Chamber
Plenary, 25 Jun 2008
25 Jun 2008 · S3 · Plenary
Item of business
Scottish Ambulance Service (Contact Information)
I welcome the opportunity to make a statement to Parliament on the loss during transit of a data disk containing information relating to emergency contacts that had been made with the Scottish Ambulance Service since February 2006. My statement will cover the detailed timeline of events from the point at which the package that contained the disk was passed to the courier, TNT; the processes that the Scottish Ambulance Service followed to ensure the security of the data in transit; and the action that the Ambulance Service and TNT took in their combined efforts to find the disk from the point at which it became evident that it was missing.
I believe that my statement will assure members and—more important—the public of the robustness of the security practices that the Scottish Ambulance Service adopted. Those safeguards were implemented to minimise any risk of the information being accessed by people who do not have the appropriate authority to access it. The situation contrasts starkly with the situation at HM Revenue and Customs, where data were not protected in that way. I also plan to comment on the Scottish Government's data handling report, which was published earlier today and which offers best-practice guidance for all public bodies that are involved in collecting and managing data.
Late in the afternoon of Thursday 19 June, the Scottish Ambulance Service alerted my officials to the fact that a disk containing data relating to contacts with the emergency service was missing in transit. I was alerted to the loss shortly after 6 pm that evening. The following day—Friday 20 June—the Scottish Ambulance Service confirmed the sequence of events from when the decision was taken to download the information on to a portable hard disk. At that time, the Scottish Ambulance Service also advised of the processes that were applied to ensure the security of the information prior to its being passed to TNT for delivery.
I reassure the people of Scotland that the Scottish Ambulance Service, in preparing for the transfer of the data, took every possible effort to ensure the security of those data. Ambulance Service staff who were preparing the disk for transit sought advice from their data protection officer about the procedures to be followed to ensure the security of the information, which included the full range of data that were stored on the command and control system. Those data related to 894,629 call contacts with the Ambulance Service, including the details that would be conveyed in the course of such calls, such as the location and nature of the incident, the names of callers and patients if available, patients' details, such as their age or date of birth and gender, and contact telephone numbers. If a patient's on-going medical problem was known, the record might also refer to it. Actual medical records were not included in the data. Last night, the Scottish Ambulance Service advised me that the disk also contained necessary operational details, including contact details for staff.
The service has assured staff, as I have assured the public, about the steps that were taken to secure the information before transit. All other information on the disk—for example, contact details for general practitioner practices and other agencies, such as social work departments—is already in the public domain.
The data were exported from the Scottish Ambulance Service's command and control database and encrypted on to a portable hard drive using an encryption tool. That drive, or disk, as I will refer to it, was then sealed in a box with a covering letter that said that if the box was found, it should be returned to the Scottish Ambulance Service. The box was in turn put into another package with a similar covering letter, and the package was handed with a signed receipt to TNT on Monday 9 June 2008. That afternoon, an e-mail was sent to MIS Emergency Services Ltd in Manchester, which is the information technology company that was waiting for the disk in order to upgrade the Ambulance Service information system. That e-mail advised the company that the disk was in transit and that it should expect to receive it the following day, Tuesday 10 June 2008.
Daily contact followed over the next few days, but, by Thursday 12 June, TNT accepted that the package was missing and instigated a search in order to find it. The search continued until Thursday 19 June, when the Ambulance Service was first advised that TNT could not find the parcel and TNT invited the Ambulance Service to set down the details of the loss as part of a loss claim process. Later that same afternoon, the Scottish Ambulance Service alerted the Scottish Government to the loss.
On Friday 20 June, TNT further escalated its search procedures, advising both the Scottish Ambulance Service and the Scottish Government that it believed that those searches would result in the disk being traced over the weekend. However, shortly after noon on Monday 23 June, TNT confirmed that, although its searches continued, the leads that it had been pursuing over the weekend had not been successful. At that point, the Scottish Government and the Scottish Ambulance Service decided that the loss of the data disk needed to be made public.
I welcome the decision of the Scottish Ambulance Service to provide a helpline for members of the public who have questions relating to the incident. As of noon today, there had been 21 calls to the helpline, of which 13 were from members of the public. I hope that that reflects the reassurance that both we and the Ambulance Service have given to the public and to staff.
I have had the process by which the Scottish Ambulance Service handled the transmission of the data analysed by the Scottish Government's chief information officer. She has reported that the Scottish Ambulance Service followed good practice by conforming to NHS Scotland information security policy and ensuring that the sensitive personal data on the disk that was entrusted to TNT were protected to the appropriate standard. There are three levels to that protection. First, the data are encrypted. Secondly, they are protected with a 15-character randomly generated password. Thirdly, even if those two barriers were overcome, the data would be a meaningless jumble without the file structure that is necessary to recombine them. That is in complete contrast to the loss of 25 million child benefit records by Her Majesty's Revenue and Customs. Those personal data, which included bank account details, were not similarly protected.
Recent problems, both in Scotland and at a United Kingdom level, have highlighted the importance of ensuring that all those who are charged with handling sensitive public information adhere to the highest standards. In November 2007, we ordered a review of data handling procedures across Government to address justified public concern and to identify any areas in which we needed to improve. By coincidence, that review has published its findings and recommendations today. The data handling review shows that public bodies throughout Scotland generally have high standards of data handling. Data security is being taken seriously across Government, but there are still areas in which improvements can and will be made. There is, of course, absolutely no room for complacency.
