24 October 2008
It is the responsibility of buyers continually to remind suppliers about the importance of data security.
This was one of the lessons learnt by the Home Office, which terminated a contract with PA Consulting following the loss of an unencrypted data stick containing the details of thousands of prisoners.
John Collington, group commercial director at the Home Office, said the incident happened despite robust contract terms and conditions and the supplier having data security policies and procedures that exceeded minimum OGC and Cabinet Office requirements. The loss was due to one PA Consulting employee who flouted these policies.
"We learnt you have to make suppliers aware continuously of the issues of managing data, the importance of data security and the ultimate consequences.
"We've returned to all our suppliers and reminded them of their contractual obligations when managing our data."
The department has also approached suppliers for a copy of their security policies and procedures.
"Not all firms have them so we've made sure this request will identify that," Collington said.
The Home Office is also creating a system to ask vendors to outline their security and data handling procedures every year, which will result in an assurance certificate suppliers create themselves.
Collington said it was another way of increasing the profile and focus of information security.When the security breach occurred, the Home Office alerted the information commissioner, and management of the data was brought back in-house.
An investigation, which included assistance from an RAF special security unit, was conducted by the Home Office and concluded within a month.