The reasons for my decision
The assessment process
Generally when assessing complaints I first establish that a complaint falls within my remit and is therefore one I could investigate. I am satisfied that these complaints do. I then consider whether it is a complaint that I should investigate. In order to do that, I assess whether there is some evidence of maladministration on the part of the body complained about that has led to an unremedied injustice to the aggrieved person. If there is, I also want to be satisfied that an investigation is likely to result in a worthwhile outcome. My consideration of a worthwhile outcome goes wider than deciding whether an investigation could achieve an outcome that the complainant would be happy with. I also consider whether there might be a wider public interest as a result of an Ombudsman’s investigation, for example, whether the learning from the complaint could be used to drive improvements in public services or inform public policy.
In assessing these complaints I have considered both the matters that gave rise to them and also how the Home Office responded to the situation. I have based my assessment on my Principles of Good Administration.[3]
Principles of Good Administration
I have taken particular account of the following Principles:
- Getting it right: which includes taking proper account of established good practice – in this case the Information Commissioner’s guidance on data security breach management.
- Being open and accountable: which includes handling information properly and appropriately, and which also says that public administration should be transparent and that information should be handled as openly as the law allows; and that public bodies should give people information and, if appropriate, advice that is clear, accurate, complete, relevant and timely.
- Being customer focused: which includes communicating effectively, using clear language that people can understand and that is appropriate to them and their circumstances, and which also says that public bodies should deal with people helpfully, promptly and sensitively, bearing in mind their individual circumstances.
- Putting things right: which includes acknowledging mistakes and apologising where appropriate.
Consideration of maladministration
There are clear indications of maladministration here in that an employee of a Home Office contractor was able to download information in a non-secure area of the office on to an unencrypted memory stick. The data stick was then lost and the Home Office are now in a position where they cannot say categorically what information was contained on the data stick. In line with the Principle of ‘Being open and accountable’ outlined above, I would expect all Government departments, including the Home Office, to handle information properly and appropriately and to ensure that their contractors do so with the security of data kept in mind at all times. That could involve, for example, regular checking on compliance with the security arrangements. While it was not the Home Office who lost the data but an employee of one of their contractors, as they are the body responsible for the proper handling of the data, it is their responsibility to ensure its safety. That did not happen here.
However, it is clear that following the data loss, the Home Office took a number of positive measures in order to put matters right. I have referred above to the Information Commissioner’s guidance on data security breach management. In line with the Principle of ‘Getting it right’ outlined above, I have considered whether the Home Office response to the data loss took adequate and appropriate account of the four important elements the Information Commissioner advises should be included in any data breach management plan.
Those are:
- Containment and recovery
- Assessment of ongoing risk
- Notification of breach
- Evaluation and response.
In terms of containment and recovery, the Home Office took prompt action to investigate the breach and provided a report for the Information Commissioner on the breach on 10 September 2008. The Home Office concluded, after investigation, that it was likely that the data stick was stolen by an opportunistic thief for its intrinsic value and not because of the data it contained. That all seems to me to be reasonable.
In terms of ongoing risk assessment, the Home Office acted quickly to convene a Steering Group to consider the data loss, to consider the risks to individuals affected and to consider the communication plan. That is in line with the Information Commissioner’s guidance on assessing ongoing risks. I will say more about the communication plan below.
The Home Office’s overall approach to risk assessment following the data loss seems to me to be reasonable, especially in terms of the risk assessments undertaken by the Association of Chief Police Officers. They identified that it was sex offenders, whose addresses might be matched to their crimes (albeit it would require a knowledge of offence codes to make the match), who were most at risk from harm. In line with the risk assessments, 34 individuals were identified in this high risk category and the relevant local bodies were made aware of this and given the task of communicating to the individuals concerned and ensuring plans would be put in place if the information were ever made public. Multi Agency Public Protection Arrangement teams were also notified of release dates of those in this high risk group. It seems to me to be sensible for the Home Office to have relied on local bodies, such as the police, prison governors and probation officers, to make decisions about communications with people within this group and a reasonable way of dealing with the risk that had been identified.
