MOD (Data Loss)

Volume 470: debated on Monday 21 January 2008

Mr. Speaker, with your permission, I should like to inform the House about the theft of laptop computers from Ministry of Defence vehicles and premises. The MOD has clear policies, systems and procedures in place to protect the security of information, both personal data and classified information. We have software protection through encryption and a formal information security process through which individual IT systems and the databases they contain must be accredited by the appropriate MOD authorities. Our internal investigations following this theft reveal that those procedures were not followed. That was a breach of MOD security regulations.

As police investigations of the theft are at an active stage, I am limited in what I can say about the incident. It occurred on the night of Wednesday 9 January in Edgbaston, Birmingham. The laptop was left in a car that had been parked overnight and was unattended. That was a breach of security regulations. The stolen laptop contains personal information on about 600,000 people, the majority of whom had simply expressed an interest in joining the Royal Navy, the Royal Marines or the Royal Air Force.

We have no reason to believe that the theft was specifically targeted against the officer, or to acquire the laptop for the data held on it, but we cannot wholly discount that. Early in the morning after the laptop was left in the unattended car, as soon as the theft was discovered, it was reported to the local police and the relevant authorities in the MOD.

It is not clear to me why recruiting officers routinely carry with them information on such a large number of people—or, indeed, why the database retains such information at all. The information held is not the same for every individual. In some cases the record may be no more than a name, but I am advised that for about 153,000 people who progressed as far as submitting an application form to join the forces, more extensive personal data are held, including passport details, national insurance numbers, driver’s licence details, family details, doctors’ addresses and national health service numbers; for about 3,700 people, banking details were also included. The records largely date back to 2003, although some records may date back as far as 1997.

Ministers were informed of the loss of the laptop on Friday 11 January, although at that point it was believed that the data were fully encrypted. That is relevant because the level of encryption used by the Ministry of Defence on its computers is stronger than that used for commercial applications, and our IT authorities judge that a significant amount of time, resources and, in particular, expertise would be needed to access such data in a readable format.

The fact that the data were not encrypted was reported to Ministers on Monday 14 January. Subsequently, the Information Commissioner and the police authorities were informed, and as an immediate precaution all similar laptops were recalled from their users and secured. That was completed by 18 January. The theft is being investigated by the West Midlands police, assisted by the Ministry of Defence police. After consultation with the police about the impact on the investigation were the theft to become public knowledge, I decided not to make a statement to Parliament last Thursday—although I was ready to do so. Unfortunately, news of the theft of the laptop was reported in the media on Friday evening and the MOD was obliged to issue a brief statement setting out the facts of the incident, as they were being reported inaccurately.

I discussed the need to issue a brief statement on Friday with Mr. Speaker and the hon. Members for Woodspring (Dr. Fox) and for North Devon (Nick Harvey). I also attempted to speak to the right hon. Member for North-East Hampshire (Mr. Arbuthnot) and my hon. Friend the Member for Cannock Chase (Dr. Wright), without success, although I have spoken to them both today. However, steps were taken to keep the Information Commissioner fully informed and to alert the Association for Payment Clearing Services so that banks could monitor the bank accounts listed in the database to prevent unauthorised access.

The intelligence services were also informed, and asked to assess whether the incident could lead to an increased threat to our personnel. Their view, understandably, was that the risk would depend on whether the information fell into the hands of extremists, but that there was no indication that had happened. Of course, we are keeping the matter under constant review.

Letters have been sent to all 3,700 people whose bank details were included in the database, and are being sent to the 153,000 people who applied to join the Royal Navy, the Royal Marines or the Royal Air Force during the relevant periods. We have set up a free telephone helpline, an e-mail address and an address for correspondence for use by anyone who is concerned about the implications of the data loss and wishes to seek further information.

As soon as the theft was reported, the Royal Navy began an internal investigation into the incident itself, which has now been completed. Steps are being taken by the Navy to prevent a recurrence, and the chain of command is considering appropriate action against the officer concerned.

An internal investigation is also under way by the MOD’s head of security into the wider security issues raised by the loss of the data. In the time available, the investigation has established that in addition to the laptop stolen on 9 January, two further laptops potentially containing similar data have been stolen. A Royal Navy laptop similar to that stolen on 9 January was stolen from a car in Manchester in October 2006, and an Army recruiting laptop, containing details of about 500 individuals, was stolen from a careers office in Edinburgh in December 2005.

