PA Consulting's remorse over prison data loss

PA Consulting has said sorry over the loss of a memory stick holding data on thousands of prisoners, as the Home Office terminated its £1.5m “JTrack” contract. PA’s contract started on 1 June 2007 and was not due to end until June 2010.

It’s ironic that the Home Office said at the time of awarding the contract that its length would provide “stability” to the JTrack system.

PA said in a statement yesterday [11 September 2008]:

“PA has safely handled sensitive government information for over 60 years and this is the first incident of such a nature that PA has been involved in. It is clear from the events of recent weeks that the challenge of managing necessary confidential information held by government, and in particular of eliminating human error, is industry-wide. We are engaged in dialogue with our clients and competitors to address, and find solutions to, this challenge.”

In cancelling the contract with PA Consulting – even though it’s only a small contract – the government is sending a signal to suppliers that high-profile disasters will not always be covered up or played down.

The Home Secretary Jacqui Smith said that her officials are “currently working with PA to take this work back in house without affecting the operation of JTrack or the PPO [Prolific and other Priority Offender] programme.”

In the past the government has been conspicuously reluctant to cancel contracts with IT suppliers. But in the past six months the government has cancelled a deal with ETS Europe over problems in the marking and dissemination of SAT test papers. The termination of Fujitsu’s contract on the National Programme for IT was brought about by the supplier’s withdrawal from talks over a contract reset.

The JTrack system allows users to search a database to establish which persistent offenders are being released from prison in the next 28 days, which are frequent cross-border offenders, and which have committed any offence in the past three months.

The database also contains details of police, probation officers and those working with the Crown Prosecution Service.  

In the House of Commons yesterday the Home Secretary Jacqui Smith said:

“[An] inquiry found that data were transferred to PA from the Home Office in a secure manner. These data were not handled securely by a PA employee on their premises. Data were downloaded to a data stick.

“The data stick was used to transfer data between computers on the PA premises and was not encrypted or managed appropriately. The data stick went missing and, despite extensive searches, has not been found. This was a clear breach of the robust terms of the contract covering security and data handling.

“Based on the findings of the inquiry, the Home Office have decided to terminate this contract… Data transfers to PA for JTrack were suspended immediately following the incident, data handling has now been transferred to the Home Office, and the system is fully operational. Other PA activity such as system maintenance and user training will be transferred by December.

“We are reviewing our other contracts with PA, specifically from a data handling and security perspective. Lessons learned from this incident more generally will be applied to working with suppliers on contracts involving sensitive data.

“Together with the Association of Chief Police Officers and the Ministry of Justice, we have undertaken careful assessments of the potential risks to individuals of this incident. The risk to public safety is assessed as low. The risk to individuals whose data was lost is also assessed as low. Appropriate measures are in place for individuals seeking information about the data held on them.”

PA’s statement in full:

“As is appropriate in these circumstances, PA Consulting has avoided making any comment on this incident until publication of the report of the Home Office to the Information Commissioner. This report has been published today.
 
“We have not yet had the opportunity to review the report in detail. However, we accept PA’s responsibilities in this incident. As indicated in the notification, PA has a comprehensive system of security procedures and practices in place in order to protect, in addition to government information, sensitive information from commercial clients.

“The loss of data on this project was caused by human failure: a single employee was in breach of PA’s well-established information security processes. We deeply regret this human failure and apologise unreservedly to the Home Office.
 
“We have cooperated and continue to cooperate fully and willingly in the immediate reporting, ongoing investigation, and resolution of this incident.
 
“We reported the potential loss of data to the Home Office at 16:30 on 18 August 2008, the day that the loss was discovered and less than two hours after it was reported to PA’s management. We then confirmed the loss to the Home Office at midday on 19 August.
 
“PA has conducted an examination of every one of our government and private sector projects that handle personal, sensitive or protectively marked material against recognised best practice and government-approved processes.

“Our review has confirmed that, apart from in this isolated incident, we are fully compliant with robust policies and procedures and are achieving high levels of information assurance across all of our work. In addition, several government departments have carried out their own extensive audits of PA projects and in all cases have found them to be fully compliant.
 
“PA has safely handled sensitive government information for over 60 years and this is the first incident of such a nature that PA has been involved in. It is clear from the events of recent weeks that the challenge of managing necessary confidential information held by government, and in particular of eliminating human error, is industry-wide. We are engaged in dialogue with our clients and competitors to address, and find solutions to, this challenge.”


The Home Secretary’s statement on the data loss in full

“I would like to update the House on the loss of sensitive data by PA Consulting and to inform the House that the Home Office has terminated the contract with PA Consulting that covered the handling of these data.

“On 19 August PA Consulting formally notified the Home Office of the loss of a data stick containing sensitive information relating to the JTrack system which PA manage under contract to the Home Office.

“I was informed the same day and immediately initiated an inquiry into this incident, undertaken by the Home Office Security Unit with advice and support from the Metropolitan Police. The incident inquiry has now been completed.

“The Information Commissioner and Cabinet Office have been kept fully informed. I have also today sent a full report to the Information Commissioner and have placed a copy in the House Library.

“JTrack is the operational system used by the police and Crown Prosecution Service as part of the Government’s Prolific and other Priority Offender (PPO) programme. The data on JTrack relate to prisoners and other offenders in England and Wales.

“The inquiry found that data were transferred to PA from the Home Office in a secure manner. These data were not handled securely by a PA employee on their premises. Data were downloaded to a data stick. The data stick was used to transfer data between computers on the PA premises and was not encrypted or managed appropriately.

“The data stick went missing and, despite extensive searches, has not been found. This was a clear breach of the robust terms of the contract covering security and data handling.

“Based on the findings of the inquiry, the Home Office have decided to terminate this contract. My officials are currently working with PA to take this work back in house without affecting the operation of JTrack or the PPO programme.

“Data transfers to PA for JTrack were suspended immediately following the incident, data handling has now been transferred to the Home Office, and the system is fully operational. Other PA activity such as system maintenance and user training will be transferred by December.

“We are reviewing our other contracts with PA, specifically from a data handling and security perspective. Lessons learned from this incident more generally will be applied to working with suppliers on contracts involving sensitive data.

“Together with the Association of Chief Police Officers and the Ministry of Justice, we have undertaken careful assessments of the potential risks to individuals of this incident. The risk to public safety is assessed as low. The risk to individuals whose data was lost is also assessed as low. Appropriate measures are in place for individuals seeking information about the data held on them.

“The Home Office has been very active in implementing the findings of the Hannigan Data Handling Review but as with other incidents of data loss the Government are reviewing the circumstances of this incident and will ensure that any lessons, including in relation to strengthening the delivery chain, are incorporated in the ongoing programme of work to provide support and guidance to Departments on information assurance.

“Given the seriousness of this incident, I believe it is important both to provide external assurance to the public on our response to the incident and also to enable others to benefit from the lessons learned. Hence I have commissioned Dr. Stephen Hickey to undertake an external scrutiny of our response. I will be placing a report of his findings in the House Library in due course.”

Links:

Cancelled JTrack system – Home Office website  

PA Consulting press release in 2004 – “better safe than sorry”

Contract ended over prisoner data loss – Financial Times 

Data loss firm’s contract axed – BBC website