The Home Office also considered the risk of the information contained on the data stick being used for the purposes of fraudulent crime. They considered that that risk was low to medium, given that none of the datasets contained financial information. The risk assessment considered that the risk could be mitigated by the provision of advice on how to be vigilant about finances. That also seems to me to be reasonable.
I turn next to evaluation and response. I note that the Home Office commissioned an external scrutiny report to look at the way the situation had been handled, and lessons that had been learnt from that. In addition, because the action of the contractor’s employee was a clear breach of both the contract the Home Office had with the contractor, and also with the contractor’s own internal procedures, the Home Office swiftly terminated the contract with the contractor and have brought the administration of the JTrack system in-house. These actions all seem to me to represent positive measures that demonstrate that the Home Office sought to learn from this incident and to ensure that it does not recur.
That leaves the issue of notification. There is no doubt that the Home Office acted promptly to notify the Information Commissioner about the loss and later gave formal notification in the form of the report of 10 September 2008. The work with the Information Commissioner resulted in the Home Office signing an undertaking that they would take steps to ensure that all processing done by a data processor would be done in line with the security measures governing that and that they would carry out regular inspections to ensure compliance.
There is, of course, another side to providing relevant notification and that is the question of whether, and if so how, to communicate the fact of the data loss to those affected.
The Home Office was aware that the matter was going to be reported extensively in the press on 22 August 2008, but decided that they would not be proactive in terms of letting those affected know about it. Rather, they took the decision to let those affected learn of the loss through the media, with the onus then being placed on those individuals to contact the relevant authorities (prison governors, probation officers or the general enquiry line) for further information and clarification if they felt they needed it. The Home Office had ensured by way of the Steering Group that prison governors, probation officers and enquiry line staff had been briefed so that they could deal with any questions put to them.
The Home Office’s communication strategy was clear but was it reasonable? I have considered whether there are any indications of maladministration in what the Home Office did – and did not – do in relation to communicating with the individuals affected by the data loss. It was, after all, their data.
After considerable reflection I have decided that I cannot say that the Home Office’s communication strategy was unreasonable. First, the Home Office acted correctly in that they considered whether or not it was appropriate to notify the individuals concerned about the data loss. I accept that the Home Office and members of the Steering Group are more familiar than I am with the difficulties of communicating with the offender and ex-offender population. I recognise that those difficulties were likely to have been a relevant consideration in their decision; and I cannot say that the decision to brief prison governors, probation officers and the enquiry line with the information they needed to respond to enquiries once the fact of the data loss became public was an unreasonable way of dealing with the situation.
Notwithstanding that, it seems to me that the communication strategy might usefully have drawn more clearly than it did on the Ombudsman’s Principles of ‘Being open and accountable’ and ‘Being customer focused’. If it had done, it seems to me that the Home Office might have decided to give the individuals affected information about the data loss directly and sooner and might have done so in a more helpful and sensitive manner.
As I see it, when a public body has lost personal data, normally the public body should be proactive and open in their communications with those affected about the data loss, rather than place the onus on those affected to seek out the information, unless there are good reasons not to adopt this approach.
There might be good reasons not to adopt this approach, for example, if the public body has assessed that there is a very low likelihood of the data itself, and/or the fact of its loss, coming into the public domain. In such circumstances, notification to those affected might well cause worry and distress needlessly.
However, in this case, the Home Office knew that the data loss was going to be reported in the media, and when that was likely to happen. It was highly likely therefore that worry and distress would be caused to those affected. In those circumstances it seems to me that it would have been better for arrangements to have been put in place to ensure that some form of proactive communication was issued with the aim of minimising the extent of that worry and distress.
I am not suggesting that the Home Office should have written personally to each person who was affected. I understand that they decided not to do so because of the difficulties involved in communicating with the offender population and the associated risks of notifying family members or friends who might not be aware of all the details of the offender’s conviction. However, as the entire prison population was affected by the data loss, a communication could have been issued to prison governors to pass on in an appropriate way. The Home Office did, after all, have something of a captive audience. Similarly, probation officers could have been given the same communication to pass on to those on probation. In that way those affected would have been provided with timely, relevant and complete information at the outset, rather than having to seek it out for themselves, once they had found out about the loss from the media.
