The Ministry of Justice has lost over 2,000 people’s records in the last year.
The department, responsible for prisons, probation and criminal sentencing, said in its newly published annual financial report that the largest loss was of the unencrypted details of 1,500 staff in March.
“A member of staff lost a non-issue unencrypted memory stick containing budget spreadsheets for two areas,” it said. Details on the memory stick included names and national insurance numbers, and the MoJ sent an email to all staff to inform them of the incident.
In another large data breach last September, supplier EDS lost an external hard drive containing the details of prison staff. It was being used to transfer data between systems. At the time, it was reported that 5,000 individuals could have been affected, but the MoJ insists only 256 staff members have the potential to have been affected.
A further 250 records were lost on seven other occasions, it said, including mistakenly mailed data, and the loss of a cabinet by a contractor during an office move.
But in spite of the extensive losses, the previous year had been far worse. In September 2008, the MoJ financial report detailed the loss of 45,000 records.
“The Ministry of Justice is applying the government’s Security Policy Framework to control risks across the organisation,” the MoJ said in the report.
“This comprises the requirement for all areas to robustly apply procedures for reporting security incidents where there is the possibility of inadvertent release of personal data, however minor.”
It added that it “will continue to monitor and assess its information risks in order to identify and address any weaknesses” of systems. A “dedicated Information Assurance Programme” is scheduled for next year, to improve awareness and practice of data security and compliance.