These incidents were reported at the time to the local police and to the chain of command, although neither theft was reported to Ministers. Those involved believed that the data were protected by encryption and so no steps were taken to inform those whose records were potentially at risk. That is now being done in the same manner as I have described for those affected by the most recent loss. Nor was the Information Commissioner informed, but that has now been done. There is nothing to suggest that the earlier thefts have been exploited for criminal purposes or any other purpose in the intervening period.

As I said, our internal investigation has identified weaknesses in the application of MOD security procedures to the database, which is managed by the Army recruiting and training division on behalf of all three services.

In the time available, it has not been possible to establish all the facts, but it is clear that the database files were unencrypted, in breach of MOD procedures, and that there were shortcomings in security training and awareness among the relevant staff. Further, although the MOD was a full participant in the Cabinet Office-led review following the loss of data by Her Majesty’s Revenue and Customs, the thefts and the failure to comply with agreed MOD procedures for the system were not highlighted by those responsible for the system during the first phase of that review.

Accordingly, following consultation with the Information Commissioner, I have invited Sir Edmund Burton to undertake a full investigation into how these weaknesses came about, including responsibility for any breach of security and accreditation procedures, and to review the steps that we have taken to prevent any recurrence. Sir Edmund is chairman of the Information Assurance Advisory Council and supports the Cabinet Office in the implementation of the Government’s information assurance strategy. He is also a former chairman of the Police Information Technology Organisation and former commandant of the Royal Military College of Science.

Sir Edmund will work closely with those in the Cabinet Office who have been reviewing procedures across Government, following the HMRC loss of data. His report will enable us to answer the questions that still need to be answered. The Information Commissioner has confirmed in particular that the review will be wide enough to address the questions that he has raised, including why a database of this size was thought necessary for field recruitment staff. It will also enable the chain of command to identify where responsibility lies and whether anyone needs to face action as a result. Sir Edmund’s full report will be made available to the Information Commissioner.

I take this theft of personal data extremely seriously. I am also keenly aware of the risks if the data had fallen into the wrong hands, although I emphasise that there is no evidence that they have done so. As with all parts of Government, those who have dealings with the armed forces have a right to expect that their data will be properly protected. I very much regret that that has not happened. I am determined that we should identify exactly what went wrong and learn lessons. This must never happen again, and I will keep the House informed of the outcome of the various investigations to which I have referred.

I am grateful to the Secretary of State and his permanent secretary for providing me with information in relation to the incident. I am afraid that it all adds up to a damning picture of MOD incompetence, mismanagement and poor practice. In many ways, it is worse than the loss of the child benefit records, because we know that the information fell into criminal hands as it was stolen by a criminal. As the Secretary of State says, it could be used for identity theft or, worse, for terrorism.

It is clear that the MOD did not follow its own procedures for the protection of databases. Its procedure can hardly be described as robust. It is clear that the Cabinet Office review was ignored or simply not implemented. It is clear that two similar cases occurred, but Ministers were not informed. Why not? The Secretary of State does not know why his own recruiting officers routinely carry such information, so can he at least tell us how many of them carry it? He must know by now. Why are all those categories of information needed—for example, the religion of recruits, which can be very sensitive information and could prejudice several minorities in the armed forces?

It is clear that Ministers believed that information was encrypted, but they did not know, which raises the question of whether the item was an MOD laptop—or was the information kept on the officer’s personal laptop? If so, how often has that occurred? Are Ministers sure that the other two laptops that went missing have encrypted data, and what back-up is kept to enable checks to be made when things go wrong?

Clearly, we do not know what risks will be faced by those on the database—it depends entirely on whose hands it has fallen into—but putting our troops at risk in such a way is unforgivable, because it seems as though there has been systemic failure, rather than a single act of incompetence or irresponsibility. We now know that 68 MOD laptops were stolen in 2007, 66 in 2006, 40 in 2005, and 173 in 2004. What on earth is going on? How much information on our service personnel is floating around out there? Most importantly, why has nothing been done about such incidents, when they have occurred regularly for a number of years?

