Rural Payments Agency: Data Protection

Environment Food and Rural Affairs

Written answers and statements, 4 November 2009


Nick Herbert (Shadow Secretary of State for Environment, Food and Rural Affairs, Environment, Food and Rural Affairs; Arundel & South Downs, Conservative)

To ask the Secretary of State for Environment, Food and Rural Affairs

(1) on what date (a) he, (b) the Minister for Food, Farming and the Environment and (c) officials in his Department were informed of the recent loss of confidential data from the Rural Payments Agency;

(2) who ordered the investigation into the recent loss of confidential data from the Rural Payments Agency;

(3) what data is contained on the tapes recently lost by the Rural Payments Agency;

(4) on what date individuals whose personal data were contained on tapes lost by the Rural Payments Agency were informed of the loss;

(5) on what date the investigation into the recent loss of confidential data from the Rural Payments Agency (a) began and (b) concluded;

(6) on what date the recent loss of confidential data from the Rural Payments Agency was discovered.


Hilary Benn (Secretary of State, Department for Environment, Food and Rural Affairs; Leeds Central, Labour)

holding answer 3 November 2009

On 29 October 2009, Hansard, column 437, I made a statement to the House of Commons regarding unaccounted for electronic storage media at the Rural Payments Agency (RPA). I gave a commitment to put in the Library of the House a copy of the internal investigation report that was carried out by RPA. This text accompanies that report.

Summary

The potential issue was identified in routine audits, conducted by IBM in spring 2009 and subsequently by RPA in September 2009, which were unable to account for two back-up tapes, and it was subsequently established that these were likely to have contained some personal data. As is explained in more detail in the section on assessment of risk below, a detailed assessment was made of the circumstances of the case and the risks to personal information. Although there was no documentary evidence that the tapes had been destroyed, there was evidence that one was identified as defective and suitable for destruction, and the balance of probability was that both had been destroyed. It was also established that a combination of several low probability events would have had to arise in order for the tapes and the information to be misused. On this basis the DEFRA senior information risk owner (SIRO) decided that formal reporting was not warranted and that notifying people whose data might have been included in the two tapes would cause unnecessary alarm and would be disproportionate.

Back-up tapes and administration

This incident relates to back-up tapes used in an IBM data centre to provide essential IT services for the Rural Payments Agency. The proper administration of these tapes enables the department to restore live services if there is an outage or disaster.

Back-up tapes need to be carefully administered (i.e. recorded and labelled, logged whenever they are replaced, re-used, deleted or transported). Part of this administration is an annual audit to check that all tapes are accounted for.

Narrative of events relating to unaccounted media

Between 16 March 2009 and 7 May 2009, IBM carried out routine annual reconciliations of back-up tapes at their data centres. It became clear that 38 tapes and one CD could not be accounted for and they carried out an internal investigation and a thorough search of the data centres to establish if these were lost or had been misplaced. 19 of the 39 media were found during this audit process. At this stage it was not clear that protected personal data relating to RPA was on any of the tapes unaccounted for but it was reasonable to assume that this was possible.

IBM notified DEFRA orally at a meeting on 23 July 2009. Following further searches IBM informed DEFRA formally in writing on 28 August 2009 that 19 tapes and one CD remained unaccounted for although they had reason to believe that they knew where 18 of the tapes were and would be following this up directly.

At the same time the RPA were carrying out internal assurance and became aware of the results of the media audits reported on 28 August 2009.

On 3 September 2009, the risk was escalated to the DEFRA Deputy SIRO who immediately informed security branch and requested further investigation. Between 3 September and 21 September 2009, more tapes were accounted for (there had been double accounting errors and some media were awaiting destruction), leaving four media (three tapes and one CD) still unaccounted for.

It was ascertained that one tape and one CD did not hold protected personal data and the issue therefore related only to the two tapes which were likely to contain protected personal data.

On 7 October 2009, a full assessment of the position was passed to both the DEFRA SIRO and the SIRO at RPA, who agreed on 9 October 2009 that the incident did not warrant formal reporting to the Cabinet Office and Information Commissioner's Office and that notifying SPS claimants would be disproportionate and cause unnecessary concern.

Data and responsibilities

Not all data held and processed by DEFRA and its agencies are personal data as defined by the Data Protection Act (1998). Much of the data processed by the IT suppliers at DEFRA relate to day-to-day transactions and are not connected to identifiable persons.

Most organisations that hold personal data require a Data Controller and a formal notification which sets out what data is being held and for what purposes. In the case of the Rural Payments Agency the Data Controller is DEFRA.

In addition, each government organisation has a Board level Senior Information Risk Owner who is responsible for managing the risks associated with information assets (both personal and non-personal). DEFRA's SIRO is the Director General of Law and Corporate Services and the Rural Payments Agency's SIRO is the Chief Information Officer.

DEFRA employs a number of companies to provide ICT (information and communications technology) services. Such companies are known as Data Processors (any action which relates to holding, using, manipulating or even just storing data is known as 'processing' as defined by the Data Protection Act). The Data Controller and Data Processors put in place all necessary measures to ensure that personal data is held in accordance with data protection law and principles (of which security is part). The Data Processor in this case was IBM.

Data Handling Review

The Data Handling Review (DHR) published in June 2008 sets out the minimum measures for personal data handling which government departments are required to adhere to. A written ministerial statement and a copy of the report can be found at:

http://www.cabinetoffice.gov.uk/newsroom/statements/080625_data_handling.aspx

The IBM procedures for handling back-up tapes on behalf of RPA were designed to ensure that their movements were recorded and tracked accurately throughout their life cycle. There were also compliance checks in place and as is described in the report of the RPA investigations into this incident, these checks revealed evidence that these procedures were not followed by IBM in some respects. IBM is now implementing changes in conjunction with DEFRA and RPA to strengthen arrangements and improve compliance checking.

Protection of Personal Data

Under the procedures introduced following the DHR, government Departments are required to identify and consider reporting any potential breach or loss of personal protected data to the Information Commissioner and also consider informing the individuals concerned. These decisions are normally taken by the SIRO, who is the board level executive with particular responsibility for information risk. Departments are required to include in their annual reports

a summary of protected personal data related incidents formally reported to the Information Commissioner under the Data;

a summary of centrally recorded protected personal data related incidents not formally reported to the Information Commissioner; and

a summary statement of actions to manage information risk.

Assessment of risk posed by RPA media unaccounted for

The potential issue with unaccounted for RPA removable media was identified in routine audits conducted by IBM in spring 2009 and subsequently by RPA in September 2009. In accordance with the Cabinet Office Guidance an assessment was made of the risks posed by the media not accounted for. This established that although three tapes and one CD were unaccounted for, only two tapes could have contained protected personal data.

These two tapes were part of an automatic contained system in a secure data centre: tapes sit within a hopper and are automatically used to back it up in turn about every eight weeks. They are not moved within the data centre and if moved between sites (for example for destruction) are transported in authorised vehicles.

The most likely explanation for the fact that the two tapes could not be accounted for is that they were found to be defective and were destroyed. Other tapes of the same type were so destroyed, there is evidence that one of the tapes was reported as defective and recommended for destruction, and neither of the tapes not accounted for appears to have been used on the system since 2007.

The tapes are not of a type that can be easily read: the data is dumped across the set of back-up tapes in random strings and appears in ASCII code. Specialist equipment and technical skills are needed to reconstitute it.

Even when reconstituted the data would not mean much. A name, address or banking details of a particular individual would not necessarily appear on the same back-up tape or be linked together; six tapes are required to back up the system.

The risk of these tapes having been stolen for criminal purposes by someone with access to the system in the data centre is low. For the data to be useful the entire bank of tapes would be needed (because the linked data may be spread across all the tapes) so a person with access to the tapes and with the knowledge to interpret the data would also know that the entire set of six tapes was needed to make sense of it.

The assessment concluded that a combination of several low probability events would have had to arise in order for the tapes and the information to be misused. On this basis the DEFRA SIRO decided that formal reporting was not warranted and that notifying people whose data might have been included in the two tapes would cause unnecessary alarm and be disproportionate.

Lessons learned

The RPA instructed IBM to act upon lessons learned on 11 October 2009. This included: restrictions on physical access to data centres unless accompanied by specified representatives; a further strengthening of tracking and logging procedures for all removable storage media at sites (including the transit between sites); introduction of formal confirmatory reporting that any actions taken are fully catalogued and the audit history maintained. An external expert consultant, engaged by RPA, has also provided independent advice on these improvements.

The Secretary of State and Minister for Food and Farming were informed of these events on 28 October 2009.

At the time that the DEFRA SIRO decided that formal reporting was not warranted, a full review of IBM removable media storage, handling and accounting procedures was commissioned, covering arrangements across the DEFRA network. DEFRA will also be looking to strengthen arrangements for identifying and reporting on incidents involving the potential loss of personal information.

In accordance with normal practice the incident will be reported in the RPA's annual report for 2009-10.
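The reconciliation process described in the answer above (an annual audit that checks every registered medium against what is physically present, correction of double-accounting errors, media marked defective but lacking a destruction record, and separating media that could hold protected personal data from media that could not) as a worked example. This is added here and is not IBM's, RPA's or DEFRA's own procedure or code; the register, scan results, lifecycle log entries and barcodes are constructed, and the rule that a medium is accounted for only when scanned or covered by a destruction certificate is an assumption of the example.

```python
"""Reconcile a removable-media register against physical audit scans and a
lifecycle log, and report media that cannot be accounted for.

Added example, not the tooling of any organisation named in the written
answer. Every record below is constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Medium:
    barcode: str
    kind: str            # "tape" or "cd"
    personal_data: bool  # does the backup set it belongs to hold protected personal data?
    last_used: str       # ISO date of the last write to this medium


# Constructed register: what the custodian believes exists.
REGISTER = [
    Medium("T0001", "tape", True, "2009-03-02"),
    Medium("T0002", "tape", True, "2009-03-02"),
    Medium("T0003", "tape", True, "2007-06-11"),   # logged defective, no destruction certificate
    Medium("T0004", "tape", True, "2007-06-11"),   # no record of any kind after last use
    Medium("T0005", "tape", False, "2009-02-20"),
    Medium("T0006", "tape", False, "2008-11-30"),
    Medium("C0001", "cd", False, "2006-01-15"),
]

# Constructed scan results from two locations. A barcode recorded at more
# than one location is one medium double-counted, not two media.
SCANS = {
    "datacentre_hopper": ["T0001", "T0002", "T0005"],
    "offsite_vault": ["T0005", "T0006"],
}

# Constructed lifecycle log. Only a "destroyed" entry with a certificate
# reference is treated as documentary evidence of destruction (assumption).
LIFECYCLE_LOG = [
    {"barcode": "T0003", "action": "defective", "ref": "ticket-8812"},
    {"barcode": "C0001", "action": "destroyed", "ref": "cert-2008-017"},
]


def reconcile(register, scans, log):
    """Classify every registered medium.

    A medium is accounted for if it was physically scanned or has a
    destruction record with a certificate reference. A "defective" entry on
    its own is reported separately: it is evidence, not proof, so the medium
    still appears in the unaccounted list.
    """
    seen = Counter(b for found in scans.values() for b in found)
    destroyed = {e["barcode"] for e in log
                 if e["action"] == "destroyed" and e.get("ref")}
    defective = {e["barcode"] for e in log if e["action"] == "defective"} - destroyed
    registered = {m.barcode for m in register}

    result = {
        "found": sorted(b for b in registered if seen[b]),
        "double_counted": sorted(b for b, n in seen.items() if n > 1),
        "unregistered": sorted(set(seen) - registered),   # scanned but never registered
        "destroyed": sorted(destroyed & registered),
        "awaiting_destruction": [],
        "unaccounted": [],
        "unaccounted_personal_data": [],
    }
    for m in register:
        if seen[m.barcode] or m.barcode in destroyed:
            continue
        if m.barcode in defective:
            result["awaiting_destruction"].append(m.barcode)
        result["unaccounted"].append(m.barcode)
        if m.personal_data:
            result["unaccounted_personal_data"].append(m.barcode)
    return result


if __name__ == "__main__":
    for key, value in reconcile(REGISTER, SCANS, LIFECYCLE_LOG).items():
        print(f"{key:26s} {value}")
```

Run stand-alone it prints one line per category; T0005 shows up as double-counted because it was scanned in two places, C0001 is closed by its certificate, and T0003 and T0004 are the two personal-data media that remain unaccounted for, with T0003 also listed as awaiting destruction because only a defective ticket exists for it. Extending the register with a date cut-off on `last_used` is the natural next check for media that have not been written to for years.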
