The firm responsible for the loss of a computer "memory stick" containing the personal details of thousands of criminals is to have its contract terminated, the Government has said.
PA Consulting will lose the £1.5 million, three-year deal with the Home Office after it mislaid the names, addresses and expected release dates of 84,000 prisoners in England and Wales.
Home Secretary Jacqui Smith said all PA Consulting's other contracts with the department - worth £8 million a year - would be reviewed, along with those signed with other firms.
The Cabinet Office will also launch a review of all contracts signed by the Government with private companies to ensure they are "appropriate", she added.
"We are cancelling this contract and we are urgently reviewing the way in which PA Consulting are meeting the requirements of other contracts we have with them," the Home Secretary said.
"Our investigation has demonstrated that while the information was transmitted in an appropriately secure way to PA Consulting and fed to a secure site, it was subsequently downloaded on to an insecure data stick and that data stick was then lost."
The memory stick was left in an unlocked drawer in an unsecured office at PA Consulting's premises in Victoria, central London.
Copyright © PA Business 2008
Heledd Lloyd-Jones, a member of Morgan Cole's Information Governance team, comments:
The Data Protection Act 1998 imposes an obligation on all organisations responsible for personal data (data controllers) to have effective mechanisms in place to ensure that contractors acting on their behalf have appropriate data security measures in place. It is essential that all subcontracting arrangements that involve data processing are governed by written data processing agreements that comply with the Act. Where highly sensitive or otherwise confidential personal data is involved, it is not enough to simply have written agreements in place; data controllers should take reasonable steps by means of audit or inspection to satisfy themselves that their contractors are indeed complying with their contractual obligations in relation to the security of personal data being processed on the data controller's behalf. Failure on the part of the data controller to have the necessary written agreements in place and, where necessary, to ensure that the terms of such agreements are adhered to, may result in regulatory action on the part of the Information Commissioner, who is responsible for enforcing the Act.
Morgan Cole provides specialist advice on all aspects of Data Protection Law, including the drafting of data processing agreements and contract terms. Morgan Cole is also accredited by the British Computer Society to deliver training leading to the award of the ISEB Certificate in Data Protection. For further information, visit http://iseb.morgan-cole.com or call Ian Emery on 0118 955 3001.