Kit Malthouse – 2021 Statement on Data Loss at the Home Office

The statement made by Kit Malthouse, the Policing Minister, in the House of Commons on 18 January 2021.

With permission, Mr Speaker, I would like to make a statement about the technical issues that we have experienced with the police national computer over the past week.

The records and information held by the police help to keep us safe, but they, like many other public bodies, have an obligation to ensure that the information they hold is properly managed. As I am sure you are aware, Mr Speaker, not all information and records held by the police can be held indefinitely. To ensure that the police are complying with their legal obligations in respect of the records they hold, a regular housekeeping process is undertaken to delete personal data and records from the police national computer and linked databases: in this case, data relating to individuals who were investigated by the police but where no further action was taken. This is undertaken for a variety of reasons, but chiefly to abide by legal obligations.

With such a large database, holding some 13 million records, an automated process is used to remove records that the police national computer has no legal right to hold. A weekly update was designed by engineers and applied to the police national computer, which then automatically triggers deletions across the PNC, and other linked databases. Last week, the Home Office became aware that, as a result of human error, the software that triggers these automatic deletions contained defective coding and had inadvertently deleted records that it should not have, and indeed had not deleted some records that should have been deleted. An estimated 213,000 offence records, 175,000 arrest records and 15,000 person records are being investigated as potentially having been deleted. It is worth the House noting that multiple records can be held against the same individual, so the number of individuals affected by this incident is likely to be lower. Operational partners are still able to access the police national computer, which holds, as I say, over 13 million records. Clearly this situation is very serious, and I understand that colleagues across this House will have concerns, which of course I share.

By your leave, Mr Speaker, I want to set out for the House the steps that we have taken to deal with this complex incident. On the evening of 10 January—the same day the Home Office became aware of the incident—engineers put a stop on the automated process to ensure that no further deletions took place. All similar automated processes have also been suspended. Early last week, Home Office civil servants and engineers worked quickly to alert the police and other operational colleagues, and established a bronze, silver and gold command to manage the incident and co-ordinate a rapid response. The gold command provided rapid guidance for police forces and other partners to ensure that they were kept abreast of the situation.

Secondly, Home Office officials and engineers, working closely with the National Police Chiefs Council, police forces and other partners, immediately initiated rapid work, through the gold command, to assess the full scale and impact of the incident. This included undertaking a robust and detailed assessment and verification of all affected records, followed by developing and implementing a plan to recover as much of the data and records as is possible, and to develop plans to mitigate the impacts of any lost data. This is being done in four phases. Phase 1 involves writing and testing a code to bring back accurate lists of what has been deleted as a result of the incident. Phase 2 will involve running that code and then doing detailed analysis on the return to fully analyse the records that have been lost and establish the full impact. Phase 3 will be to begin the recovery of the data from the police national computer and other linked systems. Phase 4 will involve work to ensure that we are deleting any data that should have been deleted as usual when this incident first began. Phase 1 of the process has taken place over the weekend, and I am assured that it has gone well. The second phase is now under way, and I will hopefully have an update in the next few days.

While any loss of data is unacceptable, other tried-and-tested law enforcement systems are in place that contain linked data and reports to support policing partners in their day-to-day efforts to keep us safe: for example, the police national database or other local systems. The police are able to use these systems to do simultaneous checks.

I urge patience while we continue our rapid internal investigation and begin the recovery. I hope the House will appreciate that the task in front of us is a complex one. Public safety is the top priority of everyone working at the Home Office, and I have full faith that Home Office engineers, our partners in the National Police Chiefs Council and police forces throughout the country, with whom we are working, are doing all they can to restore the data. Although that is rightly our immediate priority, the Home Secretary and I have commissioned an internal review as to the circumstances that led to this incident, so that lessons can be learned. I will update the House regularly on the process. I commend this statement to the House.