Can the Secretary of State tell the House how many of the computers that have been stolen since 1998 had a classification of “confidential” or higher? What was the security classification of the laptop stolen most recently? What is his Department’s policy on classifying and storing sensitive information on MOD computers in general? More importantly, what role does he have in determining what information is classified and at what level, and who has access to that information? Will he list and publish in the Library all the departmental rules, regulations and protocols that were broken, leading to this catastrophic loss of information?

Lately, it has been shown that the Government take a cavalier approach to the confidential details of UK citizens, but in the case that we are considering, the security aspects make things worse. There will be a damaging effect on the confidence and morale of our forces, which will do nothing to solve the crisis in retention and recruitment that we face. It is a dreadful mess that the Secretary of State has outlined to the House today, and it will require total commitment to put the matter right. At this stage, even he must realise that this is no job for a part-timer.

The hon. Gentleman is right to say that this is an extremely serious matter, and I am well aware of the implications. I see that there are Members from Northern Ireland present; I am conscious of the important implications that there were on the occasions when information was stolen in Northern Ireland from various agencies, and of the effect that that had on the morale of those serving in our armed forces there, particularly those of them who lived in Northern Ireland. As I served as a Minister at the Northern Ireland Office, I am very conscious of that. That is why the MOD has such clear, strict procedures and systems in place, and they ought to be not only respected but observed meticulously. He is right to identify failure to do that as a matter of the utmost seriousness, and that is how I treat it.

Over and above that, I have to say that the MOD has a good record on maintaining security for a wide range of sensitive information through its procedures. From the information that I have, I have no reason to believe that the issue goes any wider than the handling of the database in question, but that is serious enough. I accept that there needs to be a robust, clear explanation of why such an amount of information had to be carried. I am far from satisfied that there can be such an explanation, but I am not prepared to prejudge the conclusions of the robust investigation that I have set up.

The hon. Gentleman asks about rules, regulations and protocols. I will consider doing as he requests, to the degree that that is consistent with our shared wider objectives relating to the security of those who serve our nation, and those who support them. In any event, I am absolutely certain that the investigation will need to look into all those rules, regulations and protocols. So far, I am satisfied that if they had been observed, the problems would not have happened on any of the three occasions. On his specific question on encryption, I thought that I made it clear that the data on none of the three laptops were encrypted.

The hon. Gentleman asks what provision we make for the support of the people who have to do the work. We provide them with laptops that have a facility for encryption. There were about 300 of those laptops in existence. They were all brought in and secured as of 18 January, whether or not the information on them was encrypted. I shall consider the other questions that the hon. Gentleman posed, and if I believe that any of them require an answer, in the interests of clarity and in support of the investigation, I shall ensure that they are answered in another fashion.

My right hon. Friend has appointed an extremely competent official to undertake the investigation. I have worked with Sir Edmund Burton in the Information Assurance Advisory Council on a number of subjects, so I know that his presence is a big plus. I am deeply concerned, however, that the lack of reporting to which my right hon. Friend referred may constitute a breaking of the law by officials as a result of their failure to handle matters properly within the data protection legislation. While Sir Edmund conducts the investigation, will my right hon. Friend make sure that he takes every possible step to ensure that anyone in his Department who handles personal data has undertaken proper training under the Data Protection Act before being allowed to handle any more sensitive information?

My hon. Friend is right to identify the fact that Sir Edmund Burton is well qualified to do this job. Those who know him, and his fierce reputation as an independent advocate in this area, know that he is well qualified to undertake the investigation. I have set out in short the remit for Sir Edmund’s wide-ranging investigation, and I am satisfied that, as agreed with the Information Commissioner, it addresses all the necessary questions and gives Sir Edmund the flexibility that he needs. If it transpires that there has been a breach of the law—and whatever law is breached—those who are responsible will have to live with the consequences, because they are accountable.

