a result some
of the confidential waste held by the prison contained confidential medical
records.


A security incident occurred on 26 February 2022. 14 bags of confidential
waste were found in an unsecured holding area in the prison which both
prisoners and staff had access to. A shredder would usually collect the
confidential waste. On this occasion the shredder lorry did not collect the

bags within the allotted time leaving them unsecured, for a period of 18
days in total.

In addition to being in an unsecured location, some of the bags had not

been sealed or shredded correctly and contained information relating to
both prison staff and prisoners. This included medical data, security
vetting details and a                                       Report         .

During this period we are aware that 44 individuals potentially viewed the

information contained in the confidential waste bags.        prisoners were
identified as having removed information.

Despite evidence of certain staff challenging prisoners who were seen to
read papers contained in the bags, the staff did not subsequently report

that confidential waste was being stored in the unsecure area. It is
established that there were no pre-agreed areas for staff to leave
confidential waste securely at HMP             .

Th e prison does not hold accurate data on the number of staff that had

completed data protection training at the time of the incident.

The reprimand


The Commissioner has decided to issue a reprimand to the MOJ in respect
of the following infringements of the UK GDPR:


                                      1   •  Article 5(1)(f) - Security and Article 32(1)(d) & (2) which

      state:

Article 5(1)(f)


Personal data shall be processed in a manner that ensures appropriate

security of the personal data, including protection against unauthorised or
unlawful processing and against accidental loss, destruction or damage,
using appropriate technical or organisational measures (‘integrity and

confidentiality’).


Article 32(1)

Taking into account the state of the art, the costs of implementation and

the nature, scope, context and purposes of processing as well as the risk
of varying likelihood and severity for the rights and freedoms of natural

persons, the controller and the processor shall implement appropriate
technical and organisational measures to ensure a level of security
appropriate to the risk, including inter alia as appropriate:


(d) a process for regularly testing, assessing and evaluating the
effectiveness of technical and organisational measures for ensuring the

security of the processing.


Article 32(2)

In assessing the appropriate level of security account shall be taken in

particular of the risks that are presented by processing, in particular from
accidental or unlawful destruction, loss, alteration, unauthorised

disclosure of, or access to personal data transmitted, stored or otherwise
processed.


The reasons for the Commissioner’s findings are set out below.



Article 5(1)(f) and Article 32(1)(d) & (2)


The MOJ had not implemented the appropriate technical and
organisational measures to ensure the security of the personal data in this

case. As a consequence, data was left unsecured in an accessible area to


                                       2other prisoners and prison staff.


Lack of robust policies


Whilst is it noted that the MOJ had policies in operation that clearly
emphasise the need to securely shred records, there was no specific
instructions provided to prison staff in relation to the designated storage

areas for confidential waste prior to its disposal. Clarity in this regard
would likely have prevented the waste bags from being left in an

unsecure area by prison staff.

The established processes for holding and disposing of confidential waste

were not sufficient at the time of the incident.


The guidance in relation to        reports relates to the prison’s general
use of its                       System, and does not make specific
reference to the appropriate handling of         . The prison should have

established more granular instructions for staff for the handling or
disposing of         This would have mitigated the risks of inappropriate
disclosure.


Whilst data breach reporting and guidance documents were in place at

the time of the incident, the ICO has been provided with minimal
evidence to demonstrate that established data incident reporting
requirements, were sufficiently reinforced to prison staff at appropriate

intervals. Staff lacked understanding of the risks and need to report the
data breach.


The prison staff involved in placing the confidential waste in the unsecure
area were found to have a lack of awareness of processes for handling

sensitive and confidential waste. Furthermore, staff were not aware of the
need to shred information prior to its disposal and did not understand the

risk of using prisoners to move confidential waste.

Whilst it is established that data protection training is in place, there were

no robust measures in place to ensure that staff were completing the
mandatory training.


The completion of such training by prison staff is crucial to embedding a
culture of risk awareness and confidence in identifying potential data

breaches. Had this training been undertaken in line with established


                                       3requirements, staff would have been more likely to recognise their
responsibilities in appropriately securing the confidential waste and/or

reporting the data breach incident at an earlier stage.


Severity of breach

It has been established that up to 44 individuals viewed the information

contained in the confidential waste bags. As a result the risks to
individuals in the prison would be significant and include potential

identification within the prison or outside in the wider community. There
would also be a significant risk of intimidation by other prisoners. Outside
of the individuals incarcerated, there is also the risk of unwarranted

attention of family members if identified.


Mitigating factors

In the course of our investigation, we have noted that:

a) Once the breach was discovered, the waste bags were transferred to a

secure location by a staff member within the prison.

b) The incident was reported to the prison’s Information Security Team
via email and senior staff and the                                     were
also informed of the incident for oversight purposes. An internal

investigation commenced.

c) The cells of the     prisoners initially identified as having accessed the
waste bags were searched with no information found and relevant CCTV
footage reviewed to identify other prisoners who had access to the data.


Remedial steps taken by the MOJ


The Commissioner has also considered and welcomes the remedial steps
taken by t he MOJ in light of this incident. In particular HMP            has

implemented a new process to ensure all confidential waste is collected
within the allocated time slot. Secure areas have now been identified for
confidential waste and staff made aware of the new procedure. Sufficient

shredders have now been brought on site, to ensure prior shredding of
confidential waste can be completed.


Additionally, guidance will be issued to staff by HMP             for future
      report disseminations. In particular, any disseminated         reports

moving forward will contain instructions on appropriate handling and


                                       4disposal.


Decision to issue reprimand


Taking into account all the circumstances of this case including the
mitigating factors and remedial steps, the Commissioner has decided to
issue a reprimand to the MOJ in relation to the infringements of Articles

5(1)(f) and 32(1)(d) & (2) of the UK GDPR as set out above.


Further Action Recommended

The Commissioner recommends that the MOJ should take certain steps to

ensure its compliance with UK GDPR. With particular reference to Articles
5(1)(f), 32(1)(d) and 32(2) of the UK GDPR, the following steps are

recommended:

1) The MOJ should conduct a thorough review of all established data

protection policies, procedures and guidance documents to ensure that
these remain adequate for purpose and reference up to date legislation.


For example, it is noted that its Information Security Policy currently
references the DPA 1998, its Information Security Policy Framework

references GDPR rather than UK GDPR and its ‘Records, Information
Management and Retention Policy’ has not been updated since 2018.


2) As part of this process, the MOJ could consider the creation of a
separate data breach reporting policy and procedure for its staff

(incorporating its incident reporting template) in place of its current
inclusion in wider information security policies (ie to highlight the
significance of the process).


3) Residual risks posed to affected individual(s) as a result of the

disseminated and later exposed         reports should be tested in future to
ensure these are sufficiently mitigated.


4) A data processing agreement or similar contract between the prison
and the Trust should be formed, to outline any established controllership

responsibilities surrounding the handling and eventual destruction of Trust
data processed at the prison.


5) The MOJ should ensure that any further remedial actions outlined in its


                                      5correspondence to the ICO (particularly those related to staff training) are

completed in a timely manner.

MOJ should provide the ICO with a progress update on the above

recommendations in six months’ time, ie by 27 October 2023.





















































                                     6