I read an account of the government position on the most recent data loss on the BBC (here).
It sounds like the government are saying it must be PA Consulting’s fault since they took the data on a memory stick in contravention of their contract. Clearly not PA’s finest hour, but methinks the Home Office is being slippery here. It doesn’t feel remotely acceptable to rely on the contract in place of decent defensive safeguards. PA should not have been able to see the actual individually identifiable data at all unless critical (e.g. real name and real address should have been removed). And, even if the real data was required, they should not have been able to copy it to any removable media at all by themselves – that should require formal data release procedures.
By analogy, pedestrian crossings are a waste of time – it’s illegal to drive into a pedestrian, so that should be defence enough. But it’s not, is it? Nor is it for data.