Home Office loses data on 84,000 prisoners

Unencrypted data on all 84,000 prisoners in England and Wales has gone missing after a Home Office contractor lost a USB stick on which it had been stored.

Contractor PA Consulting alerted the Home Office to the loss on Monday evening - and by midday Tuesday the contractor confirmed "rigorous" searches had failed to uncover the whereabouts of the memory stick and its cachet of sensitive information.

According to a Home Office statement, the missing USB stick contains:

• Data relating to all prisoners in England and Wales - 84,000 (names dates of birth and in some cases, expected prison release data and date of Home Detention Curfew)

• Data relating to prolific and other priority offenders, approximately 10,000 individuals (names and dates of birth, but not addresses)

• Drug Interventions Programme data, with offenders' initials but not full names

The Home Office statement said: "We have been made aware of a security breach at the offices of an external contractor involving the loss of personal information about offenders in England and Wales.

"A full investigation is being conducted. Police and the Information Commissioner have been informed."

It added: "The data was held in a secure format on the contractor's site. It was downloaded onto a memory stick for processing purposes which has since been lost. The transfer of data on this assignment to the external contractor has been suspended."

Following the breach, a member of PA Consulting staff has been suspended, a Home Office spokeswoman said.

The company was appointed by the Home Office in June 2007 to provide application support for tracking prolific and priority offenders through the criminal justice system.

Asked whether the Home Office will be terminating PA Consulting's contract in light of the security breach, the spokeswoman told silicon.com: "We are investigating the external contractor's contractual obligations."

The Home Office refused to comment on whether security measures should have been in place to prevent unencrypted data being transferred onto a USB stick. The spokeswoman also refused to clarify exactly what security requirements the Home Office has for external contractors who handle sensitive data.

PA Consulting - which is also working with the Home Office on the government's ID cards scheme: back in 2004 it was selected to help with design, feasibility testing, business and procurement elements for ID cards - said in a statement: "We are collaborating closely with the Home Office on this matter. We have no further comment to make at this time."

This is not the first time sensitive data held by the government has gone missing.

Just last month it emerged that the details of 45,000 people, including criminal records and banking and court information have been lost or compromised in the past year by the Ministry of Justice. And last year, two CDs containing the confidential personal details of 25 million child benefit recipients were lost by HM Revenue & Customs.

David Smith, deputy commissioner for UK data protection watchdog the Information Commissioner's Office, said in a statement: "It is deeply worrying that after a number of major data losses and the publication of two government reports on high profile breaches of the Data Protection Act, more personal information has been reported lost.

"The data loss by a Home Office contractor demonstrates that personal information can be a toxic liability if it is not handled properly and reinforces the need for data protection to be taken seriously at all levels. It is vital that sensitive information, such as prisoner records, is held securely at all times."

Smith added: "The Home Office has informed us that an internal investigation is being carried out into the data security arrangements between the Home Office and its contractor, PA Consulting. We expect the Home Office to provide us at the Information Commissioner's Office with a copy of the report and its findings. We will then decide what further action may be appropriate. Searching questions must be answered about what safeguards were in place to protect this information."