(2) what steps have been taken to reduce future losses of ICT equipment;
(3) how much has been spent trying to recover the missing items referred to;
(4) which of the items of ICT equipment recorded as lost or stolen had software protection installed; and if he will make a statement;
(5) what assessment he has made of the types of data held on the ICT equipment which has gone missing from his Department since 2001; and if he will make a statement.
The Department takes very seriously its responsibilities to safeguard personal and other sensitive data. In the last 12 months, a number of major changes have been made in the way that data is handled and stored, especially insofar as items of removable equipment (such as laptop computers and memory sticks) are concerned. Significant improvements have been introduced, including the widespread deployment of encryption.
The information about lost and stolen equipment, given in response to the question referred to, was obtained from centrally maintained records of security incidents. Detail is not available from these central records to indicate the nature of disciplinary action that was taken in individual cases. Such information could be obtained only at disproportionate cost, given that the bulk of these incidents occurred a number of years ago. However, the Department is currently reviewing its disciplinary policies to better reflect the importance which it attaches to the security of valuable assets and information.
Following the Cabinet Office Review of Data Handling Procedures in Government, the Department has designated senior staff as information asset owners, who are personally accountable for providing assurance in relation to the information assets within their respective business areas. Additional steps taken to reduce future losses include measures which prevent employees from copying information to removable media, except where this has been encrypted.
Information on the costs of seeking to recover earlier lost or stolen equipment and which of such items had software protection installed is not available and could be provided only at disproportionate cost.