ICT for Recovery

Defence Minister explains how sensitive laptop data was lost by his Department

"On 21 January 2008 and 7 February 2008, I informed the House about the theft of laptop computers containing a database with personal records relating to individuals who had expressed interest in joining the Armed Forces, and that I had invited Sir Edmund Burton to conduct a full investigation into: the circumstances that led to the MOD's loss of this personal data; the effectiveness of the immediate measures we introduced to prevent any recurrence; and the adequacy of the Department's policy, practice and management arrangements for the protection of personal data more generally.

Sir Edmund has reported, and I have placed a copy of his report in the library of the House and published it on the Department's website (at www.mod.uk). I am very grateful for the effort that Sir Edmund and his team have put into this Review. The report is in two parts with an executive summary. Part One sets out the events leading up to the loss of data on 9 January 2008, covering the relevant issues surrounding the Training Administration and Financial Management Information System (TAFMIS) system and the attendant policies and procedures. Part Two considers the broader MOD approach to personal data protection, drawing on the emerging findings of the Cabinet Office Review of Data Handling Procedure in Government, whose final report is also being published today. Further detail and a summary of Sir Edmund's fifty-one recommendations are given in the annexes to the report. These have been published in full, although the names of those consulted have been redacted.

I accept all fifty-one of Sir Edmund's recommendations, and am determined that we should learn the wider lessons to be drawn from this incident. At the direction of the Defence Board, an action plan has been prepared to implement the recommendations, and this is being published today also. The senior management of the MOD, in the form of the Defence Board, accepts that it has ultimate responsibility for the effectiveness of the Department's information management and assurance, and will supervise the implementation of the action plan.

The action plan has been shown to Sir Edmund, who has indicated that it has his support and is in his view capable of delivering the improvements in practice which his report concludes are necessary. Sir Edmund's report, and the action plan including the immediate steps we have taken to bring the TAFMIS system into compliance with the Data Protection Act, have also been shared with the Information Commissioner; we will keep his office apprised of progress.

On the TAFMIS recruitment system, Sir Edmund's report has set out, to the extent that he has been able to establish the facts, the sequence of events that led to the Royal Navy and Royal Air Force version of the system being unencrypted. This confirms that efforts were made to encrypt the system through an encryption upgrade; that this was successful for most of the system; but that in August 2006 the 55 TAFMIS laptops containing the Royal Navy/Royal Air Force recruit database were reported not to be working. Despite examining all the available papers and interviewing relevant personnel from the Army Recruiting and Training Division (ARTD), who manage the contract for the system on behalf of all three Armed Services, and the system provider, EDS, Sir Edmund has been unable to find an explanation of why encryption of these 55 was not pursued by another means, and those using the system came to believe that it was encrypted when it was not. His main conclusions are that aspects of the TAFMIS project were poorly managed both by the ARTD's internal project manager and EDS; that for periods in 2006 and 2007 the laptops in question were being used in breach of MOD laptop encryption security policy; and that in certain key respects, detailed in the report, the TAFMIS system is still in breach of data protection regulations. His findings have confirmed my own suspicion that there was no robust business reason for so much personal data to be carried around by recruiting officers on their laptops. Action is already in hand to remedy this position.

After studying the report, the Chief of the General Staff has ordered an inquiry to investigate whether there are grounds to pursue either disciplinary or administrative action in respect of the management of the contract between the Army and EDS.

On the more general aspects of his review, Sir Edmund finds that Departmental policies and procedures generally are fit for purpose and he gives some examples of good practice by the Department (the role of the MOD's Senior Information Risk Owner; the emergency measures introduced after the loss, which have been effective in preventing similar damaging losses; the network of Data Protection Officers; and the good security, data protection and information risk management procedures of the organisations within the Department for whom handling of large volumes of personal data is core business); but he is highly critical of the Department's general treatment in practice of information, knowledge and data as key operational and business assets, and of low levels of awareness of the threats to information and of the requirements of data protection legislation. Therefore, his recommendations focus on training and steps to raise awareness and compliance, and to raise the profile of the issue within our various management boards.

Sir Edmund's investigation and other internal inquiries have established more of the facts than were available when I made my statement to the House on 21 January. Of the 600,000 recruits or potential recruits who were in the TAFMIS database, about 1,000 dated back to 1977. In a substantial proportion of cases, the records included more limited information about next of kin and contact details for referees.

We have also established that, in addition to the three stolen TAFMIS laptop computers referred to in the statement, a further two laptops similar to those stolen in January 2008 and October 2006 were stolen from cars: a Royal Navy laptop in Bristol in August 2004 and a Royal Air Force laptop in Leeds in July 2006. In both cases the laptops were believed at the time to have been encrypted and Ministers were not informed of the losses. The personal data held on these laptops was a subset of that held on the laptop stolen on 9 January 2008 and so does not affect anyone not already affected by that incident.

Following the theft of the laptop on 9 January, the Department conducted a full internal investigation into the details of computer and other electronic storage media lost or stolen since 2003 when mandatory reporting of such incidents was introduced. This investigation has now been completed and the collated data was provided to Sir Edmund Burton as part of his Review. He has summarised key elements of the data in his Report.

Prior to 2003 the reporting of lost and stolen laptops was not centrally collated and it has been found that the figures for the period 1995 to 2002 may be incomplete and therefore unreliable. As the details of incidents for this period are no longer available it is not possible to provide updated figures.

Following my statement on 21 January I was asked a number of Parliamentary Questions (PQs 182359, 182387, 182390, 184322, 185276, and 186051) which I was unable to answer fully until the Burton Review had reported but will now be able to do so.

In conclusion, I reiterate my deep regret over both the losses of personal data and the systemic weaknesses within parts of the MOD that led to this situation. As the Cabinet Office report also published today highlights, these reflect challenges faced by all parts of Government but that does not make them any more acceptable. Both I and senior MOD management are determined to act quickly and decisively on Sir Edmund's recommendations and bring about an early significant improvement in practice within the Department in this important area."

Related links to this article:
Ministry of Defence
Report into the Loss of MOD Personal Data (PDF, 1.1 MB)
MOD Action Plan in response to Burton Report (PDF, 341.2 KB)
Information Commissioner's Office