An investigation into the theft of UK Ministry of Defence (MoD) laptops containing the personal information of thousands of potential recruits has found the ministry’s policies and procedures are adequate, although some areas could be improved upon.
In January this year, UK Defence Secretary Des Browne revealed three MoD laptops containing personal data of thousands of potential recruits had been stolen in the past two years.
The revelation followed the theft of a Royal Navy laptop containing unencrypted data including passport details, bank account numbers and family details dating back as far as 1997 from a navy officer’s car earlier this year.
At the time he said information stored on the laptops was in breach of security regulations.
Sir Edmund Burton, who is Chairman of the Information Assurance Advisory Council and supports the Cabinet Office in the implementation of the government’s information assurance strategy, was invited to conduct a full investigation into the circumstances that led to the loss of the data and to consider the broader MoD approach to data protection.
He found MoD policies and procedures are generally fit for purpose and cited examples of good practice by the department, particularly the measures introduced after the loss which were effective in preventing similar damaging losses. But he identified a number of areas where the MoD needs to do better in protecting personal data.
The MoD has accepted all of Sir Edmund’s 51 recommendations and has prepared a comprehensive action plan to implement them.
Permanent Under Secretary Bill Jeffrey said he is “absolutely determined to make sure that we learn the lessons arising from the loss of this data and that we should do everything possible to make sure that this type of thing does not happen again”.
“We deeply regret the losses of personal data. We have identified weaknesses within parts of the MoD that led to this situation and I am confident that we are taking the necessary steps to address them.”
By Elizabeth Clifford-Marsh