The Times and the BBC report this morning that contractor PA Consulting have lost an unencrypted memory stick containing:
- personal details and intelligence on 33,000 serious offenders
- dossiers on 10,000 “priority criminals”
- the names and dates of birth of all 84,000 prisoners in England and Wales
- information on an unspecified number of people enlisted on drug intervention programmes
The data had been entrusted to them by the Home Office.
The rash of recent data protection reports in the UK, arising from the high-profile data losses by HMRC and the Ministry of Defence, all cited the use of removable storage devices (memory sticks, CDs, laptops etc.) to store personal data as a major information security risk.
In the months after the data losses most central government Departments clamped down on the downloading of personal data from databases. Many Departments eliminated the risk of human error by putting controls into their systems that denied staff the ability to download data to removable devices.
The Cabinet Office's Data Handling Review published this June came up with a minimum set of measures that Central Government departments must abide by when handling large aggregations of personal data. The Review stated that transferring personal data out of its host database increased the risk of information loss. Wherever possible data should remain in situ. Controlled remote access to data is preferable to physical transfers of data on removable media such as disks and memory sticks.
The measures state that if personal data needs to be moved, and can only be moved by removable media, then the data must be encrypted and minimised.
If contractors are handling personal data on a government Department's behalf then the Department must write in contractual clauses to ensure that the contractor protects the data to the government's minimum standards.
According to the Times, the Home Office did encrypt the data when they sent it to PA Consulting. PA Consulting then had to decrypt the data in order to use it. The loss appears to have happened after a member of PA Consulting's staff was able to download the data onto a memory stick without first encrypting it. PA Consulting, at the time of writing, are yet to comment on why this unencrypted download to a memory stick was allowed to happen.
The Home Secretary told the BBC that the Home Office had written clauses into PA Consulting's contract that required PA to follow the Government's standards for the handling of data.
If this is true, then the loss appears to be more PA Consulting's fault than the Home Office's. However, I am wary of coming to conclusions at this stage, as experience of previous data losses shows that a fuller picture only emerges days and even weeks after the incident is first reported.
This incident is likely to call into question whether contractual clauses are a strong enough protection for personal data being processed on the government's behalf by contractors. PA Consulting are an established, reputable firm who perform a lot of work in the military and security sector: if they are making these errors, then one presumes that other contractors will have similar weaknesses.
James Lappin