Departmental Data Protection

Volume 470: debated on Monday 7 January 2008

To ask the Secretary of State for Justice what reviews have been undertaken of his Department's rules on data protection in the last two years; if he will place in the Library a copy of the report of the last review of his Department's compliance with data protection laws; and if (a) his Department and (b) his Department's agencies will undertake a review of their compliance with data protection laws. (168078)

I refer the hon. Member to the statement made by right hon. Friend the Prime Minister on 21 November 2007, Official Report, column 1179. The review by the Cabinet Secretary and security experts is looking at procedures within Departments and agencies for the storage and use of data. A statement on Departments' procedures will be made on completion of the review. An interim progress report on the review was published on 17 December by the Cabinet Office through a written ministerial statement, column 98WS.

My Department is reviewing the way it handles data alongside the work being carried out by the Cabinet Secretary which will be published in due course.

To ask the Secretary of State for Justice on how many occasions in (a) his Department and (b) its agencies confidential data have been downloaded on to compact discs (i) without and (ii) with encryption in the last 12 month period for which figures are available; how many of those discs have been posted without using recorded or registered delivery; what procedures his Department has in place for the (A) transport, (B) exchange and (C) delivery of confidential or sensitive data; what records are kept of information held by his Department being sent outside the Department; what changes have been made to his Department's rules and procedures on data protection in the last two years; on how many occasions his Department's procedures and rules on data protection have been breached in the last five years; what those breaches were; what procedures his Department has in place on downloading confidential data on to computer discs before its transfer; what technical protections there are in his Department's computer systems to prevent access to information held on those systems which is not in accordance with departmental procedures; and if he will place in the Library a copy of each of his Department's rules and procedures on the protection of confidential data on individuals, businesses and other organisations. (168259)

I refer the hon. Member to the statement made by right hon. Friend the Prime Minister on 21 November 2007, Official Report, column 1179. The review by the Cabinet Secretary and security experts is looking at procedures within Departments and agencies for the storage and use of data. A statement on Departments' procedures will be made on completion of the review. An interim progress report on the review was published on 17 December by the Cabinet Office through a written ministerial statement, column 98WS.

No information is available on the number of times that confidential data has been downloaded onto compact discs. Downloading, transport, exchange and delivery of sensitive data, and the recording of these actions, is governed by agreed procedures in line with HM Government standards. My Department's main information systems have been designed to operate at a level of security that covers the requirements for handling personal information.

There is no standard set of rules and procedures required for compliance with the Data Protection Act 1998. What is appropriate will depend on the circumstances and the nature of the personal data itself. Accordingly, data protection measures are specific to location, type and sensitivity of the data in question. There is no overarching set of rules and the Department follows HM Government procedures for assessing risks and establishing controls. Therefore the information requested is not held centrally and could be provided only at disproportionate cost.

The definition of ‘breach’ in data protection rules and procedures can be broad. Depending on their nature, breaches by Government Departments of the Data Protection Act can be dealt with by the information commissioner, the courts or by Departments at an informal local level. The information requested is not held centrally and could be provided only at disproportionate cost.

To ask the Secretary of State for Justice how many employees of each grade in his Department (a) have access to confidential or sensitive data and (b) are authorised to download such data to disk; how many of his Department's employees have undergone data protection training in the last 12 months; what the average length of time is that each employee of (i) his Department and (ii) his Department's agencies has spent on data protection training; how many investigations of employees of his Department for improperly accessing confidential information have taken place in the last 12 months; how many such investigations resulted in cases of disciplinary action; and what the circumstances of each of those cases were. (168279)

I refer the hon. Member to the statement made by right hon. Friend the Prime Minister on 21 November 2007, Official Report, column 1179. The review by the Cabinet Secretary and security experts is looking at procedures within Departments and agencies for the storage and use of data. A statement on Departments' procedures will be made on completion of the review. An interim progress report on the review was published on 17 December by the Cabinet Office through a written ministerial statement, column 98WS.

Like all Government Departments, mine provides training to members of staff. It is included in induction for new staff and ad hoc training events where a specific need exists. The information requested on data protection training at (i) and (ii), and for parts (a) and (b) of this question is not held centrally and could be provided only at disproportionate cost.

There are no recorded instances of employees in my Department being investigated for improperly accessing confidential information in the last 12 months.

