Previous Section Index Home Page

21 Jan 2008 : Column 1228

It is clear that the MOD did not follow its own procedures for the protection of databases. Its procedure can hardly be described as robust. It is clear that the Cabinet Office review was ignored or simply not implemented. It is clear that two similar cases occurred, but Ministers were not informed. Why not? The Secretary of State does not know why his own recruiting officers routinely carry such information, so can he at least tell us how many of them carry it? He must know by now. Why are all those categories of information needed—for example, the religion of recruits, which can be very sensitive information and could prejudice several minorities in the armed forces?

It is clear that Ministers believed that information was encrypted, but they did not know, which raises the question of whether the item was an MOD laptop—or was the information kept on the officer’s personal laptop? If so, how often has that occurred? Are Ministers sure that the other two laptops that went missing have encrypted data, and what back-up is kept to enable checks to be made when things go wrong?

Clearly, we do not know what risks will be faced by those on the database—it depends entirely on whose hands it has fallen into—but putting our troops at risk in such a way is unforgivable, because it seems as though there has been systemic failure, rather than a single act of incompetence or irresponsibility. We now know that 68 MOD laptops were stolen in 2007, 66 in 2006, 40 in 2005, and 173 in 2004. What on earth is going on? How much information on our service personnel is floating around out there? Most importantly, why has nothing been done about such incidents, when they have occurred regularly for a number of years?

Can the Secretary of State tell the House how many of the computers that have been stolen since 1998 had a classification of “confidential” or higher? What was the security classification of the laptop stolen most recently? What is his Department’s policy on classifying and storing sensitive information on MOD computers in general? More importantly, what role does he have in determining what information is classified and at what level, and who has access to that information? Will he list and publish in the Library all the departmental rules, regulations and protocols that were broken, leading to this catastrophic loss of information?

Lately, it has been shown that the Government take a cavalier approach to the confidential details of UK citizens, but in the case that we are considering, the security aspects make things worse. There will be a damaging effect on the confidence and morale of our forces, which will do nothing to solve the crisis in retention and recruitment that we face. It is a dreadful mess that the Secretary of State has outlined to the House today, and it will require total commitment to put the matter right. At this stage, even he must realise that this is no job for a part-timer.

Des Browne: The hon. Gentleman is right to say that this is an extremely serious matter, and I am well aware of the implications. I see that there are Members from Northern Ireland present; I am conscious of the important implications that there were on the occasions when information was stolen in Northern Ireland from various agencies, and of the effect that that had on the morale of those serving in our armed forces there, particularly those of them who lived in Northern Ireland. As I
21 Jan 2008 : Column 1229
served as a Minister at the Northern Ireland Office, I am very conscious of that. That is why the MOD has such clear, strict procedures and systems in place, and they ought to be not only respected but observed meticulously. He is right to identify failure to do that as a matter of the utmost seriousness, and that is how I treat it.

Over and above that, I have to say that the MOD has a good record on maintaining security for a wide range of sensitive information through its procedures. From the information that I have, I have no reason to believe than the issue goes any wider than the handling of the database in question, but that is serious enough. I accept that there needs to be a robust, clear explanation of why such an amount of information had to be carried. I am far from satisfied that there can be such an explanation, but I am not prepared to prejudge the conclusions of the robust investigation that I have set up.

The hon. Gentleman asks about rules, regulations and protocols. I will consider doing as he requests, to the degree that that is consistent with our shared wider objectives relating to the security of those who serve our nation, and those who support them. In any event, I am absolutely certain that the investigation will need to look into all those rules, regulations and protocols. So far, I am satisfied that if they had been observed, the problems would not have happened on any of the three occasions. On his specific question on encryption, I thought that I made it clear that the data on none of the three laptops were encrypted.

The hon. Gentleman asks what provision we make for the support of the people who have to do the work. We provide them with laptops that have a facility for encryption. There were about 300 of those laptops in existence. They were all brought in and secured as of 18 January, whether or not the information on them was encrypted. I shall consider the other questions that the hon. Gentleman posed, and if I believe that any of them require an answer, in the interests of clarity and in support of the investigation, I shall ensure that they are answered in another fashion.