I thank the Secretary of State for his statement, and for calling me on Friday to brief me about this matter. Everyone would accept that the primary responsibility lies with the individual whose foolishness led to the laptop being stolen. However, the House is less ready to accept the Secretary of State’s assertion that the MOD has robust policies, systems and procedures to stop that sort of thing happening. Sir Edmund Burton may reflect on policies and procedures, but the Secretary of State will accept that the systems and controls to stop that sort of thing happening simply have not worked—if, indeed, they exist. As we have heard, this is not the first case—there have been others in recent years—so we need a fundamental rethink about the way in which data are protected in the Department.

In the light of the well-known shortages in manpower in all three of the armed forces, I suppose it is reassuring that 600,000 people wish to volunteer and join the forces. I hope that the confidence of would-be recruits is not shaken by this regrettable incident. Will the Secretary of State reflect on the comments this morning of the Information Commissioner, who said that we have further to go to understand

“the potency of personal information in a database world”?

The Secretary of State told us candidly—and I sympathise with his predicament—that he did not know why that information was kept in one place and put on to a laptop. That is the sort of thing that we have to sort out and understand. The public would be shocked to think that their records were stored in such a way, without knowing how long they were stored and who had access to them. Does he accept that we have to treat the protection of personal information as seriously as we treat official secrets, military intelligence, and, indeed, large sums of money? Is it not clear that a change of culture across Whitehall is needed, and that, as the Justice Committee has suggested, there should be a new crime of recklessly divulging data, and a new power for the Information Commissioner to perform spot checks on data controllers?

The hon. Gentleman referred to the conversation that I had with him on Friday night. In case it is not clear, I should say that I had intended, and was ready, to make this statement on Thursday. After discussions with the police, and for reasons to do with the stage of the police investigation, I made the judgment that it would be better to wait. Unfortunately, however, the media broke the story on Friday. I deeply regret that I had to put a statement into the public domain without speaking in the House about it first, but the story running in the media was wrong, and I could not leave it wrong over the weekend. I am grateful to the hon. Gentleman, the hon. Member for Woodspring and Mr. Speaker for their understanding when I contacted them on Friday night to explain what I was doing. I trust that the House will accept that my judgment was right.

The fundamental point made by the hon. Member for North Devon is right—but I did not say that the MOD had “robust” policies, systems and procedures; I said that we had clear policies, systems and procedures. The hon. Gentleman pointed to a draft of the statement—[Interruption.] I make this point advisedly. The hon. Gentleman has pointed to a draft of my statement—to be checked against delivery—that we gave him. When I was given the final draft of the statement, immediately after Defence questions, I changed that word.

The hon. Gentleman is right: the robustness of the policies and procedures depends on their being observed. The failure to observe those procedures will be the focus of the investigation that I have set up. That failure caused the need for my statement today, and the potential release of the information into the hands of people who should not have it. I deeply regret that, and I am determined to find out why it happened. I cannot give the House an explanation why information relating to 600,000 people needed to be on a laptop; frankly, and without wishing to prejudge the investigation, I do not believe that it needed to be.

I listened with care to the Information Commissioner on the radio this morning. I listened to the questions that he posed; all those questions need to be answered. I have deliberately framed the remit of the investigation so that they will be answered. I have the comfort of knowing that my senior officials spoke to him about the issue, and I understand that he is of the same view. The hon. Gentleman can be satisfied that I am taking the matter appropriately seriously. If there are consequences for individuals, those individuals will have to live with them, whatever they may be. I am not in a position to deliver such a judgment; that is for the chain of command.

Has anyone been disciplined for negligence as a result of losing a laptop containing sensitive personal information since 1997?

The right hon. Gentleman has told the House what steps he has taken to prevent a future blunder of this kind. He will know about the loss of Child Support Agency data at the back end of last year. Will he say what steps he and other Ministers personally took then to ensure that no blunder of the kind that has just occurred was perpetrated by his Department?

As the right hon. and learned Gentleman would expect, I made it clear to the permanent under-secretary that we should co-operate fully and comprehensively with the review that was being set up at the centre of Government. I said that we were to ensure that what might well have been at the heart of the Revenue and Customs problem—a culture had appeared to grow up that, at least in some regard, did not treat such information as being as valuable as it is, and people had not been observing the systems and procedures in place—was not the case in our Department.

As I said in my statement, the interim report that I received on the part of the review that my permanent under-secretary carried out on this particular issue did not identify the problem or the circumstances that I believe, and that I think the investigation will reveal, led to what we have to deal with today. Had I known, I would have taken other steps, but it was not reported to me.

