Statement by the Secretary of State for Transport on Data Security

Statement by: Rt Hon Ruth Kelly MP
Date delivered: 17 December 2007

With permission, Madam Deputy Speaker, I would like to make a statement about measures I am taking to improve the security of personal data in the context of the Cabinet Secretary’s review of data across Government.

I would also like to update the House on a particular security breach earlier this year relating to the loss of personal – but not financial – data by a private contractor of the Driving Standards Agency. I will set out the main details of that incident in the course of this statement.

But first, Madam Deputy Speaker, let me set out some of the background.

My Department and its agencies handle hundreds of millions of transactions with road users every year – ranging from paying Vehicle Excise Duty to licensing new bus or road haulage operators. In order to provide a good service to customers, this requires personal information to be shared between systems. For example, motorists can only renew their car tax online because the Driver and Vehicle Licensing Agency – the DVLA – can check information with VOSA, the Vehicle and Operator Services Agency, and with insurers.

As the Cabinet Secretary has made clear in his interim report on data security, the public have a right to expect that the information they provide to Government will be held securely and used appropriately.

Madam Deputy Speaker, let me therefore set out five key actions I am taking to apply this principle and improve security of information within my Department and its Agencies.

First, recent events have highlighted the risks associated with the physical transfer of data by disk, tape or hard disk drive. Much data transmission by my Department and its Agencies is already, or soon will be, by electronic transfer. For example, driving test results are sent electronically from the Driving Standards Agency to the DVLA; and MOT results are recorded on computer by garages and then sent, in bulk, to the Vehicle and Operator Services Agency by secure electronic transfer.

I can announce today that the DVLA has created a new link to provide regular information to the police by electronic transmission. After a short period of testing, the present arrangements – which involve the transfer of tapes by secure courier – will cease.

I have asked my Permanent Secretary to work with Agency Chief Executives to accelerate other plans for further transfer of data electronically, wherever this is reasonable and cost-effective.

Second, I can tell the House that I intend to move forward with plans to merge two separate databases of registered vehicles which are currently held by the DVLA in Swansea and the Driver and Vehicle Agency in Northern Ireland.

The vulnerability this creates was illustrated by the recent loss of two disks in transit from Northern Ireland to Swansea containing the details of seven and a half thousand vehicles and the names and addresses of their owners. We will remove this risk by merging the databases. This will also enable Northern Ireland Agencies to offer a better service – such as on-line car tax – to their customers.

Third, my Department will participate fully in the next stage of the Cabinet Secretary's review – in particular, the arrangements in place in private sector contractors, the transfer of data on removable media, and procedures for any data stored outside the UK. My Permanent Secretary has also agreed with each Agency Chief Executive that any bulk transfer of data not done by electronic transmission will take place only by point to point transfer by a secure courier.

Fourth, to ensure greater clarity of responsibility, my Permanent Secretary has today written to senior officials in my Department – including Agency Chief Executives – drawing their attention to current guidance on the application of the Data Protection Act. This includes: the main principles of the Act; information on handling personal data appropriately; and the role of the Information Commissioner.

Fifth, in order to increase transparency and in line with the interim findings of the Cabinet Secretary's review, I have decided that my Department and its Agencies should cover information assurance issues in their annual reports. This will include a summary of any notifications about data security made to the Information Commissioner.

Madam Deputy Speaker, these measures are particularly important in the light of auditing data security in my Department and its Agencies in the context of the Cabinet Secretary's review.

In the interests of greater transparency, I would like to draw the House’s attention to one such breach which affects a significant number of people. Madam Deputy Speaker, in May this year, Pearson Driving Assessments Ltd, a private contractor to the Driving Standards Agency, informed the Agency that a hard disk drive had gone missing from its secure facility in Iowa City, Iowa. The hard disk drive contained the records of just over three million candidates for the driving theory test.

The records contained on the hard disk drive were:

  • the name of the test applicant;
  • their postal address;
  • their telephone number;
  • the test fee paid;
  • their theory test centre;
  • a code indicating how the test was paid for;
  • and, where provided, an email address.

The hard disk drive did not contain details of any individual’s bank account or credit card. It did not contain their driving licence number, nor their National Insurance Number. It did not contain their date of birth, nor a copy of their signature. And it did not contain the result of their test.

The hard disk drive was also, Madam Deputy Speaker, formatted specifically to fit Pearson configuration and as such is not readily usable or accessible by third parties. Pearson has confirmed that there is no external indication of the drive’s contents.

In the context of the Cabinet Secretary’s review of data, I asked the Information Commissioner for his views on this case and, on Friday afternoon, I received advice on his view of the risks to the public. The Information Commissioner has made it clear that he is concerned about any security breach – especially where large numbers of individuals are concerned. However he recognises that the risks are lower where the personal data does not include banking or credit card details and where security safeguards are in place to protect the data from third party access.

As a result, on the basis of the information received so far, he has also indicated that this case does not appear to present a substantial risk to individuals. He has not advised, therefore, that notification of each individual is needed.

Nevertheless, I apologise for any uncertainty or concern that these individuals may experience. The Driving Standards Agency has provided advice on the direct.gov website, and has set up a dedicated advice line, for candidates who took their driving theory test between September 2004 and April this year.

I can also inform the House that Pearson has already removed the specific risk which led to this loss, by now using electronic transfer in place of hard disk drives.

Madam Deputy Speaker, let me assure the House that I take the security of personal data within my Department and its Agencies extremely seriously. The measures I am taking, and the actions already underway, aim to ensure that transactions of this nature are conducted more effectively and efficiently in the future, and to provide greater assurance to the public.

Madam Deputy Speaker, I will of course keep the House fully informed of progress.

I commend this Statement to the House.