HMRC admits to losing two discs, 25 million accounts
Added by The Editor, 8 months ago.
The furore surrounding last week's announcement that Her Majesty's Revenue and Customs (HMRC) has lost child benefit records looks likely to drag on for weeks to come - and have a profound effect on the way that organisations in both the public and private sectors consider the thorny issue of data protection.
In a speech to the House of Commons, Chancellor of the Exchequer Alistair Darling announced that a police investigation is underway into how two discs, containing records for 25 million people and relating to child benefit payments for 7.25 million families, got lost in HMRC's own postal system.
The two discs never arrived - but that's not what's bothering many, including Vince Cable, acting leader of the Liberal Democrats. The real question, as Mr Cable sees it, is why any information was being physically sent on a CD in the first place, rather than in encrypted format using high-security electronic systems.
There is still much more to be revealed about this case. In particular, those in government need to establish (as a matter of extreme urgency) whether the two discs are really 'lost' or have been stolen. And if the latter proves to be the case, who now has that wealth of personal data at their disposal?
Either way, according to the Chancellor, banks have been informed and are monitoring relevant accounts, as well as tracking back to transactions made after 18 October when the CDs were sent.
But more importantly, we need to know whether the UK government is pursuing a policy of 'do as I say, not as I do' when it comes to data protection, and what broader lessons we can draw from this week's revelation.
As Richard Thomas, Information Commissioner, has pointed out: "This is an extremely serious and disturbing security breach. The alarm bells must now ring in every organisation about the risks of not protecting people's personal information properly."
Comments
There are currently 8 comments about this blog.
Jan Zelezinski, 7 months ago
Martin, as announced in yesterday's Times newspaper, Richard Thomas, the "Information Commissioner, will investigate latest gaffe by taxman". If you want to know of who else they are investigating then go to http://www.ico.gov.uk/about_us/news_and_views/press_releases.aspx and you'll find quite a few!!!
Mandy Shaw, 7 months ago
Someone in HMRC decided to save the money and use the 'full' extract, and someone in HMRC decided to trust the CDs to the internal mail. Maybe they were disobeying procedures, or maybe there weren't any relevant procedures, in which case they surely failed to apply the basic common sense that any employer is entitled to expect. Of course other people will have done these things, in the public sector and in the private sector, and got away with it. At least this episode may stop this sort of thing being seen as acceptable by anyone in any context.
Peter Osborne, 7 months ago
Was it really a question of cutting costs? I read that cutting the data would have cost a relatively meagre £5,000, compared to the millions that it is likely to cost to rectify now the cat is out of the bag. Or just incompetence?
Martin Hodges, 7 months ago
Not to downplay HMRC's catastrophic error, but does anyone else wonder if this type of data loss/theft takes place more regularly than we'd like in the private sector too? Difference is we don't necessarily get to hear about it - even though when it comes to something like your bank account, the repercussions are just as worrying.
Leslie Hill, 7 months ago
Being one of the affected people, I spoke to HMRC today requesting a full extract of the information they provided together with a written explanation as to what caused this error to have been made. HMRC simply said write in if you are not happy. I then went on to say that the preceding letter sent out in the form of an apology also contained sensitive information and if used fraudulently could cause problems equal to the first blunder. HMRC refused to comment. Furthermore, working in IT I know just how simple it is to drop a number of columns from an Oracle/SQL database, so what's all this about having to pay EDS a large amount of money to undertake the process? Maybe that contract needs to be looked into!
Mandy Shaw, 7 months ago
Agreed, this doesn't sound like advanced reporting functionality ... However I'd guess the lack of a specific extract has more to do with the service agreement between EDS and HMRC than with any technical issue.
Jon Mell, 7 months ago
Mandy, I too was intrigued as to why it was so expensive to extract the non-required data. I could understand that adding it in (cross-referencing etc.) might be time consuming (=expensive) but filtering out surely just involves not querying certain columns or deleting columns from the final report?
Mandy Shaw, 8 months ago
Here's another 'real question': why was so much confidential data sent in the first place? We gather that the NAO didn't actually /need/ a lot of the information ... I read that HMRC would have ended up paying EDS an extra charge if they had requested a data extract specific to this requirement, so they didn't. Surely, under at least the spirit if not the letter of the Data Protection legislation, the transmission of such confidential data to another agency or to a third party should only occur /at all/ where there is a specific documented requirement. Also, how on earth is this database structured, if extracting information from it is so difficult? And finally, how many other times has all this confidential data been given to other agencies who happen to require specific subsets of it, just to save money?