Ministry of Justice loses 45,000 records

The details of 45,000 people, including criminal records and banking and court information have been lost or compromised in the past year by the Ministry of Justice (MoJ).

The MoJ has lost laptops, portable storage devices and papers containing information on recruits, offenders, court appellants and suppliers, the department's annual resource accounts have revealed.

The MoJ didn't notify more than 30,000 of the 45,016 affected by the data breaches, first when MoJ supplier records were compromised in June 2007 and then when the names, addresses, birth dates and alleged offences relating to 3,648 people were lost in November 2007.

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below or emailing us at editorial@silicon.com.

The largest loss in January 2008 saw an "inadequately protected" laptop containing the names, dates of birth, addresses, offences, and - in a fifth of cases - national insurance numbers, of 14,000 fine defaulters go missing from a "secured" government office.

The biggest breach saw about 27,000 people affected in June 2007, when a disgruntled contractor working for the MoJ gave a journalist names, addresses and bank details from a list of MoJ suppliers kept on "inadequately protected" electronic storage devices.

Two further "inadequately protected" laptops and some "inadequately protected" electronic storage devices were mislaid in 2007, leading to the loss of the names, dates of birth and national insurance numbers of 145 court appellants; names and offences committed by 138 criminals and names and assessments of 13 applicants for a judicial post.

The MoJ refused to explain exactly what "inadequately protected" meant or whether the laptops were unencrypted.

Further losses of documents between October and November 2007 saw mislaid names, offences, risk information, future job training or employment information of 48 offenders and names, dates of birth, addresses and some credit histories of 24 "customers".

The MoJ insists that it carried out a risk assessment in each of the cases to see who should be notified and said the data held by the disgruntled contractor was recovered and destroyed.

A spokeswoman for the MoJ said: "Whilst any loss of data is regrettable all MoJ incidents have been reported [to the Information Commissioner] and the necessary action taken."

This year the ministry is planning to implement a dedicated information assurance programme to oversee and ensure that electronic information and documents are "managed, stored and disposed of in a manner that inspires high levels of parliamentary and public trust and confidence".

The MoJ spokeswoman added: "No major breaches have occurred. A dedicated information assurance programme has been established for the coming year to address information risks."