The Information Commissioner’s Office really had no choice
but to come down hard on the National Offender Management Service recently,
after a portable hard drive used to back up the prisoner intelligence database
went missing from a prison security department.
Nobody knew exactly when it had gone missing: it was last used for the weekly
backup on 18 May 2013 and was found to be gone when staff came to run the next
backup six days later, so it could have been missing for almost a week.
Contrary to policy, it had not been locked in the fireproof safe after use.
Not only was it missing, it was also unencrypted and not password protected.
It contained sensitive information about almost 3,000 prisoners, including
names and dates of birth, length of sentence, offence(s), physical descriptions
and distinguishing marks, plus intelligence on drug use and links to other
prisoners or to organised crime - certainly not the sort of details you'd want
to lose.
Although only nine members of staff were supposed to have access to the area
where the hard drive was used, and that area was controlled by a keypad system,
the door to the Security Department could in practice be opened by anyone on
the prison staff.
To make matters worse, this wasn't the first time something like this had
happened. Back in October 2011, an almost identical breach involving 16,000
prisoners had taken place at another establishment, and the ICO had been told
that, as a result, encrypted hard drives had been supplied to the 75 prisons
that were using unencrypted portable drives to back up prisoner intelligence
information. Unfortunately, nobody realised that the encryption on the new
drives had to be switched on manually, and the IT provider was never asked to
confirm that it was actually working, so all 75 prisons carried on backing up
to drives that were, in effect, still unencrypted for at least a year afterwards.
The encryption has now been activated and automatic updates enabled. The hard
drive was never recovered, although there was no evidence that it had been
accessed or had fallen into the wrong hands.
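The failure above was not a missing control but an unverified one: the drives were "encrypted" on paper while the encryption was never switched on, and nobody checked. The practical fix is to make the backup job itself refuse to run unless the target is demonstrably an encrypted container. The following is an added example (it is not code from NOMS, the ICO or the IT provider the post describes) of such a pre-backup gate; it assumes a Linux host where the backup target is a block device or disk image, recognises only LUKS and BitLocker signatures, and treats anything else as unencrypted. The two sample images it builds are constructed fixtures, not real backups.

```python
"""Pre-backup gate: refuse to write a backup unless the target device or image
carries a recognised encrypted-container header.

Added example, not NOMS/ICO material.  Assumptions: Linux host, target is a
block device or image file, and only LUKS (1 or 2) and BitLocker are accepted.
"""
import math
import os
import struct
import tempfile
from collections import Counter
from typing import Optional, Tuple

# Real on-disk signatures (the only formats this gate recognises).
LUKS_MAGIC = b"LUKS\xba\xbe"    # LUKS1/LUKS2 primary header, offset 0
BITLOCKER_OEM_ID = b"-FVE-FS-"   # BitLocker volume boot sector, offset 3


def detect_container(header: bytes) -> Optional[str]:
    """Name the encryption format identified by the first 512 bytes, or None."""
    if header[:6] == LUKS_MAGIC:
        version = struct.unpack(">H", header[6:8])[0]  # big-endian uint16
        if version in (1, 2):
            return f"LUKS{version}"
    if header[3:11] == BITLOCKER_OEM_ID:
        return "BitLocker"
    return None


def shannon_entropy(sample: bytes) -> float:
    """Bits per byte; ciphertext or random data sits close to 8.0."""
    if not sample:
        return 0.0
    n = len(sample)
    counts = Counter(sample)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def check_backup_target(path: str, sample_bytes: int = 65536) -> dict:
    """Inspect a device or image and decide whether a backup may proceed.

    A recognised container header is mandatory.  The entropy of data past the
    first 4 KiB is reported as advisory only: it is a heuristic, and the JSON
    metadata that follows a LUKS2 header is low-entropy even on a fully
    provisioned container, so it must not be the deciding factor.
    """
    with open(path, "rb") as f:
        header = f.read(512)
        f.seek(4096)
        body = f.read(sample_bytes)
    fmt = detect_container(header)
    return {
        "path": path,
        "format": fmt,
        "body_entropy": round(shannon_entropy(body), 2),
        "allow_backup": fmt is not None,
    }


def build_sample_images(directory: str) -> Tuple[str, str]:
    """Constructed fixtures: a LUKS2-style header followed by random bytes
    (standing in for an activated container) and a plaintext-looking image
    (a drive whose encryption was never switched on)."""
    enc = os.path.join(directory, "encrypted.img")
    plain = os.path.join(directory, "plaintext.img")
    with open(enc, "wb") as f:
        f.write(LUKS_MAGIC + struct.pack(">H", 2))
        f.write(b"\x00" * (4096 - 8))
        f.write(os.urandom(65536))
    with open(plain, "wb") as f:
        f.write(b"\x00" * 4096)
        f.write(b"Prisoner intelligence backup 2013-05-18\n" * 1600)
    return enc, plain


def demo() -> Tuple[dict, dict]:
    """Run the gate over both fixtures and return (encrypted, plaintext) results."""
    with tempfile.TemporaryDirectory() as d:
        enc, plain = build_sample_images(d)
        return check_backup_target(enc), check_backup_target(plain)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

In a real backup script the `allow_backup` decision is the gate: abort and alert when it is false, so that an unactivated drive is noticed on the first weekly run rather than a year later. Point it at the raw device (for example `/dev/sdb1`) rather than a mounted filesystem, since an opened LUKS mapping or unlocked BitLocker volume presents plaintext.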
Because there had already been a virtually identical serious breach, the
Commissioner considered this a very serious contravention of the seventh data
protection principle:
“Appropriate technical
and organisational measures shall be taken against unauthorised or unlawful
processing of personal data and against accidental loss or destruction of, or
damage to, personal data”
The National Offender Management Service was fined £180,000.
It underlines the fact that even when you think you're doing everything you
can to comply with the rules, it can be the simplest thing you overlook that
leads to a damaging security breach.
Do you know where your backup drives are kept, and do you have policies in
place to ensure they don't go missing? Are the drives encrypted, and has anyone
checked that the encryption is actually switched on? Can you imagine what would
happen if the personal information you keep backed up were lost, whether your
own business's or your clients'? If you're unsure how to make sure this sort of
faux pas never happens to you, contact me and I will be delighted to provide
guidance and advice.