The UK Government has just announced its decision to terminate its contract with PA Consulting, the private sector contractor which it had engaged to carry out a research project on tracking offenders through the criminal justice system. This follows an inquiry by the Government into the circumstances surrounding the loss (which became public nearly three weeks ago) by PA Consulting of a memory stick containing the unencrypted personal data of all 84,000 prisoners in England and Wales. Home Secretary Jacqui Smith indicated the Government's inquiries showed PA Consulting to be in breach of the data security provisions of its contract, in that data held on a secure site was downloaded by the contractor to an insecure memory stick which was then physically lost.
* Reports suggest the memory stick was placed in an unlocked desk drawer. Presumably at the next IT event they sponsor, PA will not be handing out memory sticks as freebies.
Stop press: PA has now responded to the Home Office…
As is appropriate in these circumstances, PA Consulting has avoided making any comment on this incident until publication of the report of the Home Office to the Information Commissioner. This report has been published today.
We have not yet had the opportunity to review the report in detail. However, we accept PA's responsibilities in this incident. As indicated in the notification, PA has a comprehensive system of security procedures and practices in place in order to protect, in addition to government information, sensitive information from commercial clients. The loss of data on this project was caused by human failure: a single employee was in breach of PA's well-established information security processes. We deeply regret this human failure and apologise unreservedly to the Home Office.
We have cooperated and continue to cooperate fully and willingly in the immediate reporting, ongoing investigation, and resolution of this incident.
We reported the potential loss of data to the Home Office at 16:30 on 18 August 2008, the day that the loss was discovered and less than two hours after it was reported to PA's management. We then confirmed the loss to the Home Office at midday on 19 August.
PA has conducted an examination of every one of our government and private sector projects that handle personal, sensitive or protectively marked material against recognised best practice and government-approved processes. Our review has confirmed that, apart from in this isolated incident, we are fully compliant with robust policies and procedures and are achieving high levels of information assurance across all of our work. In addition, several government departments have carried out their own extensive audits of PA projects and in all cases have found them to be fully compliant.
PA has safely handled sensitive government information for over 60 years and this is the first incident of such a nature that PA has been involved in. It is clear from the events of recent weeks that the challenge of managing necessary confidential information held by government, and in particular of eliminating human error, is industry-wide. We are engaged in dialogue with our clients and competitors to address, and find solutions to, this challenge.