My right hon. Friend has been let down by his Department. This has turned out to be not what we thought it was—the isolated action of a foolish individual—but a section of his Department failing to take elementary precautions about data protection. When he was asked about its systems by the Cabinet Secretary’s review, he was presumably given an assurance, notwithstanding the fact that there had been previous incidents, that those systems were in order. If I were him, I would be very cross about this, and want to do something about it.

I can hardly say that I am delighted about it, but there does not seem to be any point in getting angry in this job. I am often asked if I am angry or frustrated about things, but it seems to me that those are wasted emotions. My job is to get on and ensure that this never happens again—to find out exactly what happened, and to ensure that those who need to be properly trained are properly trained, and that those who were responsible for ensuring that those systems and procedures were properly applied are made properly accountable for their failure to do so.

Given the series of incredible and repeated scandals involving child benefit discs, Department for Work and Pensions data in binbags, and military laptops, has not the time come for an analysis of the problems of data protection that is more extensive, comprehensive and independent than anything that the Government have initiated so far? Should not that also cover information that they deliberately make public, which, in the case of the Land Registry information, has resulted in tens of millions of pounds of people’s freehold property being robbed? And should not the lessons of all this be learned before we proceed with identity cards?

The right hon. Gentleman tempts me into discussing the Land Registry, an area where, because of my professional experience, I may have some limited but now dated expertise—but that is not my responsibility. I accept his point. It is very important that the Government and the Government’s employees take responsibility for complying with the data protection standards for which we have legislated in this House, but it is equally important that the independent Information Commissioner’s Office can properly keep accountable all those who hold information, including the Government. That independent regulation is the right construction, and we have to ensure that it is robust enough. However, at the heart of this is the point, which has already been made, that there needs to be a cultural understanding that such data and information, particularly when it relates to individuals, is as valuable as any other property that the Government or any other institution might have, and it is obvious that that culture is not there across substantial parts of the public sector.

The Secretary of State said that he would not prejudge the very thorough investigation that he has put in hand. However, does he understand the incomprehension and fury felt by people in defence communities such as Plymouth, who think that common sense, rather than rocket science, should have stopped this sort of thing happening? Can he give the House a greater sense of how the cultural change to which he referred can be put in hand before we receive the report—and when we will receive it?

I am grateful to my hon. Friend, who speaks with justifiable passion for those whom she represents—some of whom, I have no doubt, will be receiving letters from us in the near future, and will have a degree of concern. We will endeavour, by our response to those who get in touch with us, to support them through this. It will be a vulnerable time for them; I accept that. I am not in a position to tell my hon. Friend exactly when the report will be available, because, with respect, Sir Edmund has not yet started on his work, but as soon as I am in a position to give the House some indication of when the work will be completed and how I will keep the House informed, I will tell it specifically what I plan to do. I also intend to have further conversations with the right hon. Member for North-East Hampshire (Mr. Arbuthnot) and my hon. Friend the Member for Cannock Chase (Dr. Wright), in their capacity as Chairs of the Defence Committee and the Public Administration Committee respectively, to ensure that they are kept fully informed. I am sure that both their Committees will be interested in inquiring further not only into the circumstances of this loss of data but into what we do.

I cannot make it any plainer than that. I am taking this matter with the utmost seriousness, and I intend to get to the bottom of what happened. If there is a reason, even if it is not a justification, for why that amount of information was being carried on a laptop, I will find out what it was. I intend to take the steps necessary to ensure that nothing like this ever happens again in the MOD.

Four Departments have now been responsible for losing data. Does the Secretary of State understand the serious damage done with regard to the community’s view of the Government’s competence in the protection of public records? Surely every instance of such loss reinforces the argument against ID cards.

The Secretary of State mentioned that he was sensitive to the concerns of Northern Ireland. I therefore wonder why my right hon. Friend the Member for North Antrim (Rev. Ian Paisley), the leader of my party, was not informed about this matter by the Secretary of State. Did any of the details contained in the stolen laptops refer to Army service recruits in Northern Ireland? The Secretary of State knows that there is an increased threat to security forces personnel in Northern Ireland, so it would be important to inform them if any of their names were on that laptop.

