Scottish Ambulance Service (Contact Information)
The next item of business is a 10-minute statement by Nicola Sturgeon on Scottish Ambulance Service contact information. The cabinet secretary will take questions at the end of her statement; therefore, there should be no interventions or interruptions during it.
I welcome the opportunity to make a statement to Parliament on the loss during transit of a data disk containing information relating to emergency contacts that had been made with the Scottish Ambulance Service since February 2006. My statement will cover the detailed timeline of events from the point at which the package that contained the disk was passed to the courier, TNT; the processes that the Scottish Ambulance Service followed to ensure the security of the data in transit; and the action that the Ambulance Service and TNT took in their combined efforts to find the disk from the point at which it became evident that it was missing.
I believe that my statement will assure members and—more important—the public of the robustness of the security practices that the Scottish Ambulance Service adopted. Those safeguards were implemented to minimise any risk of the information being accessed by people who do not have the appropriate authority to access it. The situation contrasts starkly with the situation at HM Revenue and Customs, where data were not protected in that way. I also plan to comment on the Scottish Government's data handling report, which was published earlier today and which offers best-practice guidance for all public bodies that are involved in collecting and managing data.
Late in the afternoon of Thursday 19 June, the Scottish Ambulance Service alerted my officials to the fact that a disk containing data relating to contacts with the emergency service was missing in transit. I was alerted to the loss shortly after 6 pm that evening. The following day—Friday 20 June—the Scottish Ambulance Service confirmed the sequence of events from when the decision was taken to download the information on to a portable hard disk. At that time, the Scottish Ambulance Service also advised of the processes that were applied to ensure the security of the information prior to its being passed to TNT for delivery.
I reassure the people of Scotland that the Scottish Ambulance Service, in preparing for the transfer of the data, took every possible effort to ensure the security of those data. Ambulance Service staff who were preparing the disk for transit sought advice from their data protection officer about the procedures to be followed to ensure the security of the information, which included the full range of data that were stored on the command and control system. Those data related to 894,629 call contacts with the Ambulance Service, including the details that would be conveyed in the course of such calls, such as the location and nature of the incident, the names of callers and patients if available, patients' details, such as their age or date of birth and gender, and contact telephone numbers. If a patient's on-going medical problem was known, the record might also refer to it. Actual medical records were not included in the data. Last night, the Scottish Ambulance Service advised me that the disk also contained necessary operational details, including contact details for staff.
The service has assured staff, as I have assured the public, about the steps that were taken to secure the information before transit. All other information on the disk—for example, contact details for general practitioner practices and other agencies, such as social work departments—is already in the public domain.
The data were exported from the Scottish Ambulance Service's command and control database and encrypted on to a portable hard drive using an encryption tool. That drive, or disk, as I will refer to it, was then sealed in a box with a covering letter that said that if the box was found, it should be returned to the Scottish Ambulance Service. The box was in turn put into another package with a similar covering letter, and the package was handed with a signed receipt to TNT on Monday 9 June 2008. That afternoon, an e-mail was sent to MIS Emergency Services Ltd in Manchester, which is the information technology company that was waiting for the disk in order to upgrade the Ambulance Service information system. That e-mail advised the company that the disk was in transit and that it should expect to receive it the following day, Tuesday 10 June 2008.
Daily contact followed over the next few days, but, by Thursday 12 June, TNT accepted that the package was missing and instigated a search in order to find it. The search continued until Thursday 19 June, when the Ambulance Service was first advised that TNT could not find the parcel and TNT invited the Ambulance Service to set down the details of the loss as part of a loss claim process. Later that same afternoon, the Scottish Ambulance Service alerted the Scottish Government to the loss.
On Friday 20 June, TNT further escalated its search procedures, advising both the Scottish Ambulance Service and the Scottish Government that it believed that those searches would result in the disk being traced over the weekend. However, shortly after noon on Monday 23 June, TNT confirmed that, although its searches continued, the leads that it had been pursuing over the weekend had not been successful. At that point, the Scottish Government and the Scottish Ambulance Service decided that the loss of the data disk needed to be made public.
I welcome the decision of the Scottish Ambulance Service to provide a helpline for members of the public who have questions relating to the incident. As of noon today, there had been 21 calls to the helpline, of which 13 were from members of the public. I hope that that reflects the reassurance that both we and the Ambulance Service have given to the public and to staff.
