The Information Commissioner's Office (ICO) has taken
enforcement action against the Home Office after its contractor PA
Consulting lost offender data last year.
The ICO has found the Home Office in breach of the Data
Protection Act after PA Consulting lost an unencrypted memory
stick in August 2008. The stick held sensitive personal details
of thousands of individuals.
Details lost included information about individuals serving
custodial sentences and those who had previously been convicted of
criminal offences.
After the loss,
the Home Office sacked PA Consulting as a contractor.
The ICO has now required the
Home Office to sign a formal undertaking outlining that the
department will process personal information securely in
future.
The undertaking has been signed on behalf of the Home Office by
David Normington, the permanent secretary.
The Home Office will implement a number of security measures to
protect personal information more effectively. With immediate
effect, all portable and mobile devices which are used to store and
transmit personal information must be encrypted.
Any organisation processing personal information on behalf of
the Home Office must also use encryption software, a requirement
which must be clearly stated in all contracts.
Mick Gorrill, assistant Information Commissioner at the ICO,
said, "We are investigating a number of the most serious reported
data breaches. This case was serious because it involved thousands
of individual records, which contained sensitive information on
people serving custodial sentences and others previously convicted
of criminal offences.
"This breach illustrates that even though a contractor lost the
data, it is the data controller (the Home Office) which is
responsible for the security of the information."
Failure to meet the terms of the undertaking is likely to lead
to further enforcement action by the ICO.