Thank you for inviting me to give evidence on 20 November. I hope the Committee found it informative.

  In the light of the loss of personal data by Her Majesty's Revenue and Customs, we thought it would be helpful to provide the Committee with written evidence to update the evidence provided in November last. I enclose a further memorandum which I hope the Committee finds helpful.

  I also promised during the evidence session in November to look into two matters raised respectively by Mr Davies and Ms Moran. I am sorry for the delay in reporting back to you.

  Mr Davies asked what arrangements are in place, if any, for Ministry of Justice and the Department for Work and Pensions to share data about prisoners, in order to ensure that prisoners who abscond from prison do not receive state benefits to which they are not entitled.

  The Ministry of Justice and the Department for Work and Pensions (DWP) do indeed share information about prisoners, and do so in compliance with the Data Protection Act, to enable the DWP to check individuals' status to prevent payment of benefits for those serving a custodial sentence. This exchange includes information about people that escape from prison, who are treated as if they are still serving a custodial sentence. I understand that it is rare for absconders from open prisons to attempt to claim social security benefits, as doing so could make their whereabouts known.

  An electronic transfer is also sent monthly to the DWP of a further three categories of people:

(i)  absconders who are sentenced to custody in their absence;

(ii)  those who fail to attend court where they have appealed against a custodial sentence; and

(iii)  escapees.

  Since July 2007, the Ministry of Justice has provided a total of five names to DWP in the first two categories. None were in receipt of any state benefits. The third category is quite specific, and concerns people who have escaped in transit from the court to prison. There have been four occurrences since July 2007 and none were in receipt of benefit.

  Ms Moran mentioned that earlier last year CCTV footage of an incident in Luton town centre had been posted on the Internet. I reported to the Committee that any breaches of the Data Protection Act are for the Information Commissioner to investigate and prosecute where necessary. I have therefore referred the matter to Richard Thomas and he has assured me that he will investigate.

  The Commissioner's investigation will probably take quite some time to conclude and he may not be able to report the outcome publicly. However I hope my letter reassures the Committee that the matter will be thoroughly investigated.

  1.  On 25 October 2007 the Prime Minister asked the Information Commissioner, Richard Thomas, and Dr Mark Walport, Director of the Wellcome Trust, to undertake a review into the use of personal data in the public and private sectors. The review is considering whether there should be any changes to the way the Data Protection Act 1998 operates in the UK and the options for implementing any such changes. It will include recommendations on the powers and sanctions available to the regulator and courts in the legislation governing data sharing and data protection. It will also make recommendations how data sharing policy should be developed in a way that ensures proper transparency, scrutiny and accountability. Public consultation on these issues was opened on 12 December 2007 and closed on 15 February 2008. The report and recommendations will be submitted to the Justice Secretary in the first half of 2008.

  2.  On 22 November 2007, following the loss of data by HMRC, the Prime Minister invited the Information Commissioner to undertake spot checks of Central Government Departments' compliance with the Data Protection Act and the data protection principles. These spot checks are expected to commence in Spring 2008. The ICO anticipates undertaking inspections of three or four Departments over the coming months. A report containing recommendations to improve its data handling procedures will be provided to each Department at the end of each assessment.

  3.  Also on 22 November, the Prime Minister asked the Cabinet Secretary, Sir Gus O'Donnell, to undertake a review of the data handling procedures of Departments and agencies. The first stage, which concluded on 10 December, involved Departments undertaking an analysis of their systems and procedures for complying with policies and standards on data protection, including making recommendations for practical improvements. An interim progress report, Data Handling Procedures in Government: Interim Progress Report, was published on 17 December 2007. This report made several recommendations for data security and protection going forward including:

—    ensuring that Departments are clear about roles, responsibilities and minimum standards that they must apply,

—    reinforcing the culture across the public service that values and protects information and people's privacy, and

—    ensuring that performance is transparent and the right external scrutiny mechanisms are in place to promote improvements into the future.

  Initial cross-Government recommendations relating to the framework within which data is handled included:

—    enhanced transparency with Parliament and the public about action to safeguard information and the results of that action, through Departmental annual reports and an annual report to Parliament,

—    increased monitoring of information assurance through, for example, Accounting Officers' Statements on Internal Control,

—    improved guidance to those involved in data handling, that is simplified and better tailored, setting clear common standards and procedures for departments on data security,

—    legislative steps to enhance the ability of the Information Commissioner to provide external scrutiny of arrangements across the entire public sector through "spot checks", and

—    commitment in principle to provide for new sanctions under the Data Protection Act for the most serious breaches of its principles.

  Government will be issuing a consultation document on the last two recommendations shortly.

  4.  A further review commissioned by the Prime Minister on 22 November 2007 was that of HMRC's data handling procedures undertaken by Kieran Poynter of PricewaterhouseCoopers. The interim report, which was published in December 2007, set out the work Kieran Poynter had already undertaken and made recommendations for immediate steps for HMRC to take to protect data security. They included: the imposition of a complete ban on the transfer of bulk data without adequate security protection, such as encryption; measures to prevent the downloading of data without adequate security safeguards, and disabling personal and laptop computers to prevent downloading of data on to removable media. A full report is expected in Spring 2008.

26 March 2008