I have had the process by which the Scottish Ambulance Service handled the transmission of the data analysed by the Scottish Government's chief information officer. She has reported that the Scottish Ambulance Service followed good practice by conforming to NHS Scotland information security policy and ensuring that the sensitive personal data on the disk that was entrusted to TNT were protected to the appropriate standard. There are three levels to that protection. First, the data are encrypted. Secondly, they are protected with a 15-character randomly generated password. Thirdly, even if those two barriers were overcome, the data would be a meaningless jumble without the file structure that is necessary to recombine them. That is in complete contrast to the loss of 25 million child benefit records by Her Majesty's Revenue and Customs. Those personal data, which included bank account details, were not similarly protected.
Recent problems, both in Scotland and at a United Kingdom level, have highlighted the importance of ensuring that all those who are charged with handling sensitive public information adhere to the highest standards. In November 2007, we ordered a review of data handling procedures across Government to address justified public concern and to identify any areas in which we needed to improve. By coincidence, that review has published its findings and recommendations today. The data handling review shows that public bodies throughout Scotland generally have high standards of data handling. Data security is being taken seriously across Government, but there are still areas in which improvements can and will be made. There is, of course, absolutely no room for complacency.
I do not believe that, in the case of the loss of the Scottish Ambulance Service data disk, there could be any suggestion that the service was complacent in the way in which it sought to protect the data against their possible loss in transit. The Ambulance Service considered whether there were other means of transmitting the data that might eliminate all prospect of human error. In this case, it was clear that the size of the data file far exceeded the limit of an e-mail that would be allowable via the national health service network.
TNT has acknowledged that the package remains missing and has recognised the seriousness of the issue. I know that it is continuing its efforts to trace it. I know, too, that the Scottish Ambulance Service took all reasonable steps to protect the data against the possibility of loss. It is clear to me that we would be having a very different exchange today had that not been the case.
The cabinet secretary will now take questions on the issues that have been raised in her statement. We have almost exactly 20 minutes for such questions.
On a point of order, Presiding Officer. Over the past few days, Margaret Curran has been all over the television, demanding a statement from the cabinet secretary on the loss of the data. I notice that Margaret Curran is not here today to listen to the debate.
With respect, I do not think that that is a point of order, Ms Marwick.
I wonder whether you agree with me that that is disrespectful to the chamber.
On a point of order, Presiding Officer.
This is all eating into the time that is available for questions.
Is it not insensitive that, when a member is attending a funeral, another member seeks to exploit that?
That is not a point of order, but I am grateful to the member for putting it on the record; it should answer any possible queries about the issue, which is not a point of order.
We now have less than 20 minutes for questions, after which we will move to the next item of business.
I thank the minister for her statement. This is the third emergency statement that she has had to make in the chamber.
I understand that mistakes can be made in the transmission of data, but questions need to be asked about the mechanisms. What procedure will be put in place to inform ministers about the loss of data? There was a one-week gap between TNT accepting that the data were missing and the minister being partially informed—it was the next morning before further information was passed to her.
It is important to get these things right for the confidence of the public and staff. I need to know, and the public are entitled to be assured, that the randomly generated 15-character password that accompanied the encrypted data was not in the letter in the package, because that has happened in the past. I seek reassurance for the public on that point.
The fact that this is the third occasion on which data have gone missing in Scotland—the Scottish Public Pensions Agency lost data in October 2007 and the Scottish Further and Higher Education Funding Council lost data in January 2008—means that the publication of a report on data handling is timely. However, I wonder why we need to transmit data on 1,000,000 patients at one time by hard disk, and why it was not chunked up into bits and sent via the NHS network—to which the cabinet secretary referred—which is secure, as far as I know.
What period of time is covered by the almost 1,000,000 pieces of data? That information will let the public know the period about which they can call the helpline.
I thank Richard Simpson for his questions. On his final question, I referred to the period covered by the data in my statement—it is February 2006 to June 2008.
Richard Simpson said that this is the third emergency statement that I have made, which is true. I hope that members recognise that that shows my willingness to come to the chamber to report on NHS matters and to give members the opportunity to ask questions.
Richard Simpson asked about the timescale for informing ministers. I am sure that the Scottish Ambulance Service will want to reflect on that, but it informed ministers as soon as the management became aware of the situation, so there was no time delay. I am sure that there is an issue to reflect on around the time delay between TNT and the computer company realising that the data could not be located and informing the Scottish Ambulance Service. However, judgments will always have to be made about whether to continue potentially fruitful searches before informing anyone and causing alarm. As we reflect on the incident, it is important that we also reflect on that point.
