The UK Ministry of Justice is in the dock after being fined £140,000 for a data breach at Cardiff Prison which led to personal details about all its 1,182 prisoners being emailed to three of the inmates' families.
The fine will come as a particular embarrassment to the Ministry which is in charge of the UK courts, prisons and probation services and “keeping the public safe from offenders”.
The breach was only discovered when one of the families contacted the prison to report they had received a spreadsheet containing the names, ethnicity, addresses, sentence length, release dates and coded details of the offences carried out by all the inmates.
The prison launched an investigation and found it had made the same error twice before in the previous month, with details sent to different inmates' families. Neither incident was reported at the time, and the police and a member of the prison staff were dispatched to the recipients' homes to check the files had been deleted.
The £140,000 fine was imposed last week by the UK data privacy watchdog, the Information Commissioner's Office (ICO), which described it as “a particularly serious data breach”. The leak itself took place in August 2011 and was reported to the ICO the following month.
ICO deputy commissioner and director of data protection, David Smith, said: “The potential damage and distress that could have been caused by this serious data breach is obvious. Disclosing this information not only had the potential to put the prisoners at risk, but also risked the welfare of their families through the release of their home addresses.”
He added: “It is only due to the honesty of a member of the public that the disclosures were uncovered as early as they were and that it was still possible to contain the breach.”
The severity of the fine reflected a number of “aggravating features”, the ICO said: “The contravention was particularly serious because of the confidential and sensitive nature of the personal data. There was no means of identifying when this type of incident occurred. It was unknown to the data controller until a recipient of the unauthorised disclosure had contacted the prison.”
The investigation also found unencrypted disks were regularly used to transfer large volumes of data between the prison's two separate networks.
A Ministry of Justice spokesperson accepted it was at fault, saying: "We treat the security of information very seriously and took immediate steps to recover the data as soon as the loss was reported to ensure that it went no further.
"These types of incidents are extremely rare but this does not mean that we are complacent. A thorough investigation was held by the prison which immediately altered its procedures, and further changes were implemented across the prison estate.”
The ICO added: “The data controller and in particular its executive agency, the National Offender Management Service (NOMS), appears to have limited oversight of the specific operational activities of the business areas under its control.”
The Justice Ministry is one of the UK's largest government departments, with around 76,000 staff and a £9 billion annual budget.
NOMS is an executive agency of the Ministry. It works with around 260,000 offenders each year to reduce reoffending.