The UK Ministry of Justice (MoJ) has defended its data protection practices following allegations it failed to support an employee affected by a data breach of an MoJ service.
The employee’s sensitive personal data was apparently exposed because of unauthorized access gained to the Justice Academy, an online learning and careers platform used by MoJ and other public sector staff.
These claims were documented in a blog post published by CEL Solicitors, a UK law firm representing the employee.
CEL Solicitors also revealed that Her Majesty’s Prison and Probation Service (HMPPS), part of the MoJ, recorded 2,152 data breaches in the 12 months up to September 2021.
One of the breaches was sufficiently serious to be reported to the Information Commissioner’s Office (ICO), according to a response from the MoJ, issued in October 2021, to a Freedom of Information Act (FOIA) request.
HMPPS runs prisons in England and Wales and has more than 58,000 full-time staff.
The MoJ’s latest Annual Report and Accounts (PDF) revealed that 16 data security incidents identified across the government department during 2020 and 2021 were reported to the ICO.
An MoJ spokesperson told The Daily Swig: “We handle millions of pieces of sensitive data safely and securely every year. While errors and data breaches are extremely rare, we take them very seriously and have introduced extra training and safeguards to ensure data is handled correctly.”
‘Reportedly ignored’
CEL Solicitors said its client was alerted by the MoJ that their full name, staff identification information, email address, national insurance number, and details of where they work and with which department or agency were compromised in the Justice Academy breach, among other data.
Believing the breach posed a particularly significant risk given the nature of their job, the employee “requested access to an occupational health specialist to help with their increased stress and anxiety”, but “this request was reportedly ignored”.
Mark Montaldo, director and data breach expert at CEL Solicitors, said the breach likely affected “many more justice and public sector staff” who used the portal, adding: “Many, due to the sensitive nature of their work will be incredibly worried about their data getting into the wrong hands. I would therefore urge anyone who is concerned to get in touch to discuss what this could mean for them and what their rights are.”
‘No further actions taken’
The MoJ spokesperson said the ICO “investigated this incident and was satisfied by the MoJ response. The ICO closed its investigation with no further actions taken”.
It added that “security features were also enhanced” in order to prevent a recurrence of the breach.
“We take all incidents very seriously and have taken significant steps to further enhance our management of data,” said the spokesperson.
These improvements include notifying anyone potentially affected by breaches via the MoJ’s “intranet and other internal communication channels”, an enhanced process for processing data breach compensation claims, and the involvement of unions to ensure affected staff are supported.
Finally, incidents are now being reported to “appropriate MoJ risk and security boards to ensure senior governance and oversight”.
CEL Solicitors said having a robust data protection regime was particularly vital in the context of environments like HMPPS, where “employees are working with and around dangerous individuals” and are already “at increased risk of being blackmailed and personally targeted by criminal groups”.
Source: https://portswigger.net/daily-swig/prison-service-for-england-and-wales-recorded-more-than-2-000-data-breaches-over-12-months