The events that led to the complaints
How the data loss happened
On 18 August 2008 an employee of a Home Office contractor lost a memory stick containing information about offenders, some of whom, but not all, are still in prison. The contractor had been contracted to administer the JTrack[2] system for the Prolific and Priority Offender programme. The contractor warned the Home Office of a possible loss late on 18 August and this was confirmed on 19 August. The Home Office notified the Information Commissioner about the loss during a telephone conversation on 21 August and provided formal notification to the Information Commissioner, in the form of a report, on 10 September. The loss was reported extensively in the media on 22 August.
In their notification report of 10 September 2008 to the Information Commissioner, the Home Office said that there were 10,000 to 11,000 prolific and priority offenders being actively managed in England and Wales. They explained that the contractor provided the JTrack hardware, software and system support under contract to them and that the contractor regularly received information from the Home Office and the National Policing Improvement Agency. The Home Office said they were satisfied that all information transferred by them was appropriately secure but that an employee of the contractor transferred data on to an unencrypted memory stick in breach of the contractor’s own security policy.
It seems that the contractor’s employee received (via secure email from the Home Office) two data sets – Prisoner data and Prolific Offender data – and downloaded them in a non-secure area and transferred them on to an unencrypted memory stick. The employee then received a third data set from the National Policing Improvement Agency by way of encrypted CD ROMs and transferred it again to the same memory stick in a non-secure area of the office. As part of a separate process, a fourth dataset was downloaded directly from the JTrack system to the same memory stick in order to send this information by way of secure email to another contractor involved with processing Drug Intervention Programme data. The Home Office told the Information Commissioner that they were satisfied that the contractor had breached their contract with them and so they had terminated it. They explained that they are now supporting the JTrack system in-house.
The Home Office’s position on the information contained on the data stick
In their notification to the Information Commissioner, the Home Office also explained that it was not possible to confirm categorically the extent of the information on the missing memory stick. They estimated (based on the recollections of the contractor, their regular processes and knowledge of what was sent to the contractor by the Home Office or National Policing Improvement Agency) that the memory stick contained:
- data from the Police National Computer, including the personal details of individuals with six or more recordable convictions in the preceding 12 months;
- names of prisoners in custody in England and Wales with prisoner and prison identity codes, expected release dates and Home Detention Curfew dates in some cases;
- details of prolific and priority offenders; and
- details of individuals on Drug Intervention Programmes.
That concurs with the information that the Permanent Secretary to the Home Office gave me in his letter of 13 November 2009. He also pointed out that there would be some overlap between the data sets as some prolific and priority offenders would be included in the list of those in custody. He said that he could not determine with sufficient precision the extent to which the data sets overlapped in order to provide a figure for the total number of individuals concerned. However, given the further research that the Association of Chief Police Officers have undertaken on the contents of the data stick and the numbers affected, which I have set out above, it seems to me that a more accurate description of the position is that it would take more extensive analysis to be more precise about the overall numbers and that would not be proportionate at this stage. As I have explained above, I have relied on the Association of Chief Police Officers’ more detailed description of the information contained on the data stick and the numbers affected.
The Home Office’s communication strategy
The Home Office have told me that following the loss, a Steering Group, which included representatives from the Association of Chief Police Officers, the Home Office, the Ministry of Justice, the National Policing Improvement Agency and the Metropolitan Police (and in discussion with the Information Commissioner), decided not to contact everyone who might be affected by the data loss. The Permanent Secretary has told me that this was because many of them were either active or former offenders and the police were aware that many of them might be difficult to locate. They considered that communicating through a third party might cause more worry and distress, as they could not be sure whether family and friends were aware of the details of the individual’s convictions, and giving them information about an individual’s conviction might actually cause more distress to that individual.
In their notification to the Information Commissioner of 10 September 2008, however, the Home Office said that they considered that the disadvantages of contacting those affected outweighed the benefits of doing so, and that it would probably exacerbate the situation rather than help. They said that they had reached that decision because:
- communication to the prison population was being managed by prison governors, which would minimise the risk of disruption within prisons;
- addresses given by individuals in the criminal justice system can often be unreliable and there was a high risk of giving away sensitive data about criminal records by writing to incorrect addresses;
- support was available to those affected via the public enquiry contact points; and
- the risk to the vast majority of individuals had been assessed as low and contingency plans had been put in place to respond quickly in the unlikely event of the data becoming public.
Whatever the precise rationale, the Home Office have told me that the Ministry of Justice sent a notice to chief probation officers and prison governors with a brief outline of the missing data; the intention was that this would enable them to respond to any concerns raised by prisoners or those under probation supervision. The assumption was that those affected would find out through the media and relatives and, if they had any concerns, these could be addressed by the prison governors or probation officers who had already been briefed. The Home Office’s general enquiry line was also briefed to deal with any calls on the subject.
