Data loss consultants sacked by Home Office

The Home Office has dumped the firm that lost details of 84,000 prisoners last month and says it will push to recover its costs.

PA Consulting Group (PA) has become the first company to have a government contract terminated for losing public information after the August breach.

Now the Home Office says it will seek to recover costs associated with the termination of the three-year contract, worth £500,000 per year.

The firm was contracted to run the JTrack system, a database used by the Home Office and the police to keep track of offenders.

silicon.com's Full Disclosure campaign - what we are asking for...

silicon.com wants the government to review its data protection legislation and improve the reporting of information security breaches in the public and private sectors.

We are calling for greater public debate and for the government to consider legislation that would require organisations that suffer information security breaches to alert their customers if there is a chance the breach has put individuals' sensitive personal data at risk.

We want to hear your views about this campaign and the issues it raises. Make your voice heard by leaving a Reader Comment below or emailing us at editorial@silicon.com.

The information lost included names, convictions, prisoner ID codes and details of drug treatment programmes of 84,000 prisoners in England and Wales.

Home Secretary Jacqui Smith said in a statement to parliament that the loss of the memory stick containing the data, which went missing after being left in an unsecured place in PA's offices, was "a clear breach of the robust terms of the contract covering security and data handling".

She said: "Based on the findings of the inquiry, the Home Office have decided to terminate this contract.

"My officials are currently working with PA to take this work back in house without affecting the operation of JTrack or the PPO [prolific and other priority offenders] programme.

"Data transfers to PA for JTrack were suspended immediately following the incident, data handling has now been transferred to the Home Office, and the system is fully operational."

The management consultancy firm has been paid almost £100m over three years for its services by the Home Office and its agencies, with individual consultants from the company being charged to the department at an average of more than £1,000 per day.

Since 2004 the company had been contracted as a development partner for the government's national identity cards scheme - to help with design, feasibility testing, business and procurement elements of the project.

Smith continued: "We are reviewing our other contracts with PA, specifically from a data handling and security perspective."

Reporting the incident to the Information Commissioner the Home Office judged the risk from the data loss to be "low" but the government has commissioned a separate report into the incident and is reviewing the way it regulates data security among its contractors.

A spokeswoman for the Home Office said: "As the contract was terminated the Home Office is applying the right to recover the costs associated with the termination.

"This is estimated to be within the costs payable to PA to run JTrack, so it should be at least cost-neutral if not beneficial to the Home Office."

In a statement, a PA spokesman attributed the loss to "human failure".

He said: "A single employee was in breach of PA's well established information security processes."

He added the Home Office had confirmed that PA's information and security management were robust, with the "exception of this single incident".