Supplementary memorandum submitted by
the Ministry of Justice
Thank you for inviting me to give evidence on
20 November. I hope the Committee found it informative.
In the light of the loss of personal data by
Her Majesty's Revenue and Customs, we thought it would be helpful
to provide the Committee with written evidence to update the evidence
provided in November last. I enclose a further memorandum which
I hope the Committee finds helpful.
I also promised during the evidence session
in November to look into two matters raised respectively by Mr
Davies and Ms Moran. I am sorry for the delay in reporting back
Mr Davies asked what arrangements are in place,
if any, for Ministry of Justice and the Department for Work and
Pensions to share data about prisoners, in order to ensure that
prisoners who abscond from prison do not receive state benefits
to which they are not entitled.
The Ministry of Justice and the Department for
Work and Pensions (DWP) do indeed share information about prisoners,
and do so in compliance with the Data Protection Act, to enable
the DWP to check individuals' status to prevent payment of benefits
for those serving a custodial sentence. This exchange includes
information about people that escape from prison, who are treated
as if they are still serving a custodial sentence. I understand
that it is rare for absconders from open prisons to attempt to
claim social security benefits, as doing so could make their whereabouts
An electronic transfer is also sent monthly
to the DWP of a further three categories of people:
(i) absconders who are sentenced to custody
in their absence;
(ii) those who fail to attend court where
they have appealed against a custodial sentence; and
Since July 2007, the Ministry of Justice has
provided a total of five names to DWP in the first two categories.
None were in receipt of any state benefits. The third category
is quite specific, and concerns people who have escaped in transit
from the court to prison. There have been four occurrences since
July 2007 and none were in receipt of benefit.
Ms Moran mentioned that earlier last year CCTV
footage of an incident in Luton town centre had been posted on
the Internet. I reported to the Committee that any breaches of
the Data Protection Act are for the Information Commissioner to
investigate and prosecute where necessary. I have therefore referred
the matter to Richard Thomas and he has assured me that he will
The Commissioner's investigation will probably
take quite some time to conclude and he may not be able to report
the outcome publicly. However I hope my letter reassures the Committee
that the matter will be thoroughly investigated.
1. On 25 October 2007 the Prime Minister
asked the Information Commissioner, Richard Thomas, and Dr Mark
Walport, Director of the Wellcome Trust, to undertake a review
into the use of personal data in the public and private sectors.
The review is considering whether there should be any changes
to the way the Data Protection Act 1998 operates in the UK and
the options for implementing any such changes. It will include
recommendations on the powers and sanctions available to the regulator
and courts in the legislation governing data sharing and data
protection. It will also make recommendations how data sharing
policy should be developed in a way that ensures proper transparency,
scrutiny and accountability. Public consultation on these issues
was opened on 12 December 2007 and closed on 15 February 2008.
The report and recommendations will be submitted to the Justice
Secretary in the first half of 2008.
2. On 22 November 2007, following the loss
of data by HMRC, the Prime Minister invited the Information Commissioner
to undertake spot checks of Central Government Departments' compliance
with the Data Protection Act and the data protection principles.
These spot checks are expected to commence in Spring 2008. The
ICO anticipates undertaking inspections of three or four Departments
over the coming months. A report containing recommendations to
improve its data handling procedures will be provided to each
Department at the end of each assessment.
3. Also on 22 November, the Prime Minister
asked the Cabinet Secretary, Sir Gus O'Donnell, to undertake a
review of the data handling procedures of Departments and agencies.
The first stage, which concluded on 10 December, involved Departments
undertaking an analysis of their systems and procedures for complying
with policies and standards on data protection, including making
recommendations for practical improvements. An interim progress
report, Data Handling Procedures in Government: Interim Progress
Report, was published on 17 December 2007. This report made
several recommendations for data security and protection going
ensuring that Departments are
clear about roles, responsibilities and minimum standards that
they must apply,
reinforcing the culture across
the public service that values and protects information and people's
ensuring that performance is
transparent and the right external scrutiny mechanisms are in
place to promote improvements into the future.
Initial cross-Government recommendations relating
to the framework within which data is handled included:
enhanced transparency with Parliament
and the public about action to safeguard information and the results
of that action, through Departmental annual reports and an annual
report to Parliament,
increased monitoring of information
assurance through, for example, Accounting Officers' Statements
on Internal Control,
improved guidance to those involved
in data handling, that is simplified and better tailored, setting
clear common standards and procedures for departments on data
legislative steps to enhance
the ability of the Information Commissioner to provide external
scrutiny of arrangements across the entire public sector through
"spot checks", and
commitment in principle to provide
for new sanctions under the Data Protection Act for the most serious
breaches of its principles.
Government will be issuing a consultation document
on the last two recommendations shortly.
4. A further review commissioned by the
Prime Minister on 22 November 2007 was that of HMRC's data handling
procedures undertaken by Kieran Poynter of PricewaterhouseCoopers.
The interim report, which was published in December 2007, set
out the work Kieran Poynter had already undertaken and made recommendations
for immediate steps for HMRC to take to protect data security.
They included: the imposition of a complete ban on the transfer
of bulk data without adequate security protection, such as encryption;
measures to prevent the downloading of data without adequate security
safeguards, and disabling personal and laptop computers to prevent
downloading of data on to removable media. A full report is expected
in Spring 2008.
26 March 2008