From the Information Commissioner’s Office (ICO), with emphasis added by me:
The prison service in Northern Ireland has been warned by the UK data protection regulator after a filing cabinet containing Maze Prison records was unwittingly sold at auction.
The incident occurred in 2004 when a cabinet that officials thought was empty was sold at a public auction. It in fact contained files about the closure of the prison, including the details of staff and a high profile prisoner. The Northern Ireland Office, which was responsible for prisons at that time, retrieved the information but failed to report the matter to the Information Commissioner’s Office (ICO).
The ICO became aware of the breach when a similar incident occurred in 2012. By this time the Department of Justice Northern Ireland had taken responsibility for prisons across Northern Ireland.
The second incident – which also involved the loss of sensitive information left in an old cabinet sold at auction – resulted in the Department of Justice receiving a penalty of £185,000. The ICO was unable to issue a penalty for the 2004 breach as the incident occurred before the ICO had the power to issue monetary penalties.
ICO Assistant Commissioner for Northern Ireland, Ken Macdonald, said:
“This is a story of basic errors and poor procedures, which if the incident happened today would see us issuing a substantial fine.
“The loss of this information represents not only an embarrassing episode for the prison service in Northern Ireland, but a serious breach of the Data Protection Act that could have had damaging repercussions for the individuals affected.
“The incident went unreported for eight years and the same mistakes were allowed to occur. It is only now that we have seen a commitment from the Department of Justice Northern Ireland to tackle these problems and keep people’s information secure.”
Under today’s agreement the Department of Justice Northern Ireland must keep a record to ensure condemned equipment containing personal data has been emptied or erased before removal. They will also introduce annual refresher and induction training for all staff whose role involves the routine processing of personal data by September 2014.