Irish Prison Service reports 15 data breaches in two years
In one reported breach the name, date of birth and criminal convictions and security measures of a prisoner was released. File Picture.
The Irish Prison Service (IPS) suffered 15 data breaches over the course of two years, including the disclosure of a person’s criminal history and another case involving the release of an internal prison photograph.
The cases — eight last year and seven in 2018 — were reported to the Data Protection Commissioner for further investigation but those inquiries are all now closed.
The IPS said 14 cases were classified as “low” risk with just one breach reported to be of “medium” risk.
In one case, a photo from the official Prisoner Information Management System found its way into the public domain.
Last December, another breach was reported where a prisoner’s name, date of birth, criminal convictions, and security measures surrounding their detention at Cloverhill Prison were sent to an incorrect email address.
In a case from November, a warrant was sent to a solicitor for a prisoner, also in , who was not their client.
In October, the name of a person and witness names in connection with an incident were sent to an incorrect email address.
Another incident in July involved the disclosure of personal data and email addresses of 24 staff from the IPS by email to the wrong person.
Two months earlier, the same type of incident was reported; this time involving the personal data and criminal history of a person in custody, again at Cloverhill.
A breach was also discovered in human resources in May 2019 when personal data and work-related information from an individual was sent to the wrong person.
In March, private information relating to the health of a prison officer on leave due to stress was disclosed to an incorrect email address.
The previous year in 2018, the name and audiogram results of a person were inadvertently disclosed by human resources in what was described as a “low” risk incident.
That October, a “medium” risk breach was reported when information was released in an FOI request that should not have been disclosed.
An account of the incident said: “No names were breached; however data given to FOI recipient that made people identifiable.”
Another breach involved disclosure of a person and their payroll number sent to a “large email group” by Human Resources.
A spokesman said: “The IPS treat all breaches of data with the utmost seriousness. Any detection of a possible breach is reported to [our] Data Protection Officer [DPO] for assessment.
“The DPO may determine that it is necessary under data privacy legislation to inform both the Data Protection Commissioner and the data subject of this potential personal data security breach, informing them of the categories of personal data compromise, the action [we] are undertaking to determine if and how the communication was compromised and detailing the controls put in place to mitigate against such risks.”
CONNECT WITH US TODAY
Be the first to know the latest news and updates
