The Information Commissioner's Office (ICO) has taken enforcement action against the Home Office after its contractor PA Consulting lost offender data last year.
The ICO has found the Home Office in breach of the Data Protection Act after PA Consulting lost, in August 2008, an unencrypted memory stick holding sensitive personal details of thousands of individuals.
Details lost included information about individuals serving custodial sentences and those who had previously been convicted of criminal offences.
After the loss, the Home Office sacked PA Consulting as a contractor.
The ICO has now required the Home Office to sign a formal undertaking outlining that the department will process personal information securely in future.
The undertaking has been signed on behalf of the Home Office by David Normington, the permanent secretary.
The Home Office will implement a number of security measures to protect personal information more effectively. With immediate effect, all portable and mobile devices which are used to store and transmit personal information must be encrypted.
Any organisation processing personal information on behalf of the Home Office must also use encryption software, a requirement which must be clearly stated in all contracts.
Mick Gorrill, assistant Information Commissioner at the ICO, said, "We are investigating a number of the most serious reported data breaches. This case was serious because it involved thousands of individual records, which contained sensitive information on people serving custodial sentences and others previously convicted of criminal offences.
"This breach illustrates that even though a contractor lost the data, it is the data controller (the Home Office) which is responsible for the security of the information."
Failure to meet the terms of the undertaking is likely to lead to further enforcement action by the ICO.