MoJ reprimanded by ICO after ‘bags of confidential documents’ exposed for over two weeks

Written by Sam Trendall on 25 May 2023 in News

Sensitive data was left unsecured in prison holding area, according to data watchdog


The Ministry of Justice has been issued with a formal reprimand by the Information Commissioner’s Office after “14 bags of confidential documents” were left exposed in the holding area of a prison.

The files in the bags – which were intended for disposal – contained sensitive information, including medical information and details of security vetting processes.

After a shredding and waste-removal company did not collect the bags as scheduled, they were left unsecured for 18 days. During this time at least 44 people were able to access the data – including prisoners who were observed by staff “openly reading the documents”, according to the ICO.

Prison workers challenged inmates doing so “but did nothing proactive to ensure the personal information was secured”.

It is understood that two prisoners removed documents from the bags. Their cells were subsequently searched, and their telephone and mail communications were monitored. The men were also warned that, if information was shared externally, they could face action under the Data Protection Act as individuals.

Following the breach, an investigation by the ICO “uncovered a lack of robust policies at the prison” – which is understood to be HMP Rochester.

This included insufficient awareness among staff of the need to shred sensitive documents or of the risks created by prisoners reading the documents. The prison also lacked a defined and secure area in which confidential waste should be left.

Investigators also found there were “inaccurate records” of how many employees had undertaken data-protection training, as well as “a general lack of staff understanding of the risks to personal data and the need to report data breaches”.




Alongside the reprimand, the ICO has demanded that the prison creates a new and dedicated policy through which staff should report breaches, and conducts “a thorough review of all data protection policies, procedures and guidance to ensure they are adequate and up to date with legislation”.

The MoJ is required to provide the regulator with a progress update by the end of October.

ICO director of investigations Steve Eckersley said: “Everyone has the right to expect their personal details will be kept secure and this includes in a prison environment, where exposure of personal information could potentially have serious consequences. Whether documents are consigned to waste or not, they must be handled securely and responsibly and we expect both the prison and the MoJ to continue to take steps to improve practices to ensure people are protected.”

'Lessons learned'
HMP Rochester is understood to have already implemented new processes intended to ensure confidential waste is stored securely and collected in a timely fashion.

A spokesperson for the MoJ said: “Mistakes like this are extremely rare and we acted swiftly to correct it. We’ve implemented a raft of new measures to ensure this does not happen again – including installing 15 new shredders and a strict new confidential waste process which the ICO has welcomed”.

The reprimand issued to the ministry is the 45th to have been published since John Edwards took on the role of UK information commissioner at the beginning of 2022. Six months into his tenure, Edwards announced that the watchdog would be taking a new approach to the public sector, in which – over the course of a two-year trial period – it would reduce the use of financial punishments, but would increase publication of reprimands and enforcement notices, to help promote “lessons learned” as a result of breaches.

“We will do more to publicise these cases, sharing the value of the fine that would have been levied, so there is wider learning,” Edwards wrote in an open letter published in June of last year. “But this is not a one-way street. In return, I expect to see greater engagement from the public sector, including senior leaders, with our data protection agenda. I also expect to see investment of time, money and resources in ensuring data protection practices remain fit for the future.”

In the press release announcing the MoJ reprimand, the ICO claimed that the reprimands issued over the past year have already resulted in improvements to the data-protection practices of public-sector bodies, including “a new policy being introduced at an NHS Trust which stopped the standard practice of sending out group emails” and the “procedures [being] reviewed and updated at a local council to prevent disclosure of personal details to opposing parties in child protection legal proceedings”.

 

About the author

Sam Trendall is editor of PublicTechnology. He can be reached on sam.trendall@publictechnology.net.

 
