Monday, 1 June 2009

Data loss firm contract axed

The information contained on a memory stick was not encrypted

A company which lost the details of thousands of criminals held on a computer memory stick has had its £1.5m contract terminated after an inquiry.

Home Secretary Jacqui Smith said PA Consulting had lost the data after it was transferred securely to the firm.

PA Consulting apologised for the loss of data and accepted its "responsibilities".

The work has now been taken in-house and PA Consulting's other Home Office contracts, worth £8m, are under review.

The Cabinet Office will also launch a review of all contracts signed by the government with private companies to ensure they were "appropriate", said Ms Smith.

"Our contract had stipulated the sort of security provisions that needed to be in place and that had not happened," added the home secretary.

"We are cancelling this contract and we are urgently reviewing the way in which PA Consulting are meeting the requirements of other contracts we have with them.

"Our investigation has demonstrated that while the information was transmitted in an appropriately secure way to PA Consulting and fed to a secure site, it was subsequently downloaded on to an insecure data stick and that data stick was then lost."

Unlocked drawer

She said the memory stick had not been encrypted or "managed properly" and had not been found despite extensive searches.

RECENT LOSSES
Nov 2007: 25m people's child benefit details, held on two discs
Dec 2007: 7,685 Northern Ireland drivers' details
Dec 2007: 3m learner drivers' details lost in US
Jan 2008: 600,000 people's details lost on Navy officer's stolen laptop
June 2008: Six laptops holding 20,000 patients' details stolen from hospital
July 2008: MoD reveals 658 laptops stolen in four years

A risk assessment was being carried out about the data that was missing, alongside the internal inquiry into what had happened, she said.

And no more information was being passed to the firm while the investigation continued and the government was "reviewing the terms of that contract and other contracts" with PA Consulting.

The memory stick contained un-encrypted details about 10,000 prolific offenders as well as names, dates of birth and some release dates of all 84,000 prisoners in England and Wales - and 33,000 records from the police national computer.

Cancelling the contract will not cost the taxpayer and any expenses incurred will have to be met by PA Consulting, Ms Smith said.

The memory stick contained the details of 84,000 prisoners held in England and Wales.

The device also contained the names, addresses and dates of birth of 30,000 people with six or more convictions in the last year, as well as the names and dates of birth of 10,000 criminals regarded as prolific offenders, from the police national computer.


It also carried the initials of people on drug treatment programmes.

It was left in an unlocked drawer in an unsecured office at its offices in Victoria, central London.

The loss led to fears prisoners would attempt to claim compensation but Ms Smith reassured MPs that "appropriate measures are in place for individuals seeking information about the data held on them".

Critics say the mistake raises further doubts about the government's controversial ID card project, in which PA Consulting is involved.

Ms Smith said: "The inquiry that we have carried out ... suggests that the most likely thing to have happened was that the data stick was pilfered or lost.

"I think (PA Consulting) recognise that what they have done is against the terms of their contract."

'Apologise unreservedly'

In its first public statement on the data loss incident, a spokesman for PA Consulting said: "The loss of data on this project was caused by human failure, a single employee was in breach of PA's well-established information security processes.

"We deeply regret this human failure and apologise unreservedly to the Home Office."

He said the firm had carried out an examination of all of its government and private sector projects which handle sensitive data.

"Our review has confirmed that, apart from in this isolated incident, we are fully compliant with robust policies and procedures and are achieving high levels of information assurance across all of our work," the spokesman added.

Liberal Democrat home affairs spokesman Tom Brake accused ministers of trying to escape criticism for data losses by "making scapegoats out of private companies".

"Barely a week goes by without the government being embroiled in another data cock-up, and yet ministers remain intent on pressing ahead with their Orwellian plans for a national identity register.

"The Government has proved it cannot be trusted with even basic information, let alone with something as intrusive and excessive as the ID cards scheme."

At the weekend, it emerged that another private contractor, EDS, mislaid a computer disc carrying personal details of thousands of employees of the National Offender Management Service in July last year.
