The Home Office has terminated one of its contracts with PA Consulting, following the loss of 84,000 prisoners' data.
The termination of the contract to administer the prisoner-tracking JTrack system, worth £1.5m, was announced by the Home Office on Wednesday.
"The Home Office has terminated the contract with PA Consulting that covered the handling of this data," Jacqui Smith, the home secretary, said in a speech to parliament on Wednesday.
PA Consulting notified the Home Office on 19 August that it had lost data on the entire prison population of England and Wales. Smith said in her speech that an inquiry into the incident had found that the data had not been handled securely by PA Consulting.
The data had been downloaded onto a memory stick at the company offices. The stick was intended to be used to transfer the information between two PCs. The memory stick was "not encrypted or managed effectively", said Smith, and was subsequently lost.
"This was a clear breach of the robust terms of the contract covering security and data handling," Smith added.
A PA Consulting staff member was suspended in August following the loss of the USB stick. The administration of JTrack is currently being handed over to the Home Office by PA Consulting.
Data transfers to PA Consulting for JTrack were suspended following the incident. System maintenance and user training will be transferred to the Home Office by December, said Smith.
Further contracts that PA Consulting has with the Home Office, worth £8.5m, are currently being reviewed, "specifically from a data-handling and security perspective", said Smith. The company has been involved in the government's ID cards scheme, having been awarded an £18.75m, two-year contract in 2004.
The Ministry of Defence has also admitted that one of its employees has lost an unencrypted data stick, containing staff and training details, on the floor of a Cornish nightclub. News-agglomeration site ThisIsCornwall.co.uk reported on Tuesday that the stick was lost in The Beach nightclub in Newquay in May.
Paul Davie, founder of security company Secerno, said: "The question needs to be asked: why is such sensitive data ever kept on USB memory sticks, which are so easy to lose? It's ridiculous."
Talkback
Such cavalier attitude to data storage handling and protection should by now be a thing of the past. One would have expected that competent management would have introduced very effective systems and controls to prevent copying of data onto portable storage with severely limited exception. Such exceptions should always be the personal and legal responsibility of a senior person until wiped. Where back up is required it should be made to a distant non-portable storage device in a secure location where it can not be physically accessed.
Loss of data must be made a criminal offence. Not only must heads roll in this instance, the Company concerned must be banned from all public contracts for 10 years.