ICO: HMRC appears to be 'bang to rights'

Most serious breach in 20 years, says assistant commissioner Bamford.

Most serious breach in 20 years, says assistant commissioner Bamford.

HM Revenue & Customs appears to have been caught "bang to rights" over the loss of a copy of personal information on 25 million Britons, a senior official from the Information Commisoner's Office said yesterday.

Jonathan Bamford, an assistant commissioner at the Information Commissioner's Office (ICO), said: "No doubt Alistair Darling and other people will have to deal with the fact that these are legally enforceable standards we have a phrase in the UK about being bang to rights."

Bamford said that, in his 20-year experience as a data protection regulator, this was the most serious breach he had seen. "On the facts we have available, it appears there have been contraventions of the Data Protection Act," he said,

He confirmed that the ICO will be investigating the case.

Bamford said that role-based access and other access controls should have been in place, so it would have been impossible for a junior employee to burn discs of the entire database. "It isn't rocket science to work out how we stop that happening," he said.

Speaking at the Fine Balance Privacy Enhancing Technologies, he said government IT systems often leave something to be desired in terms of privacy, due to procurement processes. "It [privacy] has not been specified when the government has been letting contracts for big IT systems," he said.

Despite calls for the government to abandon the ID cards programme, Bamford said that the Identity and Passport Service (IPS) "has embraced with open arms" ICO involvement in building privacy into the national identity register and associated systems for the UK's identity card.

"We are going to speak to the organisations which are the bidders for the work, to get our data protection points across," he said, adding that although there have been "peaks and troughs" in the relationship with IPS, ICO is now talking to senior staff at the agency.

Speaking at the same conference, Germany's federal commissioner for data protection, Peter Schaar, criticised the design of HMRC's child benefit data store.

"One question is, why is there such a huge database?" he asked. "The second question is, why is there a directly related database? Why do they not use data separation, pseudonymisation, for their purposes?"

Bamford told the conference that use of privacy enhancing technologies could represent financial good sense.

"Building in, rather than bolting on, can save money," he said, in ensuring compliance with data protection legislation. "They can help reduce privacy risk. You can also help build trust with the public, the privacy and the data protection communities."

He added that a recent ICO survey found that 60% of Britons believe they have lost control of what happens to their personal information, and concluded that privacy is like public confidence: "Once you've lost it, it's difficult or impossible to ever regain it."

A version of this article first appeared on the web-site of Infosecurity magazine, http://www.infosecurity-magazine.com/

ICO gets right to spot check government departments in wake of HMRC privacy catastrophe >>

Information Commissioner’s Office asks UK to criminalise severe data breaches >>

Read more on IT risk management