Huw Irranca-Davies: The Environment Agency has identified projects to reduce the risk of flooding to 11,109 houses in the West Midlands between 2010 and 2020. Investment will continue to improve flood modelling, mapping, forecasting and warning. The development and testing of flood response plans will also continue in partnership with local authorities and emergency services.
|Major planned future expenditure (new defences) West Midlands|
|Delivery period||Location||Planned expenditure (£)|
Joan Walley: To ask the Secretary of State for Environment, Food and Rural Affairs what steps he is taking in respect of the discharge of cyanide into the River Trent in October 2009; what discussions he has had with Severn Trent Water on the incident; and if he will make a statement. 
Huw Irranca-Davies: The Environment Agency is investigating the cause of the incident with a view to prosecuting those responsible. It is having on-going discussions with Severn Trent Water and is inspecting the company's records to establish how its sewage works were disrupted by the effluent it received.
A suspension notice was served by the Environment Agency to prevent a company in Stoke-on-Trent discharging effluent to the sewer system. This notice will remain in force until the Environment Agency is satisfied that the risk of pollution has been removed.
Joan Walley: To ask the Secretary of State for Environment, Food and Rural Affairs how many reported incidents of pollution in the (a) River Trent and (b) River Tame there have been in each of the last three years. 
|Number of incidents per year|
|River Trent||River Tame|
The majority of these incidents were classed as minor and had a limited impact on the water environment. Only 10 of these incidents had a major or significant impact; five on the River Trent and five on the River Tame.
Joan Walley: To ask the Secretary of State for Environment, Food and Rural Affairs what assessment he has made of the adequacy of the specifications of the Severn Trust Water sewage treatment plants at (a) Strongford, (b) Minworth, (c) Coleshill and (d) Tamworth. 
Huw Irranca-Davies: Discharges from sewage treatment plants to surface water are required to have prior authorisation under the requirements of the Water Resources Act (1991). Discharge consent is issued under Section 88 of the Act.
The setting of these conditions involves assessing the needs of the receiving watercourse and calculating the standards a sewage treatment works must achieve in order to avoid causing damage to the environment. In most cases, these 'river needs' are prescribed by EC directives or national legislation.
Emission limits are typically set for ammonia, biochemical oxygen demand, suspended solids and, where necessary, can also include pesticides, metals and other substances deemed dangerous to the environment. It is the role of the operator to design the appropriate type of treatment works to achieve the specified standards. This applies to all the plants mentioned. Discharges are regularly monitored to ensure that these standards are met.
Nick Herbert: To ask the Secretary of State for Environment, Food and Rural Affairs (1) on what date (a) he, (b) the Minister for Food, Farming and the Environment and (c) officials in his Department was informed of the recent loss of confidential data from the Rural Payments Agency; 
Hilary Benn [holding answer 3 November 2009]: On 29 October 2009, Official Report, column 437, I made a statement to the House of Commons regarding unaccounted for electronic storage media at the Rural Payments Agency (RPA). I gave a commitment to put in the Library of the House a copy of the internal investigation report that was carried out by RPA. This text accompanies that report.
The potential issue was identified in routine audits, conducted by IBM in spring 2009 and subsequently by RPA in September 2009, which were unable to account for two back-up tapes and it was subsequently established that these were likely to have contained some personal data. As is explained in more detail in the section on assessment of risk below, a detailed assessment was made of the circumstances of the case and the risks to personal information. Although there was no documentary evidence that the tapes had been destroyed, there was evidence that one was identified as defective and suitable for destruction and the balance of probability was that both had been destroyed. It was also established that a combination of several low probability events would have had to arise in order for the tapes and the information to be misused. On this basis the DEFRA senior information risk owner (SIRO) decided that formal reporting was not warranted and that notifying people whose data might have been included in the two tapes would cause unnecessary alarm and would be disproportionate.
This incident relates to back-up tapes used in an IBM data centre to provide essential IT services for the Rural Payments Agency. The proper administration of these tapes enables the department to restore live services if there is an outage or disaster.
Back-up tapes need to be carefully administered (i.e. recorded and labelled, logged whenever they are replaced, re-used, deleted or transported). Part of this administration is an annual audit to check that all tapes are accounted for.
Between 16 March 2009 and 7 May 2009, IBM carried out routine annual reconciliations of back-up tapes at their data centres. It became clear that 38 tapes and one CD could not be accounted for and they carried out an internal investigation and a thorough search of the data centres to establish if these were lost or had been misplaced. 19 of the 39 media were found during this audit process. At this stage it was not clear that protected personal data relating to RPA were on any of the tapes unaccounted for but it was reasonable to assume that this was possible.
IBM notified DEFRA orally at a meeting on 23 July 2009. Following further searches IBM informed DEFRA formally in writing on 28 August 2009 that 19 tapes and one CD remained unaccounted for although it had reason to believe that it knew where 18 of the tapes were and would be following this up directly.
