Stormont fined £185,000 after sensitive prison files sold at auction

Security watchtowers inside the Maze prison.
Security watchtowers inside the Maze prison.

Confidential prison files mistakenly sold at auction in 2012 resulted in a £185,000 fine for the Department of Justice, it has been revealed.

The papers – contained in a filing cabinet belonging to the Compensation Agency and thought to be empty – included “sensitive information”, according to the Information Commissioner’s Office (ICO).

A similar incident involving the sale of a filing cabinet from the former Maze Prison was discovered when the data protection regulator was investigating the latest breach in 2012.

The Maze documents included information on the closure of the prison, as well as the details of staff members and one high-profile prisoner, and were sold off in 2004.

NIO officials were able to retrieve the released documents but failed to report the matter to the Information Commissioner.

The Northern Ireland Office (NIO) was responsible for prisons at the time of the first incident, however responsibility for the prison estate has since transfered to the Department of Justice.

No penalty has been imposed on the NIO for the 2004 breach as it occurred before the commissioner had the power to impose financial penalties.

ICO Assistant Commissioner for Northern Ireland Ken Macdonald said: “This is a story of basic errors and poor procedures, which if the incident happened today would see us issuing a substantial fine.

“The loss of this information represents not only an embarrassing episode for the prison service in Northern Ireland, but a serious breach of the Data Protection Act that could have had damaging repercussions for the individuals affected.”

Mr Macdonald added: “The incident went unreported for eight years and the same mistakes were allowed to occur.

“It is only now that we have seen a commitment from the Department of Justice Northern Ireland to tackle these problems and keep people’s information secure.”

Under the current arrangement agreed with the ICO, the Department of Justice must keep a record to ensure condemned equipment containing personal data has been emptied or erased before removal.

According to the ICO report on the 2102 incident, the breach occurred when furniture belonging to the Compensation Agency NI was moved from Royston House and any surplus items set aside for sale by auction.

The cabinet was subsequently purchased in May 2012 and when the buyer discovered the material they contacted the police.

The information included “sensitive personal data relating to victims of a terrorist incident”.

In October last year, the National Offender Management Service in England was fined £140,000 after three separate emails were unwittingly sent to members of the public containing the details of HMP Cardiff’s 1,182 inmates.