
The government has undertaken to give the information
commissioner the power to spot check all public sector bodies for
data security gaps.
It will also publish data security breaches and steps taken to
prevent them as part of its annual reporting arrangements at
departmental and ministerial levels. The government will also
consider stiffening penalties for "the most serious breaches" of
the Data Protection Act.
The government accepted these recommendations from the Cabinet
Office's head of intelligence, resilience and security, Robert
Hannigan. Hannigan's comments were part of an
interim report on an investigation into government data
handling procedures. The investigation followed a series of data
breaches by the public sector last year, the worst of which was
HM Revenue & Customs' loss of 25 million records of child
benefit claimants, revealed in November.
The information commissioner, Richard Thomas, welcomed the
moves. He said, "These new arrangements will not be burdensome or
onerous for organisations; they are a vital step to ensure there is
proper protection for personal information."
Thomas has been calling for tougher penalties and the power to
audit public and private sector firms for breaches of the Data
Protection Act for almost a year. The Information Commissioner's
Office is now discussing with the government how to fund its new
responsibilities.
Meanwhile, the Information Commissioner's Office found the
Department of Health breached the Data Protection Act in May
2007 when sensitive personal details relating to junior doctors,
including religious beliefs and sexual orientation, were visible to
any visitors to its Medical Training Application Service
website.
The Department of Health will now have to encrypt sensitive
personal data on its website. It must also carry out regular penetration
and vulnerability tests on applications and systems under development, and
train staff to comply with the Data Protection Act.