Privacy watchdog the Information Commissioner's Office has found the Home Office to have breached data-protection law over the loss of 84,000 prisoners' data.
Although the data was lost by contractor PA Consulting, as the relevant data controller the Home Office was ultimately accountable for the loss under the Data Protection Act, said assistant information commissioner Mick Gorrill.
"This case was serious because it involved thousands of individual records, which contained sensitive information on people serving custodial sentences and others previously convicted of criminal offences," said Gorrill in a statement. "This breach illustrates that, even though a contractor lost the data, it is the data controller (the Home Office) which is responsible for the security of the information. It is vital that sensitive personal information is handled properly and held securely at all times."
The Information Commissioner's Office (ICO) will now require the Home Office to sign a formal undertaking to ensure that the government department will process information "securely" in the future. All portable and mobile devices that store and transmit personal information must be encrypted. Any contractor processing personal information on behalf of the Home Office must also use encryption software, a requirement that must be "clearly stated in all contracts", said the ICO.
If the Home Office fails to meet the terms of the undertaking, then it will be subject to "further enforcement action", the ICO added.
A Home Office spokesperson said on Friday that the department was committed to keeping information "safe and secure". "We have made good progress to improve data security and we will continue to work closely with the Information Commissioner's Office to ensure that our systems are as robust as possible," the spokesperson told ZDNet UK.
Contractor PA Consulting lost its £1.5m contract to administer the JTrack prisoner-tracking data for the Home Office following the loss of a flash memory stick last summer. The memory stick contained details of the entire 84,000-person UK prison population. At the time, the Home Office axed the relevant contract with PA Consulting and said it was also reviewing its other contracts with the firm. ZDNet UK understands that those contracts are still under review.