Home Office guilty of breaching Data Protection Act

Third-party contracts will have specific clauses on encryption in future

The Home Office will encrypt all mobile devices

The Home Office has been found guilty of breaching the Data Protection Act after a contractor, PA Consulting, lost an unencrypted memory stick containing the personal details of 84,000 prisoners.

The UK's privacy watchdog, the Information Commissioner's Office (ICO), has required Sir David Normington, permanent secretary to the Home Office, to sign a formal undertaking outlining that the department will encrypt all mobile devices and require all third-party contractors to encrypt information they handle.

Mick Gorrill, assistant information commissioner at the ICO, said the case was serious because it involved thousands of individual records.

"This breach illustrates that, even though a contractor lost the data, it is the data controller - the Home Office - which is responsible for the security of the information," he said.

The Home Office has agreed to conduct future audits to ensure compliance with the Act.

The ICO said that failure to meet the terms of the undertaking is likely to lead to further enforcement action - the watchdog can now perform spot checks on government departments as well as impose fines.