Under lock and key? Government departments must not become complacent about data losses. (Image: Shutterstock.com)
For nine months last year, government officials secretly scrambled to find missing DNA samples, bank details and passport applications, which they had lost on a flight from Afghanistan.
The incident is one of thousands of data losses that took place in the first year of the Coalition government.
The Ministry of Justice (MoJ) suffered by far the most losses, with 1,807 personal data incidents. They included 154 losses which happened inside the department’s own secured premises, and more than a thousand ‘unauthorised disclosures’.
An MoJ report admitted there has been a ‘significant increase’ in data loss, but claimed: ‘This is largely the consequence of increased levels of reporting.’
The data was gained through requests under the Freedom of Information Act. Of the departments which were asked for the figures, 12 gave the full details from the first year of the coalition government. Six departments, including the MoJ, agreed only to give the number of personal data protection breaches during the financial year. Three departments did not provide any information.
The Ministry of Defence (MOD) admitted it recorded 396 data losses between 2010 and 2011. They included 65 occasions when files were stolen. The MOD did not confirm how many of the documents had been marked as secret, but said that 49 of the incidents involved personal information.
In one incident computer files containing at least 50,000 people’s personal information went missing. Later in the same week, thieves stole documents with 200 people’s confidential data from MOD officials.
The MOD claimed that its size meant it was ‘almost inevitable’ that it would lose information.
It said: ‘The MOD takes any loss or theft of data very seriously and has robust procedures in place. New processes and instructions have also been implemented to raise awareness of the need for vigilance in all aspects of Departmental security. Our procedures are constantly reviewed and internal communication is regularly updated.’
It added: ‘Investigations are undertaken into every loss or theft, and appropriate disciplinary action taken where necessary.’
Lost in Bahrain
Elsewhere, the Foreign Office reported only six data losses, but they included a period of nine months during which officials scrambled to find a missing diplomatic bag containing DNA samples from Afghanistan.
Delivery company DHL was handed the samples, along with bank details, medical records and passport application forms, which were meant to be flown from Kabul to the UK.
But the items were taken on a route via Bahrain, during the country’s political uprising, because of a ‘commercial decision’ by DHL. When staff in Bahrain realised the package was missing, the unrest meant full searches had to be delayed because of security issues.
It was only after six months of delays and worldwide searches that the Foreign Office finally contacted all the people affected, telling them the items were missing.
One woman, whose credit card details had been lost, told officials: ‘Had someone looked into the missing bag earlier it might have been located.’
Meanwhile, DHL failed to apologise over the incident. A British Embassy official in Kabul said: ‘It would have been nice to have received something from DHL to forward on to the senders in the way of an apology but we’ve had nothing.’
Finally, in November, staff discovered the package sitting in a lost and found depot in the UK.
A Foreign Office spokesperson said: ‘We regret the delay and we take the protection of diplomatic bags very seriously. We have taken steps to ensure that this would not be repeated. There are lessons we have learned from this case.’
In other government departments hundreds of missing sensitive and personal documents were never recovered, including more recent data losses.
Bank details and national insurance numbers
Documents show that in June the Department of Communities and Local Government accidentally sent the bank details and national insurance numbers of all its 2,000 staff members to the wrong email address. The department claimed that protocols were activated immediately and said the person responsible for sending the email was retrained.
Elsewhere the Treasury Office revealed that members of staff had accidentally left ‘sensitive’ and ‘restricted’ documents on planes and trains on four occasions so far since May 2010.
Several incidents in the Department of Health saw patients’ details and prescription information sent to the wrong email addresses. In June a system shut-down was triggered when a software error allowed system users to access the personal data of other users.
Bryan Glick, editor in chief of Computer Weekly, said: ‘From files being dumped in skips to memory sticks being lost, there have been regular losses from government departments. It’s difficult to deny that some is inevitable, as there is some degree of human error. Security will never be 100%, but these figures show that the government could be doing a lot better.’
He added: ‘For the MOJ to have more than a thousand data losses in one year is pretty scandalous. Because the government holds so much sensitive and confidential information, data losses are even more serious. The nature of the data means that the government should be going beyond what’s expected, but it seems like it is not even reaching the basic standards.’
Data breaches have plagued government departments, particularly the MOD, which acknowledged in November that it had lost 150 laptops in just 18 months.
In 2008 an MOD security probe criticised the department for not taking security seriously enough. The inquiry had been launched after thieves stole a laptop containing personal details of 600,000 recruits. The laptop had been left in a parked car overnight in Birmingham.
Investigators found that three other similar laptops had also been stolen from cars since 2004. The report said: ‘Generally, there is little awareness of the current, real, threat to information, and hence to the Department’s ability to deliver and support operational capability. Consequently, there can be little assurance that information is being effectively protected.’
It added: ‘Outside MOD HQ, with a few notable exceptions, there is very limited understanding of the Department’s obligations under the Data Protection Act.’
The breach also led the Information Commissioner’s Office (ICO) to issue an enforcement notice to the MOD. But the ICO said that the loss of two CDs by HMRC in 2008 which contained 25 million people’s personal details remains the most serious breach investigated.
An ICO spokesman said: ‘It’s vital that organisations take this legal responsibility seriously. This is even more crucial when handling sensitive information such as people’s medical details.’
‘Any report of a loss of personal information is obviously a concern for us – that’s why we encourage bodies to put sufficient resources into ensuring they get it right, including encryption and adequate staff training.’