The Ministry of Defence (MOD) said today it will act on a report by Edmund Burton into a spate of laptop thefts...
from military personnel.
The most recent theft saw the personal details of 600,000 potential recruits go missing on an unencrypted laptop, when it was stolen from a car.
Edmund Burton, who is chairman of the Information Assurance Advisory Council, was invited to conduct a full investigation into the circumstances that led to the loss of this data in January 2008, and consider the broader MOD approach to data protection.
Burton found that MOD policies and procedures "are generally fit for purpose", said the MOD, and cited examples of good practice by the MOD.
But he identified a number of areas where the MOD "needs to do better" in protecting personal data.
The MOD has accepted all of Burton's 51 recommendations and has prepared an action plan to implement them.
The MOD Action Plan:
Only qualified users are authorised to handle personal data
All losses of laptops and other IT kit to be reported and acted upon
The MOD and its IT contractors understand record management and "the consequences of failure"
Data retention that complies strictly with the Data Protection Act
New system security procedures followed through by audits
The MOD retains only the minimum amount of information necessary
Potential risks to information to be regularly reviewed
The Burton report was passed to the MOD in April and made public today, when other reports into the public sector loss of data were published.