Richard Simpson asked whether the password was included in the letter. Nothing that I have heard suggests that that was the case, and I am sure that it was not. However, I want to be absolutely sure that I can reassure Richard Simpson of that, so I will ensure that he has that answer in writing. Again, not one but three levels of protection were applied to the data: the data were encrypted using an encryption tool; a 15-letter randomly generated password was used; and even if someone got through those two lines of defence, sense could not be made of the data without the file structure that is necessary to put the data back together. That should give the public considerable reassurance.
Richard Simpson also asked why the information was being sent. It was part of the updating of the command and control system server. It could not be sent electronically for the reasons that I have spoken about. I am told that the file was 60 times bigger than anything that could be sent through the NHS system. I am sure that different ways of sending such information will be considered. All organisations have a duty to consider such issues.
My final point is that, however we transmit data, it is impossible to eliminate risk completely, even when data are sent electronically. That makes it all the more important that data are properly protected before being sent. The key point is that, in this case, the data were properly and adequately protected. That point should give the public reassurance.
First, I note from your statement that TNT has confirmed that its searches are continuing. Can you advise me what happened to the computerised tracking, which I know from personal experience TNT uses for all parcels and documents?
Secondly, although there seems to be no fault on the part of the Scottish Ambulance Service, what improvements will be made as a result of the data loss that has occurred with TNT?
Thirdly, I note that the statement mentions a loss claim process. Can you tell me what penalty, if any, will apply to TNT? Will the Government make a loss claim? If so, what will be the value of that claim?
I remind all members to address other members through the chair.
On computerised tracking, TNT has undertaken a number of searches over the past few days—certainly since I was made aware of the issue—including examining all its closed-circuit television coverage in depots. Such searches led TNT to believe, on Friday and into Saturday, that specific leads that were being followed would result in the recovery of the disk. One of those leads involved a hospital in England. TNT staff have made use of all the information and technology that they have to point them in the direction of where the disk might be, but, unfortunately, those searches have not proved successful. TNT is still looking for the disk, but what changed on Monday was that specific lines of inquiry were no longer being followed. At that point, I took the decision, along with the Scottish Ambulance Service, that it was right to alert the public to what had happened.
Obviously, the Scottish Ambulance Service will receive a full report from TNT about the loss and will reflect on specific improvements that the service might want to make. I thank Mary Scanlon for acknowledging that the fault does not lie with the Scottish Ambulance Service. The data handling review that the Government coincidentally published today also highlights improvements that we feel still need to be made. The public sector in general has good systems in place, but there is no room for complacency.
Any loss claim is a matter for the Scottish Ambulance Service. It is almost certain that a claim will be made, but the quantum of that claim is a contractual matter between the service and TNT, and will depend on the circumstances that flow from the report that TNT submits.
I am grateful to the cabinet secretary for circulating an advance copy of her statement to shadow ministers while they were still in the chamber. That certainly eliminated the risk of the data being lost.
The cabinet secretary has given a welcome assurance about the levels of protection, but I am bound to tell her that one reason for public disquiet was the language used in the Government's press releases, which talked in rather general terms about it being unlikely that the data could be used. The cabinet secretary's statement was much more robust as she made it much clearer that that was a very remote possibility. Therefore, I ask her to ensure that technical data that are available to her are also transmitted in that way.
Finally, further to the cabinet secretary's response to Richard Simpson's question on why the data were not sent through the NHS's system, should we read into the fact that the size of the data exceeded the current limits of the NHS's network that the safer and best option is not necessarily to be restricted by the current size and capacity of that network?
I thank Ross Finnie for confirming that he received safely the copy of my statement that I asked to be delivered to him—that is a great relief to me.
Ross Finnie made a point about the language that we used when we made the loss of the disk public on Monday. I am happy to reflect on the matter, as it is important that we learn any lessons that must be learned. However, I know that in interviews that I gave on Monday I was careful to stress the level of protection and encryption that was in place. I repeat the point that I made to Richard Simpson: I wish it were different, but, unfortunately, no matter how we transmit data, we cannot eliminate the risk of their being lost. The fundamental issue is whether the data were protected. In the case of HMRC, the key weakness was that the data were not protected, but in this case they were subject to the most rigorous protection. I agree with Ross Finnie that it is important that we get across that reassurance.
There have been a grand total of 21 calls to the helpline, including 13 from members of the public. I understand that the remaining calls, apart from one or two from staff, were from other organisations offering their assistance to the Scottish Ambulance Service, but I have not managed to delve into the detail of the matter. The low number of calls suggests that the reassurance that we have given has got through to the public and that people know that the data are secure.
