My right honourable friend the Minister of State for Defence (Bob Ainsworth) has made the following Written Ministerial Statement.
The House will be aware that the Ministry of Defence is investigating the disappearance of a computer hard drive from the premises of a contractor, EDS, at Hook. This incident has happened in part as a result of the work that the MoD has been doing in partnership with EDS to implement the requirements of the Cabinet Office’s data handling review (DHR) and our own action plan following Sir Edmund Burton’s review into data handling in the MoD. This process of departmental improvement will continue to root out and expose areas where shortcomings need to be tackled.
In this most recent case, while conducting an audit of storage media, EDS found that it could not find a removable hard disk drive. Under the terms of its contract EDS is required to protect all personal information in its care. The hard drive had been used with the TAFMIS recruitment system and may, in the worst case, contain details relating to 1.7 million individuals who have inquired about joining the Armed Forces. For casual inquiries this will include no more than a name and contact details. But for those who applied to join the forces more extensive personal data may be held. In some cases this will include personal information such as next-of-kin details, passport and national insurance numbers, drivers’ licence and bank details and National Health Service numbers. EDS assesses that it is unlikely that the device was encrypted because it was stored within a secure site that exceeded the standards necessary for restricted information. An investigation is being conducted by the MoD Police. The MoD has set up a helpline for those who may be affected by this incident, and for those individuals whose financial details may be involved, action has been taken through APACS (the Association for Payment Clearing Services) to inform banks so that the relevant accounts can be flagged for scrutiny against unauthorised access.
As a result of the review conducted earlier this year by Sir Edmund Burton, the MoD is clear about the crucial need to implement wholesale improvements in how we store, protect and manage the use of personal data. We are also clear that we need to effect a significant behavioural change among our people at all levels. We are currently engaged in a comprehensive programme to do all of this. The MoD is a large department operating many complex data systems worldwide, often at very short notice and under extreme conditions. This presents additional challenges and risks in the implementation of rapid change—however, we are determined to ensure that we effect that change.
We have pursued the task with urgency and commitment and in the process we have identified further opportunities for improvement. The progress that the department has made to date is consistent with that required by the DHR timetable and the commitments we have made to the Information Commissioner. Some of the greatest challenges that we have had to overcome relate to incorporating stricter data handling standards into existing contracts and their related systems retrospectively.
We have undertaken a series of comprehensive reviews into our personal data holdings, looking wider than our personnel systems, and assess that we hold in excess of 200 million records. By the end of October, as agreed, all personal data held by the MoD will be under the new governance regime required by DHR. This work relies heavily on reciprocal commitment from our key suppliers. Central to it is our continuing detailed census of storage as part of our commitment to good data management. In line with this, it is intended to reveal whether any storage devices cannot be accounted for. Such cases are treated very seriously with immediate action to investigate the loss, engage individuals who might be at risk of compromise and alert the Information Commissioner. This process led to the discovery of the missing hard drive at the EDS site in Hook.
The fact that this event, and another involving a suspected theft at Innsworth, has occurred on a high-security site manned by cleared personnel illustrates the need continually to review and enhance our arrangements for personal data. This work relies heavily on reciprocal commitment from our partners.
The Information Commissioner’s Office recognises that we may uncover further issues as we implement our assurance regime. This is a direct result of emplacing an effective approach to data security. The implementation of our action plan remains on track to be compliant with the requirements of the Burton review by the end of March 2009 and likewise the requirements of DHR by October 2009. We will update the House as required.