Most serious breach in 20 years, says assistant
commissioner Bamford.
HM Revenue & Customs appears to have been caught "bang to
rights" over the loss of a
copy of personal information on 25 million Britons, a senior
official from the Information Commissioner's Office said
yesterday.
Jonathan Bamford, an assistant commissioner at the Information
Commissioner's Office (ICO), said: "No doubt Alistair Darling and
other people will have to deal with the fact that these are legally
enforceable standards. We have a phrase in the UK about being bang
to rights."
Bamford said that, in his 20-year experience as a data
protection regulator, this was the
most serious breach he had seen. "On the facts we have
available, it appears there have been contraventions of the Data
Protection Act," he said.
He confirmed that the ICO will be investigating the case.
Bamford said that role-based access and
other access controls should have been in place, so it would
have been impossible for a junior employee to burn discs of the
entire database. "It isn't rocket science to work out how we stop
that happening," he said.
Speaking at the Fine Balance Privacy Enhancing Technologies conference, he
said government IT systems often leave something to be desired in
terms of privacy, due to procurement processes. "It [privacy] has
not been specified when the government has been letting contracts
for big IT systems," he said.
Despite calls for the government to abandon the ID cards
programme, Bamford said that the Identity and Passport Service
(IPS) "has embraced with open arms" ICO involvement in building
privacy into the national identity register and associated systems
for the UK's identity card.
"We are going to speak to the organisations which are the
bidders for the work, to get our data protection points across," he
said, adding that although there have been "peaks and troughs" in
the relationship with IPS, ICO is now talking to senior staff at
the agency.
Speaking at the same conference, Germany's federal commissioner
for data protection, Peter Schaar, criticised the design of HMRC's
child benefit data store.
"One question is, why is there such a huge database?" he asked.
"The second question is, why is there a directly related database?
Why do they not use data separation, pseudonymisation, for their
purposes?"
Bamford told the conference that use of privacy enhancing
technologies could represent financial good sense.
"Building in, rather than bolting on, can save money," he said
of ensuring compliance with data protection legislation. "They can
help reduce privacy risk. You can also help build trust with the
public, the privacy and the data protection communities."
He added that a recent ICO survey found that 60% of Britons
believe they have lost control of what happens to their personal
information, and concluded that privacy is like public confidence:
"Once you've lost it, it's difficult or impossible to ever regain
it."
A version of this article first appeared on the web-site of
Infosecurity magazine, http://www.infosecurity-magazine.com/