Yesterday there was yet another story in the news about the loss of sensitive data: this time, records on all the prisoners in England and Wales, as well as details on others with convictions, were lost after a private company misplaced a memory stick. This is only the latest in a long line of data losses; earlier in the year, CDs and laptops containing details on others were lost as well.
This current issue raises several questions. First, what was a consulting firm doing with information such as this? I can understand the need to view statistics and have information on prisoner distribution and the types of crimes committed, but why wasn't the data anonymized before it was given to this company, and why wasn't it encrypted?
There should be a simple policy for handling data such as this: never put it on removable media. Government agencies should have secure gateways, VPNs or some other method that would allow those who are authorized to view this information without needing to copy it onto disk. It's going to take a serious incident (someone finding the lost data and doing something bad with it) before they really change their policies and way of working.