When I pitched a data journalism project to PublicTechnology.net and Civil Service World on government departments and personal data breaches, I didn’t expect the biggest perpetrator to be the Ministry of Justice, or that its 3,184 incidents in 2017-18 would be 27 times the number of the second-placed Ministry of Defence.
The ministry has two reasonable arguments for such high numbers. Firstly, it reports every data breach while some departments do not. Secondly, it directly runs the justice system in England and Wales through HM Courts and Tribunal Service, which was responsible for 70% of its breaches. If the Department of Health and Social Care ran health and social care directly, it would have a much higher figure too.
But some of the breaches are the justice equivalents of ‘never events’ in the NHS – things that should never happen, although they still sometimes do. To take one example from 2016, the new name and address of a victim of an assault was accidentally sent to the perpetrator… in a restraining order. (It’s outlined on page 35 of the ministry’s 2016-17 annual report.)
Mistakes happen, but the Ministry of Justice needs to redouble its efforts to stop making ones like that.