Andrew Miller (Ellesmere Port and Neston) (Lab): My right hon. Friend has appointed an extremely competent official to undertake the investigation. I have worked with Sir Edmund Burton in the Information Assurance Advisory Council on a number of subjects, so I know that his presence is a big plus. I am deeply concerned, however, that the lack of reporting to which my right hon. Friend referred may constitute a breaking of the law by officials as a result of their failure to handle matters properly within the data protection legislation. While Sir Edmund conducts the investigation, will my right hon. Friend make sure that he takes every possible step to ensure that anyone in his Department who handles personal data has undertaken proper training under the Data Protection Act before being allowed to handle any more sensitive information?

Des Browne: My hon. Friend is right to identify the fact that Sir Edmund Burton is well qualified to do this job. Those who know him, and his fierce reputation as an independent advocate in this area, know that he is well qualified to undertake the investigation. I have set out in short the remit for Sir Edmund’s wide-ranging
21 Jan 2008 : Column 1230
investigation, and I am satisfied that, as agreed with the Information Commissioner, it addresses all the necessary questions and gives Sir Edmund the flexibility that he needs. If it transpires that there has been a breach of the law—and whatever law is breached—those who are responsible will have to live with the consequences, because they are accountable.

Nick Harvey (North Devon) (LD): I thank the Secretary of State for his statement, and for calling me on Friday to brief me about this matter. Everyone would accept that the primary responsibility lies with the individual whose foolishness led to the laptop being stolen. However, the House is less ready to accept the Secretary of State’s assertion that the MOD has robust policies, systems and procedures to stop that sort of thing happening. Sir Edmund Burton may reflect on policies and procedures, but the Secretary of State will accept that the systems and controls to stop that sort of thing happening simply have not worked—if, indeed, they exist. As we have heard, this is not the first case—there have been others in recent years—so we need a fundamental rethink about the way in which data are protected in the Department.

In the light of the well-known shortages in manpower in all three of the armed forces, I suppose it is reassuring that 600,000 people wish to volunteer and join the forces. I hope that the confidence of would-be recruits is not shaken by this regrettable incident. Will the Secretary of State reflect on the comments this morning of the Information Commissioner, who said that we have further to go to understand

The Secretary of State told us candidly—and I sympathise with his predicament—that he did not know why that information was kept in one place and put on to a laptop. That is the sort of thing that we have to sort out and understand. The public would be shocked to think that their records were stored in such a way, without knowing how long they were stored and who had access to them. Does he accept that we have to treat the protection of personal information as seriously as we treat official secrets, military intelligence, and, indeed, large sums of money? Is it not clear that a change of culture across Whitehall is needed, and that, as the Justice Committee has suggested, there should be a new crime of recklessly divulging data, and a new power for the Information Commissioner to perform spot checks on data controllers?

Des Browne: The hon. Gentleman referred to the conversation that I had with him on Friday night. In case it is not clear, I should say that I had intended, and was ready, to make this statement on Thursday. After discussions with the police, and for reasons to do with the stage of the police investigation, I made the judgment that it would be better to wait. Unfortunately, however, the media broke the story on Friday. I deeply regret that I had to put a statement into the public domain without speaking in the House about it first, but the story running in the media was wrong, and I could not leave it wrong over the weekend. I am grateful to the hon. Gentleman, the hon. Member for Woodspring and Mr. Speaker for their understanding when I contacted them on Friday night to explain what I was doing. I trust that the House will accept that my judgment was right.

21 Jan 2008 : Column 1231

The fundamental point made by the hon. Member for North Devon is right—but I did not say that the MOD had “robust” policies, systems and procedures; I said that we had clear policies, systems and procedures. The hon. Gentleman pointed to a draft of the statement— [Interruption.] I make this point advisedly. The hon. Gentleman has pointed to a draft of my statement—to be checked against delivery—that we gave him. When I was given the final draft of the statement, immediately after Defence questions, I changed that word.

The hon. Gentleman is right: the robustness of the policies and procedures depends on their being observed. The failure to observe those procedures will be the focus of the investigation that I have set up. That failure caused the need for my statement today, and the potential release of the information into the hands of people who should not have it. I deeply regret that, and I am determined to find out why it happened. I cannot give the House an explanation why information relating to 600,000 people needed to be on a laptop; frankly, and without wishing to prejudge the investigation, I do not believe that it needed to be.