On 3 September 2009, the risk was escalated to the DEFRA Deputy SIRO who immediately informed security branch and requested further investigation. Between 3 September and 21 September 2009, more tapes were accounted for (there had been double accounting errors and some media were awaiting destruction), leaving four media (three tapes and one CD) still unaccounted for.
On 7 October 2009, a full assessment of the position was passed to both the DEFRA SIRO and the SIRO at RPA, who agreed on 9 October 2009 that the incident did not warrant formal reporting to the Cabinet Office and Information Commissioner's Office and that notifying SPS claimants would be disproportionate and cause unnecessary concern.
Not all data held and processed by DEFRA and its agencies are personal data as defined by the Data Protection Act (1998). Much of the data processed by the IT suppliers at DEFRA relate to day-to-day transactions and are not connected to identifiable persons.
Most organisations that hold personal data require a Data Controller and a formal notification which sets out what data are being held and for what purposes. In the case of the Rural Payments Agency the Data Controller is DEFRA.
In addition, each government organisation has a Board level Senior Information Risk Owner who is responsible for managing the risks associated with information assets (both personal and non-personal). DEFRA's SIRO is the Director General of Law and Corporate Services and the Rural Payments Agency's SIRO is the Chief Information Officer.
DEFRA employs a number of companies to provide ICT (information and communications technology) services. Such companies are known as Data Processors (any action which relates to holding, using, manipulating or even just storing data is known as 'processing' as defined by the Data Protection Act). The Data Controller and Data Processors put in place all necessary measures to ensure that personal data are held in accordance with data protection law and principles (of which security is part). The Data Processor in this case was IBM.
The Data Handling Review (DHR) published in June 2008 sets out the minimum measures for personal data handling which government departments are required to adhere to. A written ministerial statement and a copy of the report can be found at:
The IBM procedures for handling back-up tapes on behalf of RPA were designed to ensure that their movements were recorded and tracked accurately throughout their life cycle. There were also compliance checks in place and as is described in the report of the RPA investigations into this incident, these checks revealed evidence that these procedures were not followed by IBM in some respects. IBM is now implementing changes in conjunction with DEFRA and RPA to strengthen arrangements and improve compliance checking.
Under the procedures introduced following the DHR, government Departments are required to identify and consider reporting any potential breach or loss of personal protected data to the Information Commissioner and also consider informing the individuals concerned. These decisions are normally taken by the SIRO, who is the board level executive with particular responsibility for information risk. Departments are required to include in their annual reports
a summary of protected personal data related incidents formally reported to the Information Commissioner under the Data;
a summary of centrally recorded protected personal data related incidents not formally reported to the Information Commissioner; and
a summary statement of actions to manage information risk.
The potential issue with unaccounted for RPA removable media was identified in routine audits conducted by IBM in spring 2009 and subsequently by RPA in September 2009. In accordance with the Cabinet Office Guidance an assessment was made of the risks posed by the media not accounted for. This established that although three tapes and one CD were unaccounted for, only two tapes could have contained protected personal data.
These two tapes were part of an automatic contained system in a secure data centre: tapes sit within a hopper and are automatically used to back it up in turn about every eight weeks. They are not moved within the data centre and if moved between sites (for example for destruction) are transported in authorised vehicles.
The most likely explanation for the fact that the two tapes could not be accounted for is that they were found to be defective and were destroyed. Other tapes of the same type were so destroyed and there is evidence that one of the tapes was reported as defective and recommended for destruction and neither of the tapes not accounted for appear to have been used on the system since 2007.
The tapes are not of a type that can be easily read: the data are dumped across the set of back-up tapes in random strings and appear in ASCII code. Specialist equipment and technical skills are needed to reconstitute them.
Even when reconstituted the data would not mean much. A name, address or banking details of a particular individual would not necessarily appear on the same backup tape or be linked together; six tapes are required to back up the system.
The risk of these tapes having been stolen for criminal purposes by someone with access to the system in the data centre is low. For the data to be useful the entire bank of tapes would be needed (because the linked data may be spread across all the tapes) so a person with access to the tapes and with the knowledge to interpret the data would also know that the entire set of six tapes was needed to make sense of it.
The assessment concluded that a combination of several low probability events would have had to arise in order for the tapes and the information to be misused. On this basis the DEFRA SIRO decided that formal reporting was not warranted and that notifying people whose data might have been included in the two tapes would cause unnecessary alarm and be disproportionate.
The RPA instructed IBM to act upon lessons learned on 11 October 2009. This included: restrictions on physical access to data centres unless accompanied by specified representatives; a further strengthening of tracking and logging procedures for all removable storage media at sites (including the transit between sites); introduction of formal confirmatory reporting that any actions taken are fully catalogued and the audit history maintained. An external expert consultant, engaged by RPA, has also provided independent advice on these improvements.
At the time that the DEFRA SIRO decided that formal reporting was not warranted, a full review of IBM removable media storage, handling and accounting procedures was commissioned, covering arrangements across the DEFRA network. DEFRA will also be looking to strengthen arrangements for identifying and reporting on incidents involving the potential loss of personal information.