In a statement to Parliament at 3.30pm today, Chancellor
Alistair Darling blamed a breach of procedures by junior staff at
HMRC. Paul Gray, chairman of HMRC, has resigned over the
incident.
According to the BBC, two password-protected discs containing the data were sent to the NAO in October. The package was not sent by recorded delivery and it appears that it did not arrive at its destination. A further package was sent by recorded post, which did arrive.
Darling acknowledged that it is "highly likely" that a breach of
the Data Protection Act has occurred.
Information Commissioner Richard Thomas described the incident
as "an extremely serious and disturbing security breach."
"This is not the first time that we have been made aware of
breaches at the HM Revenue and Customs – we are already
investigating two other breaches," he said. "Incidents like these
illustrate that any system is only as good as its weakest
link."
The Information Commissioner has not been charged with reviewing
the breach, though. That job has gone to consultants
PricewaterhouseCoopers. The Chancellor said that PwC's report will
be made available to the Information Commissioner's Office (ICO)
and the ICO will then decide what further action may be
appropriate.
"Searching questions need to be answered about systems,
procedures and human error inside both HMRC and NAO," said the
Commissioner.
Rosemary Jay, a partner at Pinsent Masons, the law firm behind OUT-LAW.COM, said the problem is not just about losing a disc. "You should not have a system where junior staff can copy so much vital data onto a disc. Even if the data had reached the NAO safely, that alone suggests that there would have been a breach of the Data Protection Act."
"It suggests that an understanding of the importance of personal
data has not gone through the organisation," she said. "It also
raises questions about the NAO. Were they used to getting data in
this way? Was there no procedure for the secure transfer of files
between them?"
While the discs were reported to be password protected, there
was no suggestion that the data was encrypted. When asked, HMRC
told OUT-LAW that it could not comment because an inquiry is
ongoing.
Jay said the incident may put more pressure on the Government to
introduce a security breach notification law of a kind that exists
in most US states. The loss of the discs was reported to Darling on
10th November. The matter was only reported to police four days
later. The public announcement came today (20th November).
A data breach notification law was recommended in a recent report by the House of Lords' Science and Technology Committee. Last month the Government responded (16-page / 90KB PDF) that it was "not so convinced as the Committee that this would immediately lead to an improvement in performance by business in regard to protecting personal information and we do not see that it would have any significant impact on other elements of personal internet safety."
The Government said it would "continue to observe the US
experience and consider whether we need to find more formal ways of
ensuring that companies do – as a matter of routine – contact the
Office of the Information Commissioner when problems arise."