Quis custodiet ipsos custodes?

It’s a corny title but an appropriate one: the Home Office has admitted to the loss of a memory stick containing personal information about every one of the 84,000 prisoners in England & Wales. This time the loss wasn’t by a ‘junior official’ but by an organisation that should have known much better – PA Consulting did the lion’s share of planning for the National Identity Scheme. Their staff have been immersed in HM Government Information Assurance procedures for some years now, so the very existence of an unencrypted memory stick with that data on it is inexcusable. The questions that need to be answered – and I hope this is by an independent enquiry – include:

  • why was such a data set allowed to exist at all outside of the Home Office?
  • what was it doing on an unencrypted media device?
  • who authorised that transfer?
  • what procedures did PA apply to protect the device?
  • how do those procedures compare with CESG’s requirements for securing data?
  • why has it taken (allegedly) several days to reveal the loss?
  • what penalties will be applied to the individual, company and department concerned?

At least in the post-HMRC world we’ve been told about the incident (although the cynic in me asks why – is it possible that someone has found it and coerced them into revealing the loss?). As Deputy Information Commissioner David Smith said, this shows how personal information can become a “toxic liability” if not handled properly. We expect to see a rigorous and transparent clean-up after this particular spill.