On 10 September the Government announced its decision to terminate its contract with PA Consulting, the private sector contractor which it had engaged to carry out a research project on tracking offenders through the criminal justice system. This followed an inquiry by the Government into the circumstances surrounding the loss by PA Consulting of a memory stick containing the unencrypted personal data of all 84,000 prisoners in England and Wales. The loss had became public nearly three weeks earlier)
What was the legal basis for this?
The Home Secretary Jacqui Smith indicated that the Government’s inquiries had shown PA Consulting to be in breach of the data security provisions of its contract with the Government, in that data held on a secure site was downloaded by the contractor to an insecure memory stick which was then physically lost.
Contracts of this sort should be as clear and precise as possible as to the technical and physical security measures which the outsourcing data controller requires its contractor to adopt to ensure the integrity of its data. General requirements to take appropriate measures are not enough. If the Government expressly prohibited in the contract the downloading of data to portable devices, it will have a clear argument here that PA Consulting breached the contract. If it stopped short of that, it may now suffer the consequences of that, in the form of an ongoing argument with PA Consulting as to the Government’s right to terminate.
Will the Government have the right to sue PA Consulting?
In principle the Government would have the right to claim compensation from PA Consulting for any loss or damage suffered by it as a result of PA Consulting’s breach of contract. However the precise extent of that right, including the nature of the loss and/or damage in respect of which the Government could recover and the amounts up to which such compensation would be available, would be governed by the terms of the contract itself.
It is common, for example, for suppliers to seek to exclude all liability for ‘loss of data’ arising in connection with their performance of a contract. Whilst this is commonly taken to mean the corruption or deletion of data other than personal data (arising in particular from Internet or system problems), a supplier could potentially argue (depending on the wording of the contract) that it extended to a situation such as this, involving physical loss of personal information.
The fact that any actual loss or damage arising from the loss of the memory stick is likely to be suffered by the prisoners, if their information ultimately falls into the wrong hands, rather than the Government itself may also (again depending on what the contract says) pose a problem here, as any resultant loss on the part of the Government (eg in compensating the prisoners – see below) may be deemed indirect loss which may not be recoverable under the contract.
The terms of its contract with PA Consulting will be crucial in determining the strength of the Government’s position here. These are the sorts of issues on which the Government must focus in its review (apparently ongoing) of PA Consulting’s other Home Office contracts, and indeed in addressing data security properly in any other contractual arrangements, existing or future.
Can individual prisoners claim compensation from PA Consulting?
Theoretically individual prisoners may have a claim against PA Consulting for negligence, but it is likely to be simpler (and legally more certain) to pursue the Government under statute (see below).
Can individual prisoners claim compensation from the Government?
Any of the individuals whose information has been compromised would have a right under the Data Protection Act 1998 to claim compensation from the Government (as the data controller of the lost information) in respect of any loss or damage suffered by them as a result of the apparent breach of data protection legislation which has arisen here. However they would need to show that they had suffered actual loss or damage (eg financial or physical) – mere distress at the knowledge their information had been lost would not be sufficient.
To date, awards of compensation under data protection legislation have not been particularly generous.
Will taking the service back ‘in-house’ make a difference?
Ultimately, cutting out the external contractor will only make a real difference if the Government is successful in implementing a whole new organisational data security culture. Many of the data security incidents which have come to light in the last 18 months or so (and in particular the major HMRC incident of November last year) have not involved external contractors in any way, but rather have arisen from internal failings.
More than ever, the role of the Information Commissioner, as the independent body charged with policing and enforcing data protection legislation, would appear to be crucial in forcing that culture change on the Government.
The Information Commissioner already has a non-statutory power (based on a standing consent from the Prime Minister) to carry out spot checks of Government departments for data protection compliance purposes. However it is widely hoped (and expected) that the Information Commissioner will shortly be granted much strengthened statutory powers to inspect and audit all data controllers, following a Ministry of Justice consultation exercise which concluded at the end of August.
The Information Commissioner’s new power to fine will also play a vital role, with the threat of fines (possibly of the same magnitude as those which the FSA is entitled to impose) providing a strong incentive to ensure compliance. That power is not currently expected to become operational before the end of this year, but its potential significance is growing with every new public sector data security incident that emerges.
Andrew Rigby is a Partner at Brodies LLP and is recognised as one of the UK’s leading outsourcing specialist: www.brodies.co.uk
© Andrew Rigby, Brodies LLP 2008
