In association with heise online

26 June 2008, 10:16

MOD data loss report finds systemic failures


The Ministry of Defence has published a report, written by Sir Edmund Burton, into the loss of MOD laptops, including at least one containing the personal details of over half a million recruits and potential recruits. The report, delivered to the MOD in April, identifies systemic weaknesses in MOD data protection. Sir Edmund states in his preamble that strong information management controls developed in the Cold War era "have not been translated, effectively, into the information age. Furthermore, there seems to be a lack of awareness that, in the information age, the behaviour of each individual is a significant factor in the risks faced by the parent organisation."

It appears that of 51 laptops holding the 600,000-record TAFMIS Royal Navy and RAF Recruiting SQL database, no fewer than four have gone missing from parked cars, although only the latest loss led to disciplinary action. Sir Edmund points out that although there was a prohibition against leaving these laptops in cars, encryption was not mandated. He concurs with heise Online's conjecture that the very existence of this database on unencrypted laptops constituted a breach of the Data Protection Act.

It is clear from the timeline in the report that although encryption was mandated for all new laptops from April 2003 under MOD JSP 440 security instructions, and was supposed to be installed on all existing laptops from January 2006, delays were encountered, partly due to misinterpretation of the poorly worded instructions. The deadline for encrypting older laptops was therefore extended in April 2006 to 1 January 2009.

Sir Edmund identifies key strategic failings at the MOD, including "not treating information, knowledge and data as key operational and business assets", "information risk … not being formally managed at executive boards across the Department", and "little awareness of the current, real, threat to information, and hence to the Department's ability to deliver and support operational capability." These findings are supported by reports of other MOD losses, but the MOD is not alone – HMRC has not fared well recently, nor have the Department of Work and Pensions (DWP) or the NHS, and top secret intelligence documents were recently left on a London train by a member of Cabinet Office staff. Indeed, the general situation has got so bad that, before the House of Lords Constitution Committee on 25 June, Justice Minister Michael Wills called for a complete overhaul of the way government departments manage personal data, urging the application of the same standards that apply to financial transactions. However, considering recent losses of card transaction data, that may well not prove to be a sufficient remedy.

