Revenue blunder is a lesson for public bodies

The Information Commissioner has highlighted the importance of tight security and data protection in public sector bodies, following the security lapse at HM Revenue and Customs (HRMC) leading to the disappearance of discs containing the personal data of 25m people.

Last night the Chancellor, Alistair Darling, confirmed that two computer discs holding the personal details of all families in the UK with a child under 16 had gone missing, after being sent by unrecorded and unregistered internal mail.

The Child Benefit data on them included names, addresses, dates of birth, National Insurance numbers and, where relevant, bank details of 25m people.

Responding to the revelation, Richard Thomas, Information Commissioner, said: “Incidents like these illustrate that any system is only as good as its weakest link. The alarm bells must now ring in every public sector organisation about the risks of not protecting people’s personal information properly.

“As I highlighted earlier this year, it is imperative that organisations earn public trust and confidence by addressing security and other data protection safeguards with the utmost vigour.”

Yesterday the Chancellor made an emergency statement to the Commons, explaining how a junior official at the HMRC sent the entire child benefit database from the HMRC office in Washington, Tyne and Wear, to the National Audit Office in London on 18 October.

In a clear breach of the agency’s procedure, the package was not posted via recorded delivery, through contracted courier TNT, and never arrived at its destination. Earlier in the day HMRC chairman, Paul Gray, resigned after the incident came to light.

Thomas has now promised to pursue a full review of this data loss, which he says is now the third such incident the Information Commission is investigating from the HMRC.

“I am pleased that HMRC reported this breach to my office and that the Chancellor has announced that Kieran Poynter of KPMG will carry out an independent review. The Chancellor has agreed that the full report will be made available to my office and we will then decide what further action may be appropriate. Searching questions need to be answered about systems, procedures and human error inside both HMRC and NAO,” he said.

The discs were password protected, and the Chancellor said a junior official should never have been in a position to post the sensitive information, but added that there was currently no evidence to suggest it had fallen into the wrong hands.

“This is a very, very bad situation indeed. There are clear procedures in place which should have stopped anyone, let alone a junior official, from downloading this information on to two discs and putting them in the post unregistered,” the Chancellor admitted.

Yesterday, EHI reported that the Information Commissioner had proposed plans to prosecute doctors who have laptops containing unencrypted patient information stolen from their cars.

Joe Fernandez