The government has undertaken to give the information commissioner the power to spot-check all public sector bodies for data security gaps.
It will also publish data security breaches and steps taken to prevent them as part of its annual reporting arrangements at departmental and ministerial levels. The government will also consider stiffening penalties for "the most serious breaches" of the Data Protection Act.
The government accepted these recommendations from the Cabinet Office's head of intelligence, resilience and security, Robert Hannigan. Hannigan's comments were part of an interim report on an investigation into government data handling procedures. The investigation followed a series of data breaches by the public sector last year, the worst of which was HM Revenue & Customs' loss of 25 million records of child benefit claimants, revealed in November.
The information commissioner, Richard Thomas, welcomed the moves. He said, "These new arrangements will not be burdensome or onerous for organisations; they are a vital step to ensure there is proper protection for personal information."
Thomas has been calling for tougher penalties, and for the power to audit both public and private sector organisations for breaches of the Data Protection Act, for almost a year. The Information Commissioner's Office is now discussing with the government how to fund its new responsibilities.
Meanwhile, the Information Commissioner's Office found the Department of Health breached the Data Protection Act in May 2007 when sensitive personal details relating to junior doctors, including religious beliefs and sexual orientation, were visible to any visitors to its Medical Training Application Service website.
The Department of Health will now have to encrypt sensitive personal data held on its website. It must also carry out regular penetration and vulnerability tests on applications and systems under development, and train staff to comply with the Data Protection Act.