I listened with care to the Information Commissioner on the radio this morning. I listened to the questions that he posed; all those questions need to be answered. I have deliberately framed the remit of the investigation so that they will be answered. I have the comfort of knowing that my senior officials spoke to him about the issue, and I understand that he is of the same view. The hon. Gentleman can be satisfied that I am taking the matter appropriately seriously. If there are consequences for individuals, those individuals will have to live with them, whatever they may be. I am not in a position to deliver such a judgment; that is for the chain of command.

Mr. Gordon Prentice (Pendle) (Lab): Has anyone been disciplined for negligence as a result of losing a laptop containing sensitive personal information since 1997?

Des Browne: Not to my knowledge.

Mr. Douglas Hogg (Sleaford and North Hykeham) (Con): The right hon. Gentleman has told the House what steps he has taken to prevent a future blunder of this kind. He will know about the loss of Child Support Agency data at the back end of last year. Will he say what steps he and other Ministers personally took then to ensure that no blunder of the kind that has just occurred was perpetrated by his Department?

Des Browne: As the right hon. and learned Gentleman would expect, I made it clear to the permanent under-secretary that we should co-operate fully and comprehensively with the review that was being set up at the centre of Government. I said that we were to ensure that what might well have been at the heart of the Revenue and Customs problem—a culture had appeared to grow up that, at least in some regard, did not treat such information as being as valuable as it is, and people had not been observing the systems and procedures in place—was not the case in our Department.

21 Jan 2008 : Column 1232

As I said in my statement, the interim report that I received on the part of the review that my permanent under-secretary carried out on this particular issue did not identify the problem or the circumstances that I believe, and that I think the investigation will reveal, led to what we have to deal with today. Had I known, I would have taken other steps, but it was not reported to me.

Dr. Tony Wright (Cannock Chase) (Lab): My right hon. Friend has been let down by his Department. This has turned out to be not what we thought it was—the isolated action of a foolish individual—but a section of his Department failing to take elementary precautions about data protection. When he was asked about its systems by the Cabinet Secretary’s review, he was presumably given an assurance, notwithstanding the fact that there had been previous incidents, that those systems were in order. If I were him, I would be very cross about this, and want to do something about it.

Des Browne: I can hardly say that I am delighted about it, but there does not seem to be any point in getting angry in this job. I am often asked if I am angry or frustrated about things, but it seems to me that those are wasted emotions. My job is to get on and ensure that this never happens again—to find out exactly what happened, and to ensure that those who need to be properly trained are properly trained, and that those who were responsible for ensuring that those systems and procedures were properly applied are made properly accountable for their failure to do so.

Mr. Peter Lilley (Hitchin and Harpenden) (Con): Given the series of incredible and repeated scandals involving child benefit discs, Department for Work and Pensions data in binbags, and military laptops, has not the time come for an analysis of the problems of data protection that is more extensive, comprehensive and independent than anything that the Government have initiated so far? Should not that also cover information that they deliberately make public, which, in the case of the Land Registry information, has resulted in tens of millions of pounds of people’s freehold property being robbed? And should not the lessons of all this be learned before we proceed with identity cards?

Des Browne: The right hon. Gentleman tempts me into discussing the Land Registry, an area where, because of my professional experience, I may have some limited but now dated expertise—but that is not my responsibility. I accept his point. It is very important that the Government and the Government’s employees take responsibility for complying with the data protection standards for which we have legislated in this House, but it is equally important that the independent Information Commissioner’s Office can properly keep accountable all those who hold information, including the Government. That independent regulation is the right construction, and we have to ensure that it is robust enough. However, at the heart of this is the point, which has already been made, that there needs to be a cultural understanding that such data and information, particularly when it relates to individuals, is as valuable as any other property that the Government or any other institution might have, and it is obvious that that culture is not there across substantial parts of the public sector.

21 Jan 2008 : Column 1233

Linda Gilroy (Plymouth, Sutton) (Lab/Co-op): The Secretary of State said that he would not prejudge the very thorough investigation that he has put in hand. However, does he understand the incomprehension and fury felt by people in defence communities such as Plymouth, who think that common sense, rather than rocket science, should have stopped this sort of thing happening? Can he give the House a greater sense of how the cultural change to which he referred can be put in hand before we receive the report—and when we will receive it?

Des Browne: I am grateful to my hon. Friend, who speaks with justifiable passion for those whom she represents—some of whom, I have no doubt, will be receiving letters from us in the near future, and will have a degree of concern. We will endeavour, by our response to those who get in touch with us, to support them through this. It will be a vulnerable time for them; I accept that. I am not in a position to tell my hon. Friend exactly when the report will be available, because, with respect, Sir Edmund has not yet started on his work, but as soon as I am in a position to give the House some indication of when the work will be completed and how I will keep the House informed, I will tell it specifically what I plan to do. I also intend to have further conversations with the right hon. Member for North-East Hampshire (Mr. Arbuthnot) and my hon. Friend the Member for Cannock Chase (Dr. Wright), in their capacity as Chairs of the Defence Committee and the Public Administration Committee respectively, to ensure that they are kept fully informed. I am sure that both their Committees will be interested in inquiring further not only into the circumstances of this loss of data but into what we do.

I cannot make it any plainer than that. I am taking this matter with the utmost seriousness, and I intend to get to the bottom of what happened. If there is a reason, even if it is not a justification, for why that amount of information was being carried on a laptop, I will find out what it was. I intend to take the steps necessary to ensure that nothing like this ever happens again in the MOD.

Dr. William McCrea (South Antrim) (DUP): Four Departments have now been responsible for losing data. Does the Secretary of State understand the serious damage done with regard to the community’s view of the Government’s competence in the protection of public records? Surely every instance of such loss reinforces the argument against ID cards.

The Secretary of State mentioned that he was sensitive to the concerns of Northern Ireland. I therefore wonder why my right hon. Friend the Member for North Antrim (Rev. Ian Paisley), the leader of my party, was not informed about this matter by the Secretary of State. Did any of the details contained in the stolen laptops refer to Army service recruits in Northern Ireland? The Secretary of State knows that there is an increased threat to security forces personnel in Northern Ireland, so it would be important to inform them if any of their names were on that laptop.

Des Browne: I am very aware of the issues the hon. Gentleman raises, and I cannot make it any clearer how seriously I take this matter. He knows how seriously I
21 Jan 2008 : Column 1234
take such issues, from the time that I served as a Minister in Northern Ireland, when I dealt with him, his party colleagues and others in relation to similar matters. I am well aware of the potential security implications.

It is clear that the protection of data is relevant to the identity cards scheme, but as the hon. Gentleman is probably aware, the scheme is underpinned by biometric data that will protect people’s identities from being taken and/or used. That is the fundamental problem with loss of data, although there is a specific personal security problem in relation to the data in this case, which I understand. I do not think that the read-across that people constantly suggest with ID cards is robust.

I understand how important the issues that the hon. Gentleman raises are and I give him my word that I will do everything to ensure that they are taken seriously. As far as those who may be living and/or serving in Northern Ireland are concerned, I am not in a position to answer his question at this stage, but I am certain that some of the people concerned must be in Northern Ireland, and if they are exposed to any degree of risk, they will receive a letter from us, just as others involved will.

Mr. Kevan Jones (North Durham) (Lab): Most hon. and right hon. Members find it mind-boggling that 600,000 names were on a laptop in the back of a car in Birmingham. My hon. Friend the Member for Cannock Chase (Dr. Wright) raised the point that we are not looking at the actions of just one individual, but a systemic failure in procedures. Will my right hon. Friend assure me that the lowly naval recruitment officer concerned will not be made a scapegoat for this mistake, and that those further up who are responsible for the systems in question will take responsibility for this incident as well?

Des Browne: My hon. Friend makes some good points. Wherever responsibility, or any part of it, falls, that is where responsibility should be taken. Clearly, the person responsible for the immediate security of the laptop was in breach of regulations in leaving it where he did. I accept that he is not wholly responsible for the circumstances, but whatever the Navy chooses to do to him through its disciplinary procedures will be a matter for its chain of command, and the same applies to everyone else involved. I have no intention of protecting anyone from the consequences of the decisions that they have taken, if they were in breach of regulations.

Angus Robertson (Moray) (SNP): It is completely unacceptable for the Secretary of State to inform only some parties in the House about major events and to overlook others, especially parties of Government in Scotland, Wales and Northern Ireland. He has been able to give a breakdown of some of the data, so will he tell the House how many of the people in question are domiciled in Scotland, Wales and Northern Ireland? What notice was given about the data loss, and when, to the devolved Administrations of Scotland, Wales and Northern Ireland?

Next Section Index Home Page