Worker suspended over loss of prisoner data

A staff member at PA Consulting Group has been suspended after the contractor lost details on all prisoners in England and Wales, along with those of tens of thousands of offenders.

The data was being held, unencrypted, on a memory stick for processing purposes, the Home Office said in a Friday statement, saying that precisely how that stick was lost is now the subject of an internal investigation. A Home Office spokesperson told ZDNet.co.uk that PA Consulting had been "appointed by the Home Office in June 2007 to provide application support for tracking prolific and other priority offenders through the criminal justice system".

Following the discovery of the loss, the Home Office has suspended the transfer of data from the same assignment to PA Consulting. The government department is investigating PA Consulting's contractual obligations, the spokesperson said. In addition, a "member of [PA Consulting's] staff has been suspended", the Home Office spokesperson confirmed.

A spokesperson for PA Consulting would say only that the London-based firm was "collaborating closely with the Home Office on this matter". The contractor also undertakes other work for the Home Office, including providing biometric systems. The firm also has a logistics research contract with the Ministry of Defence, and provides web design for the Foreign and Commonwealth Office.

According to the Home Office statement, the lost memory stick carried "data from the Police National Computer, containing personal information about 33,000 individuals with six or more recordable convictions in the last 12 months (names, addresses and dates of birth); data relating to [approximately 10,000] prolific and other priority offenders (names and dates of birth, but not addresses); data relating to all [84,000] prisoners in England and Wales (names, dates of birth and, in some cases, expected prison release date and date of Home Detention Curfew); and Drug Interventions Programme data, with offenders' initials but not full names".

The police and the Information Commissioner's Office (ICO) have been informed of the breach. Deputy information commissioner David Smith said in a statement that it is "deeply worrying that, after a number of major data losses and the publication of two government reports on high-profile breaches of the Data Protection Act, more personal information has been reported lost".

"The data loss by a Home Office contractor demonstrates that personal information can be a toxic liability if it is not handled properly, and reinforces the need for data protection to be taken seriously at all levels," Smith said. "It is vital that sensitive information, such as prisoner records, is held securely at all times."

The ICO said it is awaiting a report following the Home Office's internal investigation, and will then decide on further action.

Security companies were quick to offer their thoughts on the data loss. Andrew Clarke, a senior vice president at Lumension Security, called on the government to institute "device-control policies… that enforce assigned permissions to individuals and devices".

"It is about putting the eyes of the management team on people's PCs. After all, if people know they are being watched, they are more likely to think again," Clarke added.

F5 Networks' security technology sales manager, Bill Beverley, said in a statement that public bodies should have similar security controls to those imposed on the financial sector. "Guidance measures, such as the [Payment Cards Industry] directive… are successful because they... provide effective and comprehensive methodology to protect data and... they are enforced," he said, adding that such controls would bring about a dramatic reduction in the incidence of data loss in the public sector.

The UK public sector has suffered numerous data breaches over the last year, the most notable being the loss of 25 million child-benefit claimant details by HM Revenue & Customs in November 2007. This month, the Foreign and Commonwealth Office reported five data breaches since 2007, and the Ministry of Justice reported nine incidents, affecting 45,000 people.