The ministry has published a plan of how it intends to meet 51 data-policy recommendations made as part of review into the loss of MoD laptops

The Ministry of Defence has published an 'action plan' to implement all the recommendations of an official review of its data security.

The comprehensive plan sets out how the Ministry of Defence (MoD) intends to meet the 51 recommendations made in a report by Sir Edmund Burton, chair of the Information Assurance Advisory Council.

The report was commissioned after the ministry lost laptops containing the personal details of individuals who had expressed interest in joining the armed services.

Key changes at the MoD include ensuring:

• An enforced policy exists on the sharing of personal data outside the MoD
• Only qualified users are authorised to handle personal data
• All instances of the loss of laptops and other IT equipment are reported and acted upon
• The ministry and its IT contractors understand record management and the consequences of failure
• Implementation of a data-retention policy that complies strictly with the Data Protection Act
• Transparent responsibilities for personal data management
• New system security procedures, followed through by audits
• The ministry retains only the minimum amount of information necessary to carry out its work
• Potential risks to information are regularly reviewed by executive boards and audit committees, and as part of capability reviews and Office of Government Commerce 'gateway reviews'

Bill Jeffrey, permanent undersecretary at the ministry, said: "We deeply regret the losses of personal data. We have identified weaknesses within parts of the MoD that led to this situation and I am confident that we are taking the necessary steps to address them."

Burton was asked to carry out a full investigation after the theft of a Royal Navy recruiter's laptop in Birmingham on 9 January this year. The laptop contained unencrypted personal records for more than 600,000 people. He was also asked to examine the ministry's broader approach to data protection.

Burton's investigations revealed that this was one of four laptops to have been stolen since 2004. All had been taken from parked cars. The report states that only the recent theft appears to have led to disciplinary proceedings.

Although the MoD's security instructions for the safekeeping of laptops were clear in prohibiting them from being left in unattended vehicles, they did not dictate that the data must be encrypted.

"The effective management of information risks must engage every user — military and civilian — across the department, and within our community of commercial suppliers," the report states.

The report also identifies a shortage of IT expertise across government and its private-sector contractors, posing a significant risk to the MoD.

Burton's report was passed to the ministry on 30 April and made public on Wednesday.

Copyright © 1995-2009 CBS Interactive Limited. All rights reserved
ZDNET is a registered service mark of CBS Interactive Limited. ZDNET Logo is a service mark of CBS Interactive Limited.