My honourable friend the Parliamentary Under-Secretary of State for Transport (Jim Fitzpatrick) has made the following Ministerial Statement.
Subsequent to Written Answers I gave on 29 January, 11 March and 2 April 2008, to Parliamentary Questions on data handling, I would like to inform the House that further investigation has revealed additional information.
The response to the honourable Member for Chipping Barnet (Question 175768) [Official Report, Commons 29 January 2008; col. 197W] should have included reference to three further instances of data being accessible overseas:
First, the Vehicle Operator Services Agency has an IT contract with Siemens covering the computerisation of the MoT Scheme. The Siemens data centre is based in the UK and all operational data are stored in the UK. However, some of the data were processed by Siemens staff in India on a controlled basis for the purpose of correcting and updating software code. The data were not transferred to a physical storage device outside the UK, and the data could not be saved, amended or copied to any device in India.
The information that was potentially viewable on this basis was as follows:
information relating to the construction/specification and the registration mark of all vehicles in Great Britain that are subject to the MoT scheme. This does not include any details in relation to the registered keeper of the vehicle;
details of 65,500 nominated testers under the MoT scheme comprising individual's name, home address, date of birth, telephone number and driving licence number; and
details of 16,500 individual authorised examiners under the MoT scheme comprising individual's name, business address, business telephone and fax number.
Siemens was instructed to revoke all access to operational data from India in relation to the MoT computerisation system on 12 June 2008.
Separately, the central department has a contract with Siemens for a public inquiry service that uses a system provided under contract by RightNow Technologies. That company backs up the information transporting the data electronically via an encrypted channel to its disaster recovery centre in Chicago where it is held in an unencrypted form in a physically secure environment. A further unencrypted tape backup is maintained by Iron Mountain in a vault in New Jersey. The information includes business contact details of DfT staff, and details of calls and callers’ name and telephone number for queries that have been referred to the DfT internal team for answer.
Finally the central department uses an online survey site hosted by SurveyMonkey.com, a US company whose site is hosted in the United States. This facility has been used by the department to conduct surveys including staff surveys. Personal information relating to DfT staff included name, workplace address, qualifications and employment experience. It was also used by VOSA to get feedback on staff events such as their annual conference.
The response to Question 179889 from the honourable Member for Pendle [Official Report, Commons, 11 March 2008; cols. 211-13W] should have included:
In addition to Fujitsu database administrators, IBM database administrators also have direct access to the Driver and Vehicle Licensing Agency’s registers.
Finally, in response to Question 197148 from the honourable Member for Carmarthen East and Dinefwr [Official Report, Commons 2 April 2008; cols. 1010-11W] the following should have been included:
The central department uses an online survey site hosted by SurveyMonkey.com, a US registered company whose site is hosted in the United States. This facility has been used by the department to conduct surveys including staff surveys. Personal information relating to DfT staff included name, workplace address, qualifications and employment experience. It was also used by VOSA to get feedback on staff events such as their annual conference.