Ross Finnie makes a valid point about the service's system. I think that I may have said that the information on the disk was 60 times the maximum capacity of the network infrastructure. I am not a computer expert, but my briefing notes indicate that the information was 600 times the maximum capacity of the infrastructure—if I gave the wrong figure inadvertently, I stand corrected. As Ross Finnie indicated, we must always seek the best, most efficient and most reliable ways of making secure and transmitting information. I have no doubt that all parts of the public sector will continue to do that.
We come to questions from back-bench members. As always, I ask members to keep questions and answers as brief as possible. If they do so, we will manage to fit everyone in.
I express my relief—which may not be as great as that of the cabinet secretary—that, in contrast with the 25 million records that HM Revenue and Customs lost recently, the Paisley emergency response centre data that were lost were fully encrypted and password protected. I note that TNT suggests that all security procedures were followed but the data still went missing. I am sure that the cabinet secretary agrees that it is vital that TNT find the cause of that lapse in security. Can we be assured that, if it is unable to do so, it will not secure future contracts?
It is in line with data protection procedures generally—the point is not specific to the Scottish Ambulance Service—for organisations to use courier companies with audit and security arrangements, so the use of TNT was in line with recognised procedures. As I have indicated, the Scottish Ambulance Service will receive a report on the incident from TNT. I am sure that the content of that report will inform any future decisions that the service makes.
There is one point that I have not made so far. It should be obvious, but in case it is not, I point out that this was a one-off transfer of data by the Scottish Ambulance Service, associated with the upgrading of its system. The service does not transfer such data routinely and regularly between locations, so it will not ask TNT or anyone else to carry out transfers regularly.
The cabinet secretary said that this situation contrasts with the situation at HMRC—she would say that, wouldn't she? Will she reflect on comments that her colleagues made in relation to the HMRC incident? Mike Weir spoke about the incompetence of the Administration, Stewart Hosie suggested that the Chancellor of the Exchequer had lost credibility, and Sandra White and seven of her colleagues in the Parliament called for the chancellor's resignation. Does the cabinet secretary agree that those comments were inappropriate?
I am here because I have ministerial responsibility for the Scottish Ambulance Service—no one could accuse me of trying to dodge that. However, given that all members in the chamber, with the possible exception of Hugh Henry, have had the good grace to concede that the Scottish Ambulance Service is not at fault, the rest of his comments are somewhat absurd. The situation that we are discussing contrasts with the HMRC incident, so the comments to which he referred stand. First, there was fault on the part of HMRC in respect of that data loss; secondly, the nature of the information was different because it included bank account details; and thirdly, and crucially, the data were not encrypted. That makes the HMRC case radically different.
Given the importance of retaining public confidence in the way in which such matters are handled, I fully accept that the Scottish Ambulance Service has followed all the necessary procedures in this instance. However, will the cabinet secretary ensure that public bodies within her areas of responsibility that transfer data regularly audit the process that they use and that the audit covers any private company that may be contracted to carry out that work?
That is a fair point. All public bodies should be asked to ensure not just that their practices are up to scratch but that they remain so over time. It is one of the delicious ironies of life that the data handling review is being published today. The review points out that the NHS's procedures are an exemplar in many respects. That assures me that the Scottish Ambulance Service, which follows those procedures, did what it should have done. I agree that organisations should always keep their procedures up to date and learn lessons. However, let us acknowledge that the Scottish Ambulance Service did what it was meant to do.
I note the publication today of the data handling review. The investigation into data handling was announced on 23 November, when John Swinney told Parliament that the results of the initial review would be reported to him within two weeks. If the initial review reported within that timescale, why has it taken more than six months for the results to be made public?
I am more than happy to ask my colleague John Swinney to respond to James Kelly in detail about the timeline in question. However, the publication here today of the data handling review coincides with its publication in England, Wales and, I believe, Northern Ireland, which is a good sign of partnership working between the different parts of the United Kingdom.
I call Ian McKee. Please be as brief as possible.
It is good to have the reassurances of the cabinet secretary today. Can she advise me whether the Scottish Ambulance Service holds a copy of the information that has gone missing?
Yes, the Scottish Ambulance Service has a copy.
Perfect.
On the question of back-up information, can the minister reassure the public that such information will be stored off-site? It is fundamental for any IT system to ensure that, for safety and future security, information is stored on two sites rather than on one.
I thank the Presiding Officer for his earlier commendation.
I offer to reply to Helen Eadie in detail on the technical point that she raises. Her general point about the back-up of data will be recognised by everybody. I will return to her on exactly how, in what form and in how many locations different forms of data are backed up.
I should just say that my use of the word "perfect" was in relation to the length of Dr Ian McKee's question and the answer.