The prison service in Northern Ireland has been warned by the ICO over another data breach. The ICO press release is available online: http://ico.org.uk/news/latest_news/2014/prison-service-warned-after-maze-records-sold-at-auction-18062014

Prison Service warned over data breach

This incident relates to the Prison Service auctioning off a cabinet containing records from the Maze prison.

Interestingly, this breach took place in 2004, when the Northern Ireland Office was responsible, but nothing was reported at the time. In the end the breach was discovered while the ICO was investigating a Prison Service breach from 2012, which resulted in the Department of Justice being fined.

ICO Assistant Commissioner for Northern Ireland, Ken Macdonald, said:

“This is a story of basic errors and poor procedures, which if the incident happened today would see us issuing a substantial fine.

“The loss of this information represents not only an embarrassing episode for the prison service in Northern Ireland, but a serious breach of the Data Protection Act that could have had damaging repercussions for the individuals affected.

“The incident went unreported for eight years and the same mistakes were allowed to occur. It is only now that we have seen a commitment from the Department of Justice Northern Ireland to tackle these problems and keep people’s information secure.”

Sadly this is a common problem – basic security controls are either not in place or are allowed to be ignored.

At the most fundamental level, the Prison Service (or the Northern Ireland Office in 2004) should have maintained a record of what assets it was responsible for and their locations. This would have prevented the cabinet being sold off at auction.

Failing that, before any assets (information assets, technology or physical products such as cabinets and furniture) are disposed of, they absolutely must be checked to ensure no sensitive data is being accidentally leaked.

Hopefully the Prison Service has learned from this, and it should also act as a reminder to all organisations that they should review all asset lifecycle policies to make sure they are suitable.