I am very aware of the issues the hon. Gentleman raises, and I cannot make it any clearer how seriously I take this matter. He knows how seriously I take such issues, from the time that I served as a Minister in Northern Ireland, when I dealt with him, his party colleagues and others in relation to similar matters. I am well aware of the potential security implications.

It is clear that the protection of data is relevant to the identity cards scheme, but as the hon. Gentleman is probably aware, the scheme is underpinned by biometric data that will protect people’s identities from being taken and/or used. That is the fundamental problem with loss of data, although there is a specific personal security problem in relation to the data in this case, which I understand. I do not think that the read-across that people constantly suggest with ID cards is robust.

I understand how important the issues that the hon. Gentleman raises are and I give him my word that I will do everything to ensure that they are taken seriously. As far as those who may be living and/or serving in Northern Ireland are concerned, I am not in a position to answer his question at this stage, but I am certain that some of the people concerned must be in Northern Ireland, and if they are exposed to any degree of risk, they will receive a letter from us, just as others involved will.

Most hon. and right hon. Members find it mind-boggling that 600,000 names were on a laptop in the back of a car in Birmingham. My hon. Friend the Member for Cannock Chase (Dr. Wright) raised the point that we are not looking at the actions of just one individual, but a systemic failure in procedures. Will my right hon. Friend assure me that the lowly naval recruitment officer concerned will not be made a scapegoat for this mistake, and that those further up who are responsible for the systems in question will take responsibility for this incident as well?

My hon. Friend makes some good points. Wherever responsibility, or any part of it, falls, that is where responsibility should be taken. Clearly, the person responsible for the immediate security of the laptop was in breach of regulations in leaving it where he did. I accept that he is not wholly responsible for the circumstances, but whatever the Navy chooses to do to him through its disciplinary procedures will be a matter for its chain of command, and the same applies to everyone else involved. I have no intention of protecting anyone from the consequences of the decisions that they have taken, if they were in breach of regulations.

It is completely unacceptable for the Secretary of State to inform only some parties in the House about major events and to overlook others, especially parties of Government in Scotland, Wales and Northern Ireland. He has been able to give a breakdown of some of the data, so will he tell the House how many of the people in question are domiciled in Scotland, Wales and Northern Ireland? What notice was given about the data loss, and when, to the devolved Administrations of Scotland, Wales and Northern Ireland?

This is the United Kingdom and we are the Government of the United Kingdom. It may well have escaped the notice of the hon. Gentleman during his obsession of the past few months, but our writ runs across the whole United Kingdom. We are perfectly capable of communicating with the citizens of the United Kingdom, whatever part of the United Kingdom they are in, via Royal Mail and other methods. [Interruption.] Let me just deal with that issue; I apologise for not doing so earlier.

The story was running on Friday night. I had to get this statement out, because I could not let the story run dishonestly, as it were—in terms of the facts—for very long. I set out to speak to certain people, and had then to get the statement out. I accept that I did not speak to representatives of every party in this House. I regret that I was not able to, but I had to correct the misinformation that was running in the public domain.

Having used the Front-Bench spokespersons and Mr. Speaker as a test of the mood of the House on the subject, I took the decision and took responsibility for that. Thereafter, I determined that I would not put any other information anywhere else until I was able to come to the House to give a statement. That is the decision I took. I suspect that that will not cause offence to the people of Scotland, but the hon. Member for Moray (Angus Robertson) can rest assured that if I think that any issue requires the engagement of the devolved Administrations, including the minority Administration in Scotland, they will be told. At the moment, my Department and the UK Government are perfectly capable of dealing with the matter.

If the press reports are right, the theft occurred at institutions where the MOD works together with the NHS, which takes us to a wider issue that does not concern only the systematic protection of MOD data. When the MOD has to work with other institutions, such as the NHS, the Secretary of State ought to look carefully at the sheer extent of access to the databases with which they work and the systemic structures when one Department has access to another’s large database. Will he take that as part of the review’s remit?