Moreover, the Home Office, with the Steering Group, had put a lot of thought and effort into establishing the nature and extent of the data loss and considering the risks to individuals, which meant that there were a number of positive messages they could have given to those affected. For example, they knew that the data stick contained only limited information and had assessed that only 34 individuals were at high risk.
It is clear that those who complained to me do not feel that they received sufficient information or reassurances from the relevant authorities. A general communication could have been helpful in ensuring that those affected received the same information and advice. Such a communication could have given details of the information that was contained on the data stick, explained where those affected could go for further information and advice and outlined the steps that were being taken to contact separately the 34 individuals considered to be in the high risk group. That information could have provided considerable reassurance to those affected and mitigated the extent of worry and distress caused.
I am not suggesting that the Home Office’s failure to adopt the approach and take the sort of steps that I have outlined above amounts to an indication of maladministration. As I have already said, I have concluded that I cannot describe the Home Office’s communication strategy as unreasonable. But I do think it could have been better, and that if the Home Office had adopted a different, more proactive, approach, these complaints might have been avoided.
Consideration of injustice
I turn now to my assessment of whether there is any evidence of unremedied injustice as a result of the alleged maladministration.
In these cases the complainants are seeking compensation for what they have described as the fear, inconvenience and risk to their own and their family’s safety caused by the data loss. It seems that at the heart of their anxiety is the lack of information they received up front about the information contained on the data stick. In response to the compensation requests, the Home Office have explained that the Association of Chief Police Officers had determined that there were no heightened risks to individuals or members of their families as a result of the loss of the data stick because the lost data did not include any financial information about them, and all the individuals involved had PNC identification numbers, which meant that data relating to them was already in the public domain. On that basis the Home Office decided that a compensation payment would not be appropriate.
I recognise that the complainants are likely to remain of the view that a compensation payment would be appropriate but I do not agree. It seems to me that the Home Office was clearly at fault in relation to the loss of the data stick but the steps they took to consider the consequences of that and to put a communication plan in place were reasonable. In reaching that decision I am also mindful that the information contained on the data stick was largely in the public domain in any event (names, addresses and offence details) and so I cannot see any basis on which the complainants could reasonably claim to be additionally worried about its contents being made public.
In addition, in a number of cases we have found information about the complainants and their convictions readily available on the Internet. In those circumstances, it is even more difficult to see any merit in a compensation claim for the additional anxiety the complainants say they are experiencing as a result of the loss of the data stick.
Of course, I fully recognise that part of the reason the complainants are concerned about the data loss is because they do not feel that they have been fully briefed on the information contained on the data stick. However, I see that the solicitors representing the vast majority of the complainants were provided with this information in April last year and I trust that the information I have provided in this report will go some way to ease their outstanding concerns. The Home Office have set up arrangements to ensure that any individual who considers that his or her data may have been lost as a consequence of the loss of the data stick will receive a written response from the Home Office setting out the data fields in which the individual may have been included.
That said, I have seen no evidence that the Home Office have considered whether a remedy, other than compensation, would be appropriate. In line with the Principle of ‘Putting things right’, I expect public bodies to acknowledge mistakes and apologise where it is appropriate to do so. It is clear that data should not have been lost and it seems to me that it would be appropriate for the Home Office to apologise to those affected about that. I put that to the Permanent Secretary and he has asked me to pass on his apologies for this loss of data and for any loss of public confidence in the security of Home Office systems that contain personal data. The contractor has publicly apologised for the data loss. Given that I do not consider that compensation would be appropriate, I am satisfied that represents a suitable remedy to these complaints.
Footnote
[3] The Ombudsman’s Principles trilogy, the Principles of Good Administration, Principles of Good Complaint Handling, and Principles for Remedy, were published in 2007 and are based on the 40 years of experience the Ombudsman’s Office has in dealing with complaints. There are six Principles in all: Getting it right, Being customer focused, Being open and accountable, Acting fairly and proportionately, Putting things right and Seeking continuous improvement. More information about the Principles can be obtained from www.ombudsman.org.uk