The full Ministerial Statement on the PA Consulting termination reads as follows.
I would like to update the House on the loss of sensitive data by PA consulting and to inform the House that the Home Office has terminated the contract with PA Consulting that covered the handling of this data.
On 19 August PA Consulting formally notified the Home Office of the loss of a data stick containing sensitive information relating to the JTrack system which PA manage under contract to the Home Office. I was informed the same day and immediately initiated an inquiry into this incident, undertaken by the Home Office Security Unit with advice and support from the Metropolitan Police. The incident inquiry has now been completed. The Information Commissioner and Cabinet Office have been kept fully informed. I have also today sent a full report to the Information Commissioner and have placed a copy in the House Library.
JTrack is the operational system used by the police and Crown Prosecution Service as part of the Government’s Prolific and other Priority Offender (PPO) programme. The data on JTrack relates to prisoners and other offenders in England and Wales.
The inquiry found that data was transferred to PA from the Home Office in a secure manner. This data was not handled securely by a PA employee on their premises. Data was downloaded to a data stick. The data stick was used to transfer data between computers on the PA premises and was not encrypted or managed appropriately. The data stick went missing and, despite extensive searches, has not been found. This was a clear breach of the robust terms of the contract covering security and data handling.
Based on the findings of the inquiry, the Home Office have decided to terminate this contract. My officials are currently working with PA to take this work back in house without affecting the operation of JTrack or the PPO programme. Data transfers to PA for JTrack were suspended immediately following the incident, data handling has now been transferred to the Home Office, and the system is fully operational. Other PA activity such as system maintenance and user training will be transferred by December.
We are reviewing our other contracts with PA, specifically from a data handling and security perspective. Lessons learned from this incident more generally will be applied to working with suppliers on contracts involving sensitive data.
Together with the Association of Chief Police Officers and the Ministry of Justice, we have undertaken careful assessments of the potential risks to individuals of this incident. The risk to public safety is assessed as low. The risk to individuals whose data was lost is also assessed as low. Appropriate measures are in place for individuals seeking information about the data held on them.
The Home Office has been very active in implementing the findings of the Hannigan Data Handling Review but as with other incidents of data loss the Government is reviewing the circumstances of this incident and will ensure that any lessons, including in relation to strengthening the delivery chain, are incorporated in the ongoing programme of work to provide support and guidance to departments on information assurance.
Given the seriousness of this incident, I believe it is important both to provide external assurance to the public on our response to the incident and also to enable others to benefit from the lessons learned. Hence I have commissioned Dr Stephen Hickey to undertake an external scrutiny of our response. I will be placing a report of his findings in the House Library in due course.
The text of the notification by the Home Office to the ICO can be read here.
For Andrew Rigby’s take on the legal implications, click here.
PA Consulting has issued a statement which reads as follows:
MEDIA STATEMENT FROM PA CONSULTING GROUP IN RELATION TO HOME OFFICE DATA LOSS
As is appropriate in these circumstances, PA Consulting has avoided making any comment on this incident until publication of the report of the Home Office to the Information Commissioner. This report has been published today.
We have not yet had the opportunity to review the report in detail. However, we accept PA’s responsibilities in this incident. As indicated in the notification, PA has a comprehensive system of security procedures and practices in place in order to protect, in addition to government information, sensitive information from commercial clients. The loss of data on this project was caused by human failure, a single employee was in breach of PA’s well established information security processes. We deeply regret this human failure and apologise unreservedly to the Home Office.
We have cooperated and continue to cooperate fully and willingly in the immediate reporting, ongoing investigation, and resolution of this incident.
We reported the potential loss of data to the Home Office at 16:30 on 18 August 2008, the day that the loss was discovered and less than two hours after it was reported to PA’s management. We then confirmed the loss to the Home Office at midday on 19 August.
PA has conducted an examination of every one of our government and private sector projects that handle personal, sensitive or protectively marked material against recognised best practice and government-approved processes. Our review has confirmed that, apart from in this isolated incident, we are fully compliant with robust policies and procedures and are achieving high levels of information assurance across all of our work. In addition, several government departments have carried out their own extensive audits of PA projects and in all cases have found them to be fully compliant.
PA has safely handled sensitive government information for over 60 years and this is the first incident of such a nature that PA has been involved in. It is clear from the events of recent weeks that the challenge of managing necessary confidential information held by government, and in particular of eliminating human error, is industry-wide. We are engaged in dialogue with our clients and competitors to address, and find solutions to, this challenge.
