
Reports in full: HMRC and MoD data breaches

News analysis: The damning findings and recommendations

Tags: full disclosure, data loss, mod

By Nick Heath

Published: 26 June 2008 17:28 GMT

Burton Review

Chairman of the Information Assurance Advisory Council Sir Edmund Burton looked into the theft on 9 January 2008 of a Ministry of Defence (MoD) laptop containing the personal details of 600,000 armed forces recruits and potential recruits and considered the broader MoD approach to data security.

The report's findings were:

  • The report is highly critical of the department's general treatment of information, lack of awareness of the threats to data and of the requirements of data protection legislation.
  • Both the Royal Navy and Royal Air Force versions of the Training Administration and Financial Management Information System (TAFMIS) recruitment system were unencrypted at the time of the loss.
  • An earlier attempt to encrypt the system through an upgrade was successful for most of the system apart from 55 TAFMIS laptops containing the Royal Navy/Royal Air Force recruit database.
  • The review was unable to pinpoint why these 55 laptops were not encrypted and why those using the system falsely believed they were.
  • For periods in 2006 and 2007 the 55 unencrypted laptops were being used in breach of MoD laptop encryption security policy.
  • In certain respects the TAFMIS system is still in breach of data protection regulations.
  • The laptop stolen on 9 January is one of 51 TAFMIS laptops containing 600,000 people's details. The report found there was "no robust reason for so much personal data to be carried around on laptops by recruiting officers".
  • Since 2003 a total of 10 MoD laptops have been stolen or lost, including the one taken on 9 January; at least five of them were unencrypted.
  • These included a Royal Navy laptop stolen in Bristol in August 2004 and an RAF laptop stolen in Leeds in July 2006, both containing a subset of the 600,000 people's details on the 9 January laptop. A Royal Navy laptop was also stolen in Manchester in October 2006 and an Army laptop was stolen from a recruiting office in Edinburgh in 2005.
  • Such data loss incidents cause significant operational and reputation damage.
  • A substantial proportion of the 600,000 records included limited information about next of kin and contact details for referees, and 1,000 of the records dated back to 1977.
  • Aspects of the TAFMIS project were poorly managed both by the Army Recruiting and Training Division internal project manager and contractor EDS and the chief of general staff has ordered an inquiry into this.
  • There is a shortage of IT expertise across government and its private-sector contractors, posing a significant risk to the MoD.
  • MoD data security policies and procedures are generally fit for purpose; the measures introduced after the loss, for example, were effective in preventing similar damaging losses.
  • Burton made 51 recommendations and the MoD has prepared an action plan to implement them.

Recommendations:

  • Increase individual and collective awareness of legal liabilities.
  • Introduce risk and mitigation procedures.
  • Keep data on any particular systems to a minimum.
  • Adopt a disciplined approach to carrying data on mobile devices.
  • Put the strongest feasible encryption on data.
  • Ensure effective audit and compliance procedures.
  • Focus on training to raise awareness and compliance.

Changes:

  • The MoD took immediate steps to bring the TAFMIS system into compliance with the Data Protection Act.
  • Introduced and enforced a policy on the sharing of personal data outside the MoD.
  • Controlled access to personal data, and reported and dealt with all IT equipment losses.
  • Set out the importance of record management for staff and contractors.
  • Implemented a data retention policy that complies with the Data Protection Act.
  • Introduced new personal data management and system security procedures.
  • Retained only the minimum amount of information necessary and reviewed potential risks to information regularly.
