ICO takes action over compromise of MPs’ personal details

The Independent Parliamentary Standards Authority has agreed to take action after MPs' personal details were placed at risk, the Information Commissioner's Office (ICO) has announced.

The Independent Parliamentary Standards Authority (IPSA) has agreed to take action after MPs' personal details were placed at risk, the Information Commissioner's Office (ICO) has announced.

MPs' expenses claims were accessible for a period of 21 hours following IT maintenance work in July 2010, which allowed others with an expenses account, and their clerks, to access the information, the ICO said.

The data included MPs' banking details, vehicle registrations and home telephone numbers.

Mick Gorrill, head of enforcement at the ICO, said the case highlighted how any work carried out on a database must be subject to rigorous security testing before being relaunched.

"MPs carry out a high-profile role and the information their expenses claims include could put them at risk of fraud and endanger their security," he said.

IPSA has signed a formal undertaking to ensure that changes to the system's administrator account are reviewed regularly and that breach notification procedures are reviewed and communicated to all MPs and staff.

The authority will also implement any other security measures it deems necessary to protect MPs' personal information, the ICO said.

IPSA said in a statement, "Following a data breach on 13 July, data was accessed by 11 MPs or their offices. IPSA took urgent action to remove the data and reported the incident to the ICO immediately. In the days after reporting the incident to the ICO, IPSA took further urgent steps to strengthen its systems and processes."

The expenses authority also highlighted the measures it has taken to address the problem, which include:

  • Restricting the number of staff who have access rights to move and release data reports;
  • Introducing technical changes to prevent a repeat of the incident;
  • Reviewing user accounts and introducing new ones with a hierarchy of privileges;
  • Completing an independent security accreditation exercise;
  • Appointing an independent auditor to review system security;
  • Strengthening internal monitoring activities to identify members of staff who view data reports;
  • Heightening the authorisation requirements for staff being able to access and change IT systems;
  • Providing ongoing training of staff emphasising the importance of data security.
  • Contacting each MP setting out the action they needed to take if they read or kept the data.

"IPSA takes data protection very seriously. We are committed to ensuring robust data security," said the IPSA statement.

 

Read more on IT risk management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

SearchCIO

SearchSecurity

SearchNetworking

SearchDataCenter

SearchDataManagement

Close