Security breach should “set alarm bells ringing” at all public bodies

The information commissioner has said that the security lapse at HMRC that allowed the personal details of 25 million people to go missing in the post should set alarm bells ringing in every public sector organisation.
Richard Thomas said: “Incidents like these illustrate that any system is only as good as its weakest link. Alarm bells must now ring in every public sector organisation about the risks of not protecting people’s personal information properly.”
Chancellor Alistair Darling told Parliament on Tuesday (November 20 2007) that a “junior official” at HMRC had copied details of every family in the country with a child under 16 onto two unencrypted CDs, and then sent them – unregistered – via courier to the National Audit Office. The discs never arrived.
Although Mr Darling insisted that there were “clear procedures in place” that should have stopped a single official being able to download such sensitive information and put it in the post, Mr Thomas said the incident showed that procedures were not enough.
“Any aggregated system of collecting information must be proof against criminals, it must be proof against idiots, it must be proof against those who do not follow the ordinary rules,” he told the BBC’s Today programme. “This [data protection] has got to be taken a great deal more seriously than it has been in this situation.”
The revelation of the security breach at HMRC came a week after Mr Thomas had renewed his call for tougher penalties for organisations and individuals who misuse personal data and more powers for his own office.
Giving evidence to the Lords Constitution Committee enquiry on surveillance and data protection, deputy information commissioner David Smith said his office had put forward proposals to the Ministry of Justice that it should be a criminal offence to “knowingly or recklessly” flout the Data Protection Act 1998.
He also welcomed government proposals to introduce new criminal penalties, including imprisonment, for people who traded in personal data. At the moment, such activity attracts only a fine.
Mr Smith made it clear that penalties should apply in the health service. To illustrate what “knowingly or recklessly” flouting data protection rules might look like, he said: “Say a doctor or hospital leaves a laptop containing patients’ records in a car. It’s hard to say that’s anything but gross negligence. Where there has been gross negligence we need to have some sort of deterrent to make sure people understand the importance of safeguarding information.”
In his 2006 report, What Price Privacy?, Mr Thomas highlighted cases in which lawyers, journalists, private investigators and others had been able to obtain personal details from private and public institutions, including NHS trusts and commissioning bodies, using a variety of hacking and “social engineering” techniques.
He warned then that it would not be possible to build an “information society” unless its “foundations and systems are secure.”
But Mr Thomas has also warned of the dangers of a “surveillance society” and questioned the rationale for some big IT projects, including the children’s database that will hold basic information, including some NHS details, for every child in the country – and not just those known to be at risk.
The Department of Health has backed Mr Thomas’ call for stiffer penalties for data misuse, arguing that these would help to secure the NHS Care Records Service.
Mr Smith told the Lords’ committee: “The DH has supported our call for increased penalties and also wants to see guidance and training for their staff on the risks of being duped and consequences which would face anybody who improperly disclosed information.”
An independent review of the loss of data at HMRC will be carried out by Kieran Poynter of KPMG. This will report to the Chancellor and to the Information Commissioner’s office.