The Home Office have also told me they have set up arrangements to ensure that any individual who considers his or her data may have been lost as a consequence of the loss of the data stick, will (upon proof of identity) receive a written response from the Home Office setting out the data fields in which the individual may have been included. In many instances, individuals’ details will have appeared on more than one of the data sets, requiring an individual response in each case. So far, the Home Office have provided this information to more than 800 individuals.
Risk Assessments
As I have touched on above, the Home Office did, however, take action to consider the risks of the data being made public, and the Association of Chief Police Officers drew up a risk assessment with mitigation in terms of the most at risk groups. They identified that the most at risk groups would be sex offenders and witnesses on protection if they were affected. Witnesses were not affected by this loss and so sex offenders were considered to be the most at risk group. They considered those at risk in this group were the people whose names, addresses and offence details could be matched. They identified 34 sex offenders in this group, of whom three were of no fixed abode, ten were out of prison and 21 were still in prison. In these cases the relevant local police force was notified to consider any risks the loss posed to the offenders’ families, with any decision to contact the individual or family made locally. That was in line with the risk assessment, which said that:
‘Relevant police forces will be informed of the details of the sex offenders who have been identified as potentially at risk and are currently not within prison. Details will be passed to the MAPPA [Multi Agency Public Protection Arrangement] teams in order that crime prevention advice can be provided to the individuals where appropriate. In doing so, this will enable the most recent information available to be considered as part of the process.’
The risk assessment went on to say that prison authorities were handling notification to individuals currently within their establishments and Multi Agency Public Protection Arrangement teams would be notified of any imminent release dates. The Permanent Secretary has told me that as of 13 November 2009, a total of eleven individuals were visited personally by the police and prison staff and a further seven were informed through their families, where there was confidence that the family was in close contact with the individual. (I do not know why the 13 other people potentially at risk, and whose whereabouts were known, were not contacted but I do not believe that this is material to my assessment which follows.)
The Association of Chief Police Officers also considered that there was a low to medium risk of those affected being subject to fraudulent crime. That was because the data stick did not contain financial information about individuals. That was to be mitigated by the provision of advice to anyone concerned on how to be vigilant in respect of their finances.
The external scrutiny report
The Home Office also commissioned an external scrutiny report to look into the way they had handled matters. The report was completed in late September 2008 and concluded that the Home Office had responded appropriately and well to the incident; appropriate risk assessments had been conducted to assess the possible implications for individuals and steps taken to mitigate such risks. The report also noted that the Home Office had identified important lessons from the incident, particularly the urgent need to improve controls and audits of their commercial suppliers. The report also made a number of recommendations for further action in relation to embedding the learning from this incident and preparing a good practice guide for senior managers.
The Information Commissioner’s decision not to take enforcement action
The Information Commissioner decided not to investigate the data loss as the Home Office had notified him appropriately, promptly investigated and on 10 September 2008 provided formal notification in the form of a report (which was independently scrutinised later that month). The Information Commissioner decided that enforcement action was not required as the Permanent Secretary had signed an undertaking to ensure that data are processed in accordance with the Data Protection Act and that the Home Office would check its data processors for compliance with that; and because the Home Office had taken the matter seriously.
Claims for compensation
On 29 March 2009, the solicitors who represent a large number of the people who have complained to me wrote separately to both the Home Office and to the Home Office contractor saying that they had been instructed by over 1,000 prisoners in connection with the data that went missing in August 2008. They maintained that the Home Office/the contractor had not complied with the Data Protection Act and that they intended making a formal complaint to the Information Commissioner. Before doing so, they asked the Home Office/the contractor to provide copies of any reports and full details of subsequent action taken; to state the date and circumstances of the loss and what information was lost.
The Home Office replied on 22 April 2009 enclosing copies of their internal report of 10 September 2008 to the Information Commissioner and the external scrutiny report. They said the reports answered all of the solicitors’ questions. They invited them to contact them if they required any further information.
In response to claims for compensation the Home Office have received direct, they have provided a generic response, which explains that they consider there are no grounds to uphold a complaint or seek compensation as the risk assessment had determined that there was no heightened risk to individuals or their families. That was because the data did not include any financial information and all the individuals concerned had Police National Computer identification numbers, meaning that data relating to them were already in the public domain.
The Prisons and Probation Ombudsman
I understand that the solicitors have also complained to the Prisons and Probation Ombudsman about these matters, and in response he has explained that he cannot consider the complaints, as they do not fall within his remit. That is because the data was not lost by a member of staff of HM Prison Service, UK Border Agency or the National Probation Service.
Footnote
[2.] JTrack is a Home Office system and it is an operational tool used by the Police and the Crown Prosecution Service to support the Government’s Prolific and other Priority Offender (PPO) programme. The custody details of PPOs have been entered on to the JTrack system since 2006. The purpose of the system is for individual areas to see when one of their PPOs enters custody, is moved between prisons, and is due for release and from which establishment. The Home Office have said that this is a useful tool for reducing crime and it ensures that prolific offenders are not released into the community without the knowledge of the local police, who I understand often meet prisoners as they leave prison. The Police National Computer is used to provide the information on persistent offenders.


