In association with heise online

25 June 2008, 18:35

Information Commissioner to sanction HMRC and MOD for data loss


Information Commissioner Richard Thomas has decided to issue enforcement notices against HMRC for the loss of 25 million child benefit records in November 2007 and against the Ministry of Defence (MOD) for losing laptops, including one containing personal details of some 600,000 recruits.

Official investigator and PricewaterhouseCoopers Chairman Kieran Poynter has described the HMRC child benefit data loss in his report (PDF) as "entirely avoidable". However, he identified no single individual as bearing prime responsibility for the loss. Instead, "an unfortunate catalogue of inter-locking factors ... triggered the events which unfolded". Fundamentally, "the prioritisation by HMRC staff of other considerations above information security risk concerns" was found to be the root cause.

A separate report (PDF) on the HMRC incident by the Independent Police Complaints Commission (IPCC) found an "... absence of a coherent strategy for mass data handling and, generally speaking, practices and procedures were less than effective". Specifically, the IPCC identified "a complete lack of any meaningful systems", "a lack of understanding of the importance of data handling" and "a ‘muddle through’ ethos".

This is a landmark decision that gives teeth to the Information Commissioner's active campaign for better management of personal data in the UK.

