Department of Justice Northern Ireland Data Breach (2004)

Filing cabinet included staff and prisoner details News release: 19 June 2014 The prison service in Northern Ireland has been warned by the UK data protection regulator after a filing cabinet containing Maze Prison records was unwittingly sold at auction. The incident occurred in 2004 when a cabinet that officials thought was empty was sold at a public auction. It in fact contained files about the closure of the prison, including the details of staff and a high profile prisoner. The Northern Ireland Office, which was responsible for prisons at that time, retrieved the information but failed to report the matter to the Information Commissioners Office (ICO). The ICO became aware of the breach when a similar incident occurred in 2012. By this time the Department of Justice Northern Ireland had taken responsibility for prisons across Northern Ireland. The second incident which also involved the loss of sensitive information left in an old cabinet sold at auction resulted in the Department of Justice receiving a penalty of 185,000. The ICO was unable to issue a penalty for the 2004 breach as the incident occurred before the ICO had the power to issue monetary penalties. ICO Assistant Commissioner for Northern Ireland, Ken Macdonald, said: This is a story of basic errors and poor procedures, which if the incident happened today would see us issuing a substantial fine. The loss of this information represents not only an embarrassing episode for the prison service in Northern Ireland, but a serious breach of the Data Protection Act that could have had damaging repercussions for the individuals affected. The incident went unreported for eight years and the same mistakes were allowed to occur. It is only now that we have seen a commitment from the Department of Justice Northern Ireland to tackle these problems and keep peoples information secure. Under todays agreement the Department of Justice Northern Ireland must keep a record to ensure condemned equipment containing personal data has been emptied or erased before removal. They will also introduce annual refresher and induction training for all staff whose role involves the routine processing of personal data by September 2014. Notes to Editors 1. The Information Commissioners Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. 2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003. 3. The ICO is on Twitter, Facebook and LinkedIn, and produces a monthly e-newsletter. 4. Anyone who processes personal information must comply with eight principles of the Data Protection Act, which make sure that personal information is: Fairly and lawfully processed Processed for limited purposes Adequate, relevant and not excessive Accurate and up to date Not kept for longer than is necessary Processed in line with your rights Secure Not transferred to other countries without adequate protection 5. If you need more information, please contact the ICO press office on 0303 123 9070.