The Ministry Of Justice Announces 17 Personal Data Incidents Reported To The ICO

Ruby Ashby

The Ministry of Justice (MoJ) has published its annual report for 2021 – 2022. The report confirms that they reported 17 personal data incidents to the Information Commissioner’s Office (ICO) from 1 April 2021 to 24 March 2022.

There were also 5,782 incidents that the MoJ felt did not meet the threshold to report to the ICO. Most of the incidents reported were data breaches. For the purpose of this blog, we have focused on one of the breaches reported to the ICO.

What is a data breach?

A personal data breach as defined by the ICO means:

“breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are as a result of both accidental and deliberate causes…there will be a personal data breach whenever any personal data is accidentally lost, destroyed, corrupted, or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is unavailable and this unavailability has a significant negative effect on individuals.” [emphasis added]

Incident on 26 October 2021

One of the incidents detailed within the MoJ’s report happened on 26 October 2021. A spreadsheet was produced detailing the Covid-19 status of all staff and offenders. The spreadsheet was accidentally disclosed to all members of staff by email, affecting an estimated 1,800 people.

In accordance with Recital 85 of the UK GDPR, a controller must notify the ICO of a data breach as soon as they become aware of the breach and in any event no later than 72 hours after becoming aware (if it is a breach that needs to be reported). This breach occurred on 26 October 2021. It is unclear when the MoJ became aware of the breach; presumably it was on the day the breach occurred, as they reported it to the ICO on 28 October 2021.

The UK GDPR also makes it clear that if a breach is likely to result in a high risk to the rights and freedoms of individuals, those impacted must be notified directly and without undue delay. The MoJ would therefore have needed to consider whether to notify the 1,800 individuals affected, having regard to the severity of the potential or actual impact on the individuals and the likelihood of the impact actually occurring.

Interestingly, the data within the spreadsheet included health data. In accordance with Article 9 of the UK GDPR, data concerning health is considered to be special category data. Special category data needs more protection because it is sensitive. On this basis alone, the breach could be regarded as “high risk” as it involved the inadvertent disclosure of special category data. It is unclear from the MoJ whether they decided to notify the individuals concerned.

The MoJ’s report confirms that the ICO carried out an investigation into this breach and decided to take no further action. It is unclear from the MoJ’s report why the ICO decided to take no further action.

MoJ has confirmed the:

“department continues to monitor and assess its personal data risks to identify and address any weaknesses and ensure continuous improvements.” For the year ahead, they will “continue to carry out mitigating activity to reduce the principal identified departmental personal data risks, including data subject rights, third-party assurance, information security and policies, and processes”.

Comments

In accordance with ICO25, the ICO is planning to issue an increased number of official reprimands and practice recommendations to public sector organisations (and publish these on their website). John Edwards, the Commissioner, commented as follows in this respect:

“Government officials are expected to work with sensitive documents in order to run the country. There is an expectation, both in law and from the people the government serves, that this information will be treated respectfully and securely. In this instance that did not happen, and I expect the department to take steps to avoid similar mistakes in the future.”

It will be interesting to see what the MoJ does in the future to address any weaknesses and ensure continuous improvement as specified within their annual report. If they do not make these changes and report yet more breaches, it will be interesting to see how the ICO will deal with these in light of ICO25.

How can we help

Ruby Ashby is an Associate in our expert Dispute Resolution team.

If you need any advice concerning the subjects discussed in this article, please do not hesitate to contact Ruby or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
