He has also warned that any Government plans to create a single database of phone and internet use data collection plans could be a threat to privacy.
The Information Commissioner's Office (ICO) has published its annual report in which it said that it had informally resolved 48% of its closed cases, and that it had received 2,646 freedom of information complaints in the last 12 months.
Last November HM Revenue and Customs (HMRC) lost two compact discs containing the personal details of 25 million child benefit claimants. The loss was the subject of five reports, including one by Kieran Poynter of PriceWaterhouseCoopers, which contained 45 recommendations for HMRC.
"Having considered the report ... the Commissioner is satisfied that the data controller has contravened the Third Data Protection Principle in that the personal data processed on the missing compact discs were excessive for the purpose for which they were processed," says the decision notice issued by the ICO. "Moreover, the Commissioner is also satisfied that the data controller has contravened the Seventh Data Protection Principle in that he failed to take appropriate measures to ensure the security of its data."
HMRC was ordered by the notice to ensure that the recommendations in the Poynter report were carried out within three years, and that annual progress updates be provided to the ICO.
In January of this year a laptop belonging to the Ministry of Defence (MoD) was stolen. It contained the unencrypted details of up to one million people.
"In the circumstances the stolen laptop computer held an excessive amount of personal data at the time it was stolen," said the ICO's notice.
The MoD has also been ordered to comply with the recommendations contained in a report into the issue and to comply within a year, giving three monthly reports on progress.
Delivering the annual report, Commissioner Richard Thomas warned that reported Government plans to create a new database of phone and internet usage for all UK citizens could be a dangerous threat to privacy.
"Speculation that the Home Office is considering collecting this information from phone companies and internet service providers has been reinforced by the government’s Draft Legislative Programme which, referring to a proposed Communications Data Bill, talks about ‘modifying procedures for acquiring communications data’," he said.
"I am absolutely clear that the targeted, and duly authorised, interception of the communications of suspects can be invaluable in the fight against terrorism and other serious crime. But there needs to be the fullest public debate about the justification for, and implications of, a specially-created database – potentially accessible to a wide range of law enforcement authorities – holding details of everyone’s telephone and internet communications. Do we really want the police, security services and other organs of the state to have access to more and more aspects of our private lives?" he said.
The Home Office has previously told OUT-LAW that it was not yet releasing details of what it meant by the outline changes contained in the Government's Draft Legislative Programme.
The ICO has also cancelled an enforcement notice served last January on retailer Marks and Spencer (M&S). The company had been issued with a notice ordering them to encrypt all the data on their laptop computers after a computer was stolen.
The ICO said in January that M&S had broken the law when it allowed the details of 26,000 employees to be stored on laptops in unencrypted form. The ICO ordered it in January to encrypt all of its laptops by April.
M&S wrote to the ICO last week to say that all the company's laptops had been encrypted. IT director Darrell Stein said in the letter that 4,532 had been encrypted. The computers are mostly in the UK, but some are as far afield as Morocco, Bangladesh and Sri Lanka.
Deputy Information Commissioner cancelled the enforcement notice this week. Failure to comply with an enforcement notice can result in criminal charges.
When the notice was issued it said that the ICO was prepared to accept less formal undertakings from M&S that it would encrypt the computers, but that M&S pushed for no announcement of those undertakings to be made. That was "not acceptable to the Commissioner," the notice said.