I do not believe that, in the case of the loss of the Scottish Ambulance Service data disk, there could be any suggestion that the service was complacent in the way in which it sought to protect the data against their possible loss in transit. The Ambulance Service considered whether there were other means of transmitting the data that might eliminate all prospect of human error. In this case, it was clear that the size of the data file far exceeded the limit of an e-mail that would be allowable via the national health service network.
TNT has acknowledged that the package remains missing and has recognised the seriousness of the issue. I know that it is continuing its efforts to trace it. I know, too, that the Scottish Ambulance Service took all reasonable steps to protect the data against the possibility of loss. It is clear to me that we would be having a very different exchange today had that not been the case.
In the same item of business
The Presiding Officer (Alex Fergusson):
NPA
The next item of business is a 10-minute statement by Nicola Sturgeon on Scottish Ambulance Service contact information. The cabinet secretary will take ques...
The Deputy First Minister and Cabinet Secretary for Health and Wellbeing (Nicola Sturgeon):
SNP
I welcome the opportunity to make a statement to Parliament on the loss during transit of a data disk containing information relating to emergency contacts t...
The Presiding Officer:
NPA
The cabinet secretary will now take questions on the issues that have been raised in her statement. We have almost exactly 20 minutes for such questions.
Tricia Marwick (Central Fife) (SNP):
SNP
On a point of order, Presiding Officer. Over the past few days, Margaret Curran has been all over the television, demanding a statement from the cabinet secr...
The Presiding Officer:
NPA
With respect, I do not think that that is a point of order, Ms Marwick.
Tricia Marwick:
SNP
I wonder whether you agree with me that that is disrespectful to the chamber.
Hugh Henry (Paisley South) (Lab):
Lab
On a point of order, Presiding Officer.
The Presiding Officer:
NPA
This is all eating into the time that is available for questions.
Hugh Henry:
Lab
Is it not insensitive that, when a member is attending a funeral, another member seeks to exploit that?
The Presiding Officer:
NPA
That is not a point of order, but I am grateful to the member for putting it on the record; it should answer any possible queries about the issue, which is n...
Dr Richard Simpson (Mid Scotland and Fife) (Lab):
Lab
I thank the minister for her statement. This is the third emergency statement that she has had to make in the chamber. I understand that mistakes can be made ...
Nicola Sturgeon:
SNP
I thank Richard Simpson for his questions. On his final question, I referred to the period covered by the data in my statement—it is February 2006 to June 20...
Mary Scanlon (Highlands and Islands) (Con):
Con
First, I note from your statement that TNT has confirmed that its searches are continuing. Can you advise me what happened to the computerised tracking, whic...
The Presiding Officer:
NPA
I remind all members to address other members through the chair.
Nicola Sturgeon:
SNP
On computerised tracking, TNT has undertaken a number of searches over the past few days—certainly since I was made aware of the issue—including examining al...
Ross Finnie (West of Scotland) (LD):
LD
I am grateful to the cabinet secretary for circulating an advance copy of her statement to shadow ministers while they were still in the chamber. That certai...
Nicola Sturgeon:
SNP
I thank Ross Finnie for confirming that he received safely the copy of my statement that I asked to be delivered to him—that is a great relief to me. Ross Fi...
The Presiding Officer:
NPA
We come to questions from back-bench members. As always, I ask members to keep questions and answers as brief as possible. If they do so, we will manage to f...
Bill Wilson (West of Scotland) (SNP):
SNP
I express my relief—which may not be as great as that of the cabinet secretary—that, in contrast with the 25 million records that HM Revenue and Customs lost...
Nicola Sturgeon:
SNP
It is in line with data protection procedures generally—the point is not specific to the Scottish Ambulance Service—for organisations to use courier companie...
Hugh Henry (Paisley South) (Lab):
Lab
The cabinet secretary said that this situation contrasts with the situation at HMRC—she would say that, wouldn't she? Will she reflect on comments that her c...
Nicola Sturgeon:
SNP
I am here because I have ministerial responsibility for the Scottish Ambulance Service—no one could accuse me of trying to dodge that. However, given that al...
Michael Matheson (Falkirk West) (SNP):
SNP
Given the importance of retaining public confidence in the way in which such matters are handled, I fully accept that the Scottish Ambulance Service has foll...
Nicola Sturgeon:
SNP
That is a fair point. All public bodies should be asked to ensure not just that their practices are up to scratch but that they remain so over time. It is on...
James Kelly (Glasgow Rutherglen) (Lab):
Lab
I note the publication today of the data handling review. The investigation into data handling was announced on 23 November, when John Swinney told Parliamen...
Nicola Sturgeon:
SNP
I am more than happy to ask my colleague John Swinney to respond to James Kelly in detail about the timeline in question. However, the publication here today...
The Presiding Officer:
NPA
I call Ian McKee. Please be as brief as possible.
Ian McKee (Lothians) (SNP):
SNP
It is good to have the reassurances of the cabinet secretary today. Can she advise me whether the Scottish Ambulance Service holds a copy of the information ...
Nicola Sturgeon:
SNP
Yes, the Scottish Ambulance Service has a copy.
The Presiding Officer:
NPA
Perfect.