By Natasha Lomas, 22 August 2008 14:57
NEWS
Unencrypted data on all 84,000 prisoners in England and Wales has gone missing after a Home Office contractor lost a USB stick on which it had been stored.
Contractor PA Consulting alerted the Home Office to the loss on Monday evening - and by midday Tuesday the contractor confirmed "rigorous" searches had failed to uncover the whereabouts of the memory stick and its cachet of sensitive information.
According to a Home Office statement, the missing USB stick contains:
- Data relating to all prisoners in England and Wales - 84,000 (names dates of birth and in some cases, expected prison release data and date of Home Detention Curfew)
- Data relating to prolific and other priority offenders, approximately 10,000 individuals (names and dates of birth, but not addresses)
- Drug Interventions Programme data, with offenders' initials but not full names
The Home Office statement said: "We have been made aware of a security breach at the offices of an external contractor involving the loss of personal information about offenders in England and Wales.
"A full investigation is being conducted. Police and the Information Commissioner have been informed."
It added: "The data was held in a secure format on the contractor's site. It was downloaded onto a memory stick for processing purposes which has since been lost. The transfer of data on this assignment to the external contractor has been suspended."
Following the breach, a member of PA Consulting staff has been suspended, a Home Office spokeswoman said.
The company was appointed by the Home Office in June 2007 to provide application support for tracking prolific and priority offenders through the criminal justice system.
Asked whether the Home Office will be terminating PA Consulting's contract in light of the security breach, the spokeswoman told silicon.com: "We are investigating the external contractor's contractual obligations."
The Home Office refused to comment on whether security measures should have been in place to prevent unencrypted data being transferred onto a USB stick. The spokeswoman also refused to clarify exactly what security requirements the Home Office has for external contractors who handle sensitive data.
PA Consulting - which is also working with the Home Office on the government's ID cards scheme: back in 2004 it was selected to help with design, feasibility testing, business and procurement elements for ID cards - said in a statement: "We are collaborating closely with the Home Office on this matter. We have no further comment to make at this time."
This is not the first time sensitive data held by the government has gone missing.
Just last month it emerged that the details of 45,000 people, including criminal records and banking and court information have been lost or compromised in the past year by the Ministry of Justice. And last year, two CDs containing the confidential personal details of 25 million child benefit recipients were lost by HM Revenue & Customs.
David Smith, deputy commissioner for UK data protection watchdog the Information Commissioner's Office, said in a statement: "It is deeply worrying that after a number of major data losses and the publication of two government reports on high profile breaches of the Data Protection Act, more personal information has been reported lost.
"The data loss by a Home Office contractor demonstrates that personal information can be a toxic liability if it is not handled properly and reinforces the need for data protection to be taken seriously at all levels. It is vital that sensitive information, such as prisoner records, is held securely at all times."
Smith added: "The Home Office has informed us that an internal investigation is being carried out into the data security arrangements between the Home Office and its contractor, PA Consulting. We expect the Home Office to provide us at the Information Commissioner's Office with a copy of the report and its findings. We will then decide what further action may be appropriate. Searching questions must be answered about what safeguards were in place to protect this information."
Comments
There are 2 comments. Join the discussion
1. anonymous
If they do terminate PA's contract, I hope they will take things to the logical next step and terminate the contract of HM government for their numerous similar screwups.
2. Karen Challinor
so despite a "Cast Iron" guarantee from ministers that no further data would be lost, the details of 84000 prisoners are now up for grabs
these people didn't see fit to encrypt the data, put it on some secure portable device - providing it was necessary to put it on a portable device at all and finally it's on a device so small it could be swallowed by the family pet
the data is probably down the back of a sofa, but until it is found this cannot be verified nor can it be verified that copies have not been made and are currently for sale on the black market
and these are the same supermen who are helping to decide the future of every man woman and child in the country, who say you can trust us with the cradle to grave information of your life for we are incorruptible and we never make mistakes
"PA Consulting - which is also working with the Home Office on the government's ID cards scheme"
do I really need to make further comment about the ID card scheme being being a bad idea ?