Government Review of Data Processing Contracts

September 9, 2008

I write this on the day (10 September 2008) that the Government has announced its decision to terminate its contract with PA Consulting, the private sector contractor which it had engaged to carry out a research project on tracking offenders through the criminal justice system. This follows an inquiry by the Government into the circumstances surrounding the loss (which became public nearly three weeks ago) by PA Consulting of a memory stick containing the unencrypted personal data of all 84,000 prisoners in England and Wales.

What is the legal basis for the termination of the contract?

The Home Secretary Jacqui Smith has indicated that the Government’s inquiries showed PA Consulting to be in breach of the data security provisions of its contract with the Government, in that data held on a secure site was downloaded by the contractor to an insecure memory stick which was then physically lost.

Contracts of this sort should be as clear and precise as possible as to the technical and physical security measures which the outsourcing data controller requires its contractor to adopt to ensure the integrity of its data. General requirements to take appropriate measures are not enough. If the Government expressly prohibited in the contract the downloading of data to portable devices, it will have a clear argument that PA Consulting breached the contract. If it stopped short of that, it may now suffer the consequences of that lack of clarity, in the form of an ongoing argument with PA Consulting as to the Government’s right to terminate.

Will the Government have the right to sue PA Consulting?

In principle the Government would have the right to claim compensation from PA Consulting for any loss or damage suffered by it as a result of PA Consulting’s breach of contract. However the precise extent of that right, including the nature of the loss and/or damage in respect of which the Government could recover and the amounts up to which such compensation would be available, would be governed by the terms of the contract itself.

It is common, for example, for suppliers to seek to exclude all liability for ‘loss of data’ arising in connection with their performance of a contract. Whilst this is commonly taken to mean the corruption or deletion of data other than personal data (arising in particular from Internet or system problems), a supplier could argue (depending on the wording of the contract) that it extended to a situation such as this, involving physical loss of personal information.

The fact that any actual loss or damage arising from the loss of the memory stick is likely to be suffered by the prisoners (if their information ultimately falls into the wrong hands) rather than the Government itself may also (again depending on what the contract says) pose a problem here, as any resultant loss on the part of the Government (eg in compensating the prisoners – see below) may be deemed indirect loss which may not be recoverable under the contract.

The terms of its contract with PA Consulting will be crucial in determining the strength of the Government’s position here. These are the sorts of issues on which the Government must focus in its review (currently ongoing) of PA Consulting’s other Home Office contracts, and indeed in addressing data security properly in any other contractual arrangements, existing or future.

Will individual prisoners have the right to claim compensation:

(i) from PA Consulting?

Theoretically individual prisoners may have a claim against PA Consulting for negligence, but it is likely to be simpler (and legally more certain) to pursue the Government under statute (see below).

(ii) from the Government?

Any of the individuals whose information has been compromised would have a right under the Data Protection Act 1998 to claim compensation from the Government (as the data controller of the lost information) in respect of any loss or damage suffered by them as a result of the apparent breach of data protection legislation which has arisen here. However they would need to show that they had suffered actual loss or damage (eg financial or physical) – mere distress at the knowledge their information had been lost would not be sufficient.

To date, awards of compensation under data protection legislation have not been particularly generous.

Will taking the service back in-house make a difference?

Ultimately, cutting out the external contractor will make a real difference only if the Government is successful in implementing a whole new organisational data security culture. Many of the data security incidents which have come to light in the last 18 months (and in particular the major HMRC incident of November last year) have not involved external contractors in any way, but rather have arisen from internal failings.

More than ever, the role of the Information Commissioner, as the independent body charged with policing and enforcing data protection legislation, would appear to be crucial in forcing that culture change on the Government. New powers to fine (expected to go ‘live’ around November this year) and the possibility of much strengthened powers to inspect and audit (not yet enacted but being actively sought by the Information Commissioner) will be vital in equipping the Information Commissioner for this task.

Andrew Rigby is a Partner at Brodies: