Previous Section Index Home Page

25 Jun 2008 : Column 21WS


Burton Review

The Secretary of State for Defence (Des Browne): On 21 January 2008, Official Report, columns 1225-37 and 7 February 2008, Official Report, column 78WS, I informed the House about the theft of laptop computers containing a database with personal records relating to individuals who had expressed interest in joining the armed forces, and that I had invited Sir Edmund Burton to conduct a full investigation into the circumstances that led to the MOD’s loss of this personal data; the effectiveness of the immediate measures we introduced to prevent any recurrence; and the adequacy of the Department’s policy, practice and management arrangements for the protection of personal data more generally.

Sir Edmund has reported, and I have placed a copy of his report in the Library of the House and published it on the Department’s website at: I am very grateful for the effort that Sir Edmund and his team have put into this review. The report is in two parts with an executive summary. Part one sets out the events leading up to the loss of data on 9 January 2008, covering the relevant issues surrounding the Training Administration and Financial Management Information System (TAFMIS) and the attendant policies and procedures. Part two considers the broader MOD approach to personal data protection, drawing on the emerging findings of the Cabinet Office Review of Data Handling Procedure in Government, whose final report is also being published today. Further detail and a summary of Sir Edmund’s 51 recommendations are given in the annexes to the report. These have been published in full, although the names of those consulted have been redacted.

25 Jun 2008 : Column 22WS

I accept all 51 of Sir Edmund’s recommendations, and I am determined that we should learn the wider lessons to be drawn from this incident. At the direction of the Defence board, an action plan has been prepared to implement the recommendations, and this is being published today also. The senior management of the MOD, in the form of the Defence board, accepts that it has ultimate responsibility for the effectiveness of the Department’s information management and assurance, and will supervise the implementation of the action plan.

The action plan has been shown to Sir Edmund, who has indicated that it has his support and is in his view capable of delivering the improvements in practice which his report concludes are necessary. Sir Edmund’s report, and the action plan including the immediate steps we have taken to bring the TAFMIS system into compliance with the Data Protection Act have also been shared with the Information Commissioner; we will keep his office appraised of progress.

On the TAFMIS recruitment system, Sir Edmund’s report has set out, to the extent that he has been able to establish the facts, the sequence of events that led to the Royal Navy and Royal Air Force version of the system being unencrypted. This confirms that efforts were made to encrypt the system through an encryption upgrade, and that this was successful for most of the system. However, in August 2006 the encryption on the 55 TAFMIS laptops containing the Royal Navy/Royal Air Force recruit database was reported not to be working as expected. Despite examining all the available papers and interviewing relevant personnel from the Army Recruiting and Training Division (ARTD), who manage the contract for the system on behalf of all three armed services, and the system provider, EDS, Sir Edmund has been unable to find an explanation of why encryption of these 55 was not pursued by another means, and those using the system came to believe that it was encrypted when it was not. His main conclusions are that aspects of the TAFMIS project were poorly managed both by the ARTD’s internal project manager and EDS; that for periods in 2006 and 2007 the laptops in question were being used in breach of MOD laptop encryption security policy; and that in certain key respects, detailed in the report, the TAFMIS system is still in breach of data protection regulations. His findings have confirmed my own suspicion that there was no robust business reason for so much personal data to be carried around by recruiting officers on their laptops. Action is already in hand to remedy this position.

After studying the report, the Chief of the General Staff has ordered an inquiry to investigate whether there are grounds to pursue either disciplinary or administrative action in respect of the management of the contract between the Army and EDS.

On the more general aspects of his review, Sir Edmund finds that departmental policies and procedures generally are fit for purpose and he gives some examples of good practice by the Department (the role of the MOD’s senior information risk owner; the emergency measures introduced after the loss which have been effective in preventing similar damaging losses; the network of data protection officers; and the good security data protection and information risk management procedures of the organisations within the Department for whom handling of large volumes of personal data is core business); but he is highly critical of the Department’s general treatment
25 Jun 2008 : Column 23WS
in practice of information, knowledge and data as key operational and business assets, and of low levels of awareness of the threats to information and of the requirements of data protection legislation. Therefore, his recommendations focus on training and steps to raise awareness and compliance, and to raise the profile of the issue within our various management boards.

Sir Edmund’s investigation and other internal inquiries have established more of the facts than were available when I made my statement to the House on 21 January. Of the 600,000 recruits or potential recruits who were in the TAFMIS data base, about 1,000 dated back to 1977. In a substantial proportion of cases, the records included more limited information about next of kin and contact details for referees.

We have also established that, in addition to the three stolen TAFMIS laptop computers referred to in the statement, a further two laptops similar to those stolen in January 2008 and October 2006 were stolen from cars: a Royal Navy laptop in Bristol in August 2004 and a Royal Air Force laptop in Leeds in July 2006. In both cases the laptops were believed at the time to have been encrypted and Ministers were not informed of the losses. The personal data held on these laptops were a subset of that held on the laptop stolen on 9 January 2008 and so does not affect anyone not already affected by that incident.

Following the theft of the laptop on 9 January, the Department conducted a full internal investigation into the details of computer and other electronic storage media lost or stolen since 2003 when mandatory reporting of such incidents was introduced. This investigation has now been completed and the collated data were provided to Sir Edmund Burton as part of his review. He has summarised key elements of the data in his report.

Prior to 2003 the reporting of lost and stolen laptops was not centrally collated and it has been found that the figures for the period 1995 to 2002 may be incomplete and therefore unreliable. As the details of incidents for this period are no longer available it is not possible to provide updated figures.

In conclusion, I reiterate my deep regret over both the losses of personal data and the systemic weaknesses within parts of the MOD that led to this situation. As the Cabinet Office report also published today highlights, these reflect challenges faced by all parts of Government but that does not make them any more acceptable. Both I and senior MOD management are determined to act quickly and decisively on Sir Edmund’s recommendations and bring about an early significant improvement in practice within the Department in this important area.

Home Department

Consultation on Visitors (Government Report)

The Minister for Borders and Immigration (Mr. Liam Byrne): This year sees the biggest changes to Britain’s immigration and border security system for 45 years. Our policy will deliver strong borders, a selective migration system and an expectation that newcomers earn the right to stay. Our ambition is that migration policy maximises benefits for Britain and manages local impacts.

This strategy underpins our Australian-style points system and reforms to spouse visas, and requires us to modernise visit visas. I am therefore setting out today a
25 Jun 2008 : Column 24WS
strategy for comprehensively overhauling our visit visa system. Copies are being placed in the Library of the House and include our formal response to our consultation on visitor visas published in December 2007.The full analysis of responses to the consultation can be found on the UK Border Agency website.

In modernising our visit visa system, our ambition is two fold; to let legitimate visitors connect with the UK quickly, and to strengthen still further our border security.

Significant changes lie at the heart of today’s strategy:

There are two policy areas to which I propose no change following the consultation responses:

We know that many have a stake in us getting today’s policy right. For this reason we coupled a formal consultation with meetings with parliamentarians, with community meetings with the UK’s ethnic minority community and, for the first time, consultation in India, our largest visa market, supported by a cross-party delegation of community leaders and business people. Six hundred and four additional responses were received regarding the consultation.

I am grateful to everyone who contributed. I will now bring forward changes to both legislation and the immigration rules to give effect to today’s announcement. Because of the significance of the changes proposed, I will publish detailed statements of intent in advance of introducing change, together with detailed impact assessments.


No-Win No-Fee Arrangements

The Parliamentary Under-Secretary of State for Justice (Bridget Prentice): I am announcing today the commencement of a feasibility and scoping study into the operation of no-win no-fee arrangements in England and Wales.

25 Jun 2008 : Column 25WS

We are aware of growing concerns that no-win no-fee arrangements may not always be operating in the interests of access to justice. This includes a perception that consumer interests are not always being best served; allegations over the possible misuse of no-win no-fee agreements and a potential adverse impact on the administration of justice. We feel that now is the appropriate time for a comprehensive, objective and evidence based examination of the operation of no-win no-fee arrangements in relation to personal injury, employment and defamation/privacy cases. This work forms an important part of one of the Department’s key objectives to deliver fair and simple routes to justice, including identifying any gaps in access to justice in the above areas.

We recognise that the issues at hand are complex and varied and their consideration could potentially be a large-scale exercise. Therefore, as a preliminary step, the Department has asked Professors Richard Moorhead (Director of Research, Cardiff law school), Paul Fenn (Nottingham university business school) and Neil Rickman (Head of Economics, university of Surrey, and RAND Europe) to conduct a research-based review of how conditional fee arrangements operate in personal injury, employment, and defamation/privacy cases. Today I am announcing the commencement of the scoping work the purpose of which is to highlight the key issues and identify areas that would benefit from further work.

The study will consider how best to:

Professors Moorhead, Fenn and Rickman are expected to report to Ministers in the autumn. The report will help determine what specific aspects ought to be pursued in more detail and the feasibility of doing so.

Sentencing Guidelines Council (Annual Report 2007-08)

The Secretary of State for Justice and Lord Chancellor (Mr. Jack Straw): The Sentencing Guidelines Council has today published its annual report, jointly with the Sentencing Advisory Panel, giving details of the excellent work it has achieved during the past year and outlining its work plans for the next 12 months.

Copies of the annual report have been placed in the Libraries of both Houses. Copies are also available in the Vote Office and the Printed Paper Office.

Cabinet Office

Data Handling Procedures

The Minister for the Cabinet Office (Edward Miliband): On 21 November, the Prime Minister announced that he had asked the Cabinet Secretary, with the advice of
25 Jun 2008 : Column 26WS
security experts, to work with Departments to ensure that all Departments and all agencies check their procedures for the storage and use of data. An interim report, published on 17 December, summarised action taken across Government, and set out initial directions of reform to strengthen the Government’s arrangements.

I am today placing a final report in the Libraries of both Houses. The final report summarises work conducted in Departments to improve data handling. It further sets out how the Government are improving information security by putting in place:

The measures being put in place, which represent a new set of minimum mandatory standards for Departments, include:

Next Section Index Home Page