6. Letter to the Chairman of the Committee from
Paul Goggins MP, Minister of State for Northern Ireland

During the Westminster Hall debate on 15 January
2009, I offered to provide you with a full response concerning
the follow-up review of the independent public inquiries' information
security procedures.

As you are aware, following the data loss by the
Rosemary Nelson Inquiry, the Northern Ireland Office commissioned
an independent security consultant to carry out a review of all
the inquiries' security procedures. This review concluded in
July 2008, and found an adequate level of assurance at all the
inquiries. However, recommendations were made to mitigate against
further potential risks and weaknesses, and the NIO undertook
to engage the consultant again to conduct a follow-up review to
assess progress.

That review took place from 24 November to 12 December
2008. It took the form of a series of visits to the inquiries
in order to assess how recommendations had been taken on board;
discussions with the Northern Ireland Office and other stakeholders
to gain Government's assessment on how the inquiries had changed
procedures; and an examination of correspondence since the initial
review.

Turning initially to the threat to the inquiries,
the consultant recognised that risks remain focused around those
who might deliberately or inadvertently compromise sensitive information.
Any negligent loss of information or insider disruption through
leaks would clearly have an undesirable impact and the inquiries
continue to work to avoid this. The inquiries are also aware
that new threats are likely to continue to emerge, particularly
through IT, as any perceived vulnerability is exploited through
software and emerging hardware technologies as they move into
different phases of their work.

In the steps needed to address these threats, circumstances
are unique to each inquiry, with each one having to implement
varying measures and to report on action taken since the initial
July 2008 review. All of the independent public inquiries have
undertaken a review of their internal policy frameworks and general
guidance. Where appropriate, procedures have been tightened and
guidance revised to include reference to the threat. Security
training has also taken place for those staff with security responsibilities.
Regular meetings are held with contractors to discuss IT-related
risks. Senior managers within the inquiries have endorsed updated
security procedures and guidelines. All staff within the inquiries
are now required to sign a declaration that they are fully aware
of and understand the importance of adhering to this guidance.

In his follow-up report, the security consultant
made some specific recommendations about the provision of further
security advice and guidance to the inquiries in the future, which
are being taken forward. He also recommended that the Northern
Ireland Office should engage with the inquiries and other stakeholders
on a mechanism to provide an acceptable system of measuring security
compliance in the inquiries, as part of a corporate governance
framework. This should enable the NIO to receive continued assurance
that the inquiries are fulfilling their obligations as they move
to their conclusion. We have now agreed a tighter, more thorough
form of regular review which we believe is the best way to achieve
a close monitoring of security procedures and compliance, without
compromising the inquiries' independence. These reviews will
take place every six months, and begin in April 2009.

The consultant also recommended that the NIO works
with the inquiries in order to ensure the safe, long-term storage
of inquiry documents after the completion of the inquiries; this
work has already begun. The NIO and government will continue
to work with the inquiries to monitor compliance with the agreed
security standards.

30 March 2009