Data files containing the personal records of thousands of serving and former military personnel have been stolen from an RAF base in Gloucester, the Ministry of Defence (MoD) has said.

The information was stored on computer hard drives within a high-security area in the Service Personnel and Veterans Agency at RAF Innsworth.

Police are investigating the incident. The MoD said it was treating the breach "extremely seriously".

The agency provides support services for some 900,000 serving and ex-service personnel. It is as yet unclear what information was stored on the three disc drives taken and how many people's records are affected.

The data loss will come as the latest embarrassment for the Government, which has already suffered a series of lost or stolen data files.

Last week, a disc containing the names and addresses of almost 11,500 teachers went missing in the post.

Commenting on the latest data loss, Lib Dem Defence spokesman Nick Harvey said the situation was "unacceptable", adding: "This is just the latest in a seemingly endless stream of stories involving personal information being lost or stolen.

"The first priority has to be ensuring that nobody's security has been put at risk, but we also need a serious look at the way such sensitive data is being handled."

Copyright © PA Business 2008

Liz Bell, a member of Morgan Cole's Information Governance team, comments:

This incident highlights the need for a comprehensive approach to information security. The 7^th Data Protection Principle, places obligations on all organisations with responsibility for processing personal data to take appropriate technical and organisational measures to guard against unlawful access to this data.

With more personal data being stored on portable devices, data controllers will need to give due consideration to the physical security of such devices.  For particularly sensitive information, organisations should consider whether it is appropriate for this information to be stored on portable devices at all. 

In addition, technical security options should be implemented, so that in the event of a theft of a portable device, the personal information stored on it is further protected by the use of passwords, encryption, or even bio-security measures.  The more sensitive the information stored, the greater the degree of security is required.

There is an obligation on all organisations to continually review their data security measures, in the light of reported incidents such as this, so as to ensure that they continue to meet their obligations under the Act, and, where a significant data loss is identified, to notify the Information Commissioner in accordance with ICO guidance.