The Home Office has promised the Information Commissioners Office that it will handle data securely after being found in breach of the Data Protection Act.
Following the incident where PA Consulting, a contractor to the Home Office, lost an unencrypted memory stick containing the sensitive personal information of thousands of people last year, the Information Commissioner's Office has now made the Home Office sign a formal undertaking to protect citizens' data.
The Home Office has promised that from now on, all mobile or portable machines that carry personal data will be encrypted, and that any contractor will also use encryption.
Assistant commissioner Mick Gorrill, said: “The Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal information is kept secure. The Home Office recognises the seriousness of this data loss and has agreed to take immediate remedial action. It has also agreed to conduct future audits to ensure compliance with the Act.
“This case was serious because it involved thousands of individual records, which contained sensitive information on people serving custodial sentences and others previously convicted of criminal offences.
“This breach illustrates that even though a contractor lost the data, it is the data controller (the Home Office) which is responsible for the security of the information. It is vital that sensitive personal information is handled properly and held securely at all times.”
The Home Office has avoided an enforcement notice against it, a breach of which would be a criminal offence carrying a fine of up to £5,000, by agreeing to the undertaking ‘in consideration of the Commissioner not exercising his powers to serve an enforcement notice'.
The Information Commissioner's Office has also taken similar action against Abertawe Bro Morgannwg University NHS Trust and Tees, Esk and Wear Valleys NHS Foundation Trust.