UK learner driver details lost in America
BBC News reports that the details of 3 million learner drivers were lost in May this year by a government subcontractor in the US. Announced by the UK Transport Secretary Ruth Kelly in Parliament yesterday, this is only the latest of numerous such losses to be reported, further underlining a systemic failure to manage basic information security within UK government departments.
Apparently, this time the files include only names and contact details but no banking information, unlike the recent HMRC debacle. However, the question that seems most urgent is why the data were in the USA in the first place. It seems the data processor, Pearson Driving Assessments Ltd, a private contractor to the Driving Standards Agency, saw fit to pass the data to its supposedly secure data processing facility in Iowa. So secure that the disk containing the data disappeared from it within less than a month.
Unless there was a very solid reason for this transfer to the US (and it would have to be a much better reason than commercial expediency) the data should never have been sent to America at all. This would seem to breach Data Protection Principle Eight, which states that data should not be transferred outside the European Union without ensuring that "adequate protection" is in place. The USA is well known not to comply across the board with the required standards, there is no evidence so far that Pearson Driving Assessments operated a "safe harbor", and even if they did, it clearly failed in its purpose.
The question should also be asked why it took so long for this loss to be acknowledged by government; apparently the then Roads Minister was informed as early as last June.