A staff member at PA Consulting Group has been suspended after the contractor lost details on all prisoners in England and Wales, along with those of tens of thousands of offenders.
The data was being held, unencrypted, on a memory stick for processing purposes, the Home Office said in a Friday statement, saying that precisely how that stick was lost is now the subject of an internal investigation. A Home Office spokesperson told ZDNet.co.uk that PA Consulting had been "appointed by the Home Office in June 2007 to provide application support for tracking prolific and other priority offenders through the criminal justice system".
Following the discovery of the loss, the Home Office has suspended the transfer of data from the same assignment to PA Consulting. The government department is investigating PA Consulting's contractual obligations, the spokesperson said. In addition, a "member of [PA Consulting's] staff has been suspended", the Home Office spokesperson confirmed.
A spokesperson for PA Consulting would say only that the London-based firm was "collaborating closely with the Home Office on this matter". The contractor also undertakes other work for the Home Office, including providing biometric systems. The firm also has a logistics research contract with the Ministry of Defence, and provides web design for the Foreign and Commonwealth Office.
According to the Home Office statement, the lost memory stick carried "data from the Police National Computer, containing personal information about 33,000 individuals with six or more recordable convictions in the last 12 months (names, addresses and dates of birth); data relating to [approximately 10,000] prolific and other priority offenders (names and dates of birth, but not addresses); data relating to all [84,000] prisoners in England and Wales (names, dates of birth and, in some cases, expected prison release date and date of Home Detention Curfew); and Drug Interventions Programme data, with offenders' initials but not full names".
The police and the Information Commissioner's Office (ICO) have been informed of the breach. Deputy information commissioner David Smith said in a statement that it is "deeply worrying that, after a number of major data losses and the publication of two government reports on high-profile breaches of the Data Protection Act, more personal information has been reported lost".
"The data loss by a Home Office contractor demonstrates that personal information can be a toxic liability if it is not handled properly, and reinforces the need for data protection to be taken seriously at all levels," Smith said. "It is vital that sensitive information, such as prisoner records, is held securely at all times."
The ICO said it is awaiting a report following the Home Office's internal investigation, and will then decide on further action.
Security companies were quick to offer their thoughts on the data loss. Andrew Clarke, a senior vice president at Lumension Security, called on the government to institute "device-control policies… that enforce assigned permissions to individuals and devices".
"It is about putting the eyes of the management team on people's PCs. After all, if people know they are being watched, they are more likely to think again," Clarke added.
F5 Networks' security technology sales manager, Bill Beverley, said in a statement that public bodies should have similar security controls to those imposed on the financial sector. "Guidance measures, such as the [Payment Cards Industry] directive… are successful because they... provide effective and comprehensive methodology to protect data and... they are enforced," he said, adding that such controls would bring about a dramatic reduction in the incidence of data loss in the public sector.
The UK public sector has suffered numerous data breaches over the last year, the most notable being the loss of 25 million child-benefit claimant details by HM Revenue & Customs in November 2007. This month, the Foreign and Commonwealth Office reported five data breaches since 2007, and the Ministry of Justice reported nine incidents, affecting 45,000 people.
Talkback
It could be worse ... <a href="http://notnews.today.com/?p=36">maybe</a>.
When I was taught management principles, I was taught to make thorough enquiries not to pass blame but to look for endemic failures that can be rectified.
Since the advent of NuLab it is all a case of:
Find someone else, preferably cannon fodder, to hang out to dry, (suspend), sweep it under the carpet (terminology is something like "draw a line under it" I seem to recall) and let's move on.
So we have constant reminders and indicators that any attempt at a massive ID system is going to hit a pretty big fan, but they are all ignored provided some minion can be strung up for it.
We need accountability so that the MPs/ministers responsible are still considered responsible when it fails and they have to carry the can via financial penalty.
PS: How long until NuLab is officially rebranded "TeamGB"?
I trust the ICO will require the police to investigate with a definite intent to prosecute the responsible employee. I further hope that the responsible persons immediate superior is disciplined and demoted for failing to prevent the loss being possible.
This post has been removed by a moderator.