The information that I have—I have not physically and personally checked the database—is that this is our stand-alone database. I have no information to suggest that it is in any way connected with the database of any other organisation. I am quite surprised that my hon. Friend raises that issue. If it arises from the physical proximity of the work, then to be candid with my hon. Friend I am saying the minimum possible in the public domain about the circumstances of the theft. The ongoing police investigation is at a critical point and I do not want to put any information into the public domain that might interfere with or degrade it.

The Secretary of State’s statement paints a picture of blatant disregard and breach of not only MOD procedures but Data Protection Act principles, too. That is most notable in the size of the database that has been created. Obviously, that is of concern to not only the Secretary of State but the Information Commissioner. The Secretary of State said that other laptops had been secured. What analysis of those laptops has been undertaken to see whether they, too, contain unencrypted databases of such a size and nature? Are any other officers or personnel subject to disciplinary proceedings as a consequence of such actions?

The hon. Gentleman asks a good question, to which the good answer is that securing the laptops was the principal objective. I am not in a position today—although I trust that Sir Edmund’s investigation will reveal the detail—to say how many of the approximately 300 laptops that we have secured had such unencrypted data on them. I am sure that some did and, to the extent that they did, that is a breach of regulations. It is for the chain of command to investigate that and determine whether the existence of those laptops in that state supports any disciplinary action. However, as the hon. Gentleman will understand, it is not for me as Secretary of State to tell disciplined organisations, which have their own structure and, indeed, law, how to conduct their affairs. They have procedures for conducting them and I am confident that they will.

May I express a small measure of sympathy for the Secretary of State? He is in an embarrassing position today as a result of a culture among public servants that frankly lacks the proper respect for our personal information. With that in mind, will the review consider not only why the information was held on a database but why it was obtained in the first place? Will the Department operate in future on a presumption that the information obtained should be the minimum amount, held for the shortest possible time?

I am grateful for the hon. Gentleman’s sympathy but I do not seek it, certainly not for some of the more difficult things that I have had to do in my job. It is my job to get on with the matter and resolve the problems robustly, if possible.

The information gathered should be considered carefully and the necessity for holding each item should be tested. I understand why, at the point of recruitment, it is appropriate to gather specific and detailed information about recruits for transfer to the unit where they are posted or the relevant training organisation. However, after recruitment, the reason for the recruitment authority’s keeping the information once it has been transferred to those who are responsible for the individuals defeats me. The question needs to be asked—and it needs to be answered compellingly for me to accept the answer.

Following the comments of the hon. Member for Pendle (Mr. Prentice) that no officer or individual has been disciplined for previous losses, and given that it is and always has been an offence under section 8 of the Official Secrets Act to fail to take care to prevent the unauthorised disclosure of similar information, will the Secretary of State give an undertaking that, should the officers concerned be found to be in breach of the Act, they will be charged with an offence? Only then will the House believe that the Department is taking data protection seriously.

That is a false test for my Department. There is a constitutional principle in this country that decisions about whether people are prosecuted for criminal offences are made independently of politicians. I would go to some length to honour that. I am not, therefore, prepared to give the hon. Gentleman the undertaking that he seeks. However, I am prepared to give an undertaking that, so far as it is in my power to do so, the matter will be exhaustively investigated. If reports have to go to another authority to determine whether a prosecution is needed beyond the actions that the chain of command of a particular service may take, that will be done. However, I cannot promise that anybody will be prosecuted—no Executive Minister should ever do that.

Of the 347 laptop computers lost or stolen from the Ministry of Defence in the past three years, how many have been recovered? If the Secretary of State does not have that figure at his fingertips, will he write to me and place a copy of his reply in the Library of the House?

The hon. Gentleman properly predicts that I do not have that information—to be honest, I do not know whether it exists. However, I shall endeavour to the best of my ability to find it. If that is in the bounds of reasonable expense, I will write to him and make the letter available to all hon. Members.

Had the database been on paper, we would be considering approximately 1 million sheets of paper weighing about 5 tonnes—not so easy to steal. Large databases are easy to copy and they come with large risks. Does the Secretary of State accept that the Government need to review seriously the holding of and access to large databases?

I accept that, and as far as I understand it, that is exactly the review that the Cabinet Office is conducting. Hon. Members have asked today whether that review needs a more robust, independent element to it. That is a matter that I shall consider.