A Driving Standards Agency contractor, Pearson, a subsidiary of FT owner Pearson, has lost a hard disk drive containing identity details of three million driving test candidates in the UK.
It looks like a related incident to the Northern Ireland DVA losing 6,000 people's identity details in a disk transfer (unencrypted) and HMRC losing 25 million people's identity details also in an unencrypted disk transfer.
A Pearson plc spokesperson said: "We take great care of the quality and security of our data and we deeply regret this incident." He said that no financial information was involved, that Pearson had strengthened its data handling procedures, and that there was no evidence of mis-use.
The hard disk drive was not found in a Pearson, Iowa city, data centre, where it was supposed to be, in May this year. Transport secretary Ruth Kelly was told in November, six months later, and informed the House of Commons only today, December 17th, one month further on. She said that no financial information was included in the unencrypted hard drive but it did contain names, addresses, and e-mail addresses where they existed.
The hard drive contained Driving Standards Agency (DSA) client test data and was stored in the Iowa data centre for business continuity and disaster recovery reasons. It was transferred to a second Pearson data centre, in Minnesota, to be backed up. Once the backup had been run it was meant to be returned to the Iowa data centre but was subsequently found not to be where it was supposed to be, and has not been located.
Pearson in the USA told the DSA in May, when the loss was discopvered. Ruth Kelly said she learnt about the loss in November, The DSA told the then roads minister, Stephen Ladyman, on June 4th. What he or his department did, apart from sitting on the embarassing information, is not known.
It came to light as a result of a review into government data security by Cabinet Secretary Gus O'Donnell. Ladyman left Government around the time Gordon Brown took over and Ruth Kelly became transport secretary. Her officials did not tell her about this until November when the O'Donnell review took place.
Kelly said the hard drive was in a Pearson's format, not readily accessible by general purpose systems, implying although not spelling out, Windows PCs. But neither she nor the Pearson's spokesperson knows the file system on the hard drive. It could easily be the case that it was a Windows file system, meaning that the raw data is readily accessible by a Windows PC.
The company is part of Pearson Education, a subsidiary of Pearson plc which owns the Financial Times, Penguin, Dorling Kindersley and other media and educational assets.
Ruth Kelly said that Pearson had committed to use electronic instead of hard disk drive transfer in future.
Kieran Poynter has done as expected and his interim report refers to procedural errors and not a systemic disfunction. Chancellor Alistair Darling, in a Commons statement, said that HMRC had banned any bulk data transfer by unsecured means, taken to mean encryption. He said that database download to disk had also been banned without senior official authorisation.
Poynter did say there was no evidence so far to indicate that Darling's earliest statement on the affair, in which he attributed the debacle a junior official, was wrong. Poynter said that HMRC management structures and reporting lines need simplifying.