To ask the Secretary of State for Justice what procedures are in place in his Department to ensure that personal information relating to members of the public is (a) stored and (b) transported securely. (168471)

I refer my right hon. Friend to the statement made by right hon. Friend the Prime Minister on 21 November 2007, Official Report, column 1179. The review by the Cabinet Secretary and security experts is looking at procedures within Departments and agencies for the storage and use of data. A statement on Departments' procedures will be made on completion of the review. An interim progress report on the review was published by the Cabinet Office through a written ministerial statement on 17 December 2007, Official Report, column 98WS.

Our new DISC contract, which covers the main HQ, court and tribunal systems, covers security requirements, referring to HMG standards and ISO 17799 (and updates to both) and includes operating procedures covering the carriage of bulky protectively marked assets.

Paper records, when no longer current, are stored in a secure archive. After no later than 30 years, they are reviewed and either transferred under controlled transport arrangements to the National Archive or destroyed.

To ask the Secretary of State for Justice whether his Department's information technology and data management systems are BS7799 compliant. (168743)

I refer the hon. Member to the statement made by right hon. Friend the Prime Minister on 21 November 2007, Official Report, column 1179. The review by the Cabinet Secretary and security experts is looking at procedures within Departments and agencies for the storage and use of data. A statement on Departments' procedures will be made on completion of the review. An interim progress report on the review was published by the Cabinet Office through a written ministerial statement on 17 December 2007, Official Report, column 98WS.

All Government Departments are required to ensure that their information technology and data management systems meet the Government standard (known as HMG Infosec Standard 2) which is aligned to BS7799. All MoJ systems comply with the government standard, and are therefore BS7799 compliant.

To ask the Secretary of State for Justice on how many occasions the Information Commissioner was contacted by his Department to report breaches of data protection security in each of the last five years. (168815)

I refer the hon. Member to the statement made by right hon. Friend the Prime Minister on 21 November 2007, Official Report, column 1179. The review by the Cabinet Secretary and security experts is looking at procedures within Departments and agencies for the storage and use of data. A statement on Departments’ procedures will be made on completion of the review. An interim progress report on the review was published by the Cabinet Office through a written ministerial statement on 17 December 2007, Official Report, column 98WS.

My Department does not maintain a central record of breaches of data protection security reported to the Information Commissioner. However, in the last year, I can say that my Department has reported three potential breaches to his office.

The Information Commissioner’s office does not keep records of referrals referenced by Department.

The information requested about the last five years is not held centrally and could be provided only at disproportionate cost.

To ask the Secretary of State for Justice how many breaches of data protection security there were in (a) his Department and (b) his Department’s agencies in each of the last five years; and if he will provide details of each breach. (168839)

I refer the hon. Member to the statement made by right hon. Friend the Prime Minister on 21 November 2007, Official Report, column 1179. The review by the Cabinet Secretary and security experts is looking at procedures within Departments and agencies for the storage and use of data. A statement on Departments’ procedures will be made on completion of the review. An interim progress report on the review was published by the Cabinet Office through a written ministerial statement on 17 December 2007, Official Report, column 98WS.

Depending on their nature, breaches by my Department of the Data Protection Act 1998 can be dealt with by the Information Commissioner, the courts or by my Department at an informal local level. The information requested about the last five years is not held centrally and could be provided only at disproportionate cost.

However, in the last year, I can say that my Department has reported three potential breaches to the Information Commissioner’s office.

To ask the Secretary of State for Justice whether he proposes to review how his Department transports data; and whether his Department uses TNT to transport data. (169219)

I refer the hon. Member to the statement made by right hon. Friend the Prime Minister on 21 November 2007, Official Report, column 1179. The review by the Cabinet Secretary and security experts is looking at procedures within Departments and agencies for the storage and use of data. A statement on Departments' procedures will be made on completion of the review. An interim progress report on the review was published by the Cabinet Office through a written ministerial statement on 17 December 2007, Official Report, column 98WS.

The review will include data transport arrangements.

We use TNT as the provider of an archive service for paper records. This is an MoD contract that provides a secure storage facility and is used by MoJ Headquarters, the courts, some tribunals and the prison service. After no later than 30 years, records are reviewed and either transferred under controlled arrangements to the National Archive or destroyed.

Business units select a delivery firm to take records to the Archive and there is a tight security control to ensure all records are accounted for. TNT are only involved in transport if business units have requested old records back or when they are being returned to our Records Management Service for review.

To ask the Secretary of State for Justice how many confirmed security breaches of databases controlled by his Department occurred in each of the last five years; whether the breach resulted from internal or external action in each case; how many records were compromised on each occasion; and what estimate was made of the total number of records accessible to the individuals concerned. (173710)

A small number of incidents have been investigated and no security breach involving loss of information from the Department was found to have occurred.