November 21, 2007 11:16 AM PST

U.K. government reveals its 'biggest privacy disaster'

Her Majesty's Revenue and Customs has admitted to losing the details of 25 million individuals, with 7.25 million U.K. families potentially affected.

In a speech to Parliament on Tuesday, the chancellor of the exchequer, Alistair Darling, told of the loss of two discs containing the details of everybody in the U.K. who claims and receives child benefits.

Details on the discs, which were only password-protected, included names, addresses, dates of birth, national insurance numbers, and bank and building society account details.

"This is the biggest privacy disaster by our government," said Jonathan Bamford, assistant information commissioner. "Clearly on the facts available there appears to be a major contravention of data-protection laws."

Speaking on Wednesday at "Fine Balance," a conference in Westminster on privacy-enhancing technologies, Bamford said that some of the eight principles of the Data Protection Act, including that personal information be kept secure, had "clearly been breached."

Bamford added that there should be tougher penalties for persistent or serious breaches of data laws. At present, the toughest legal penalty for the persistent or serious flouting of data laws in the U.K. is a 5,000-pound ($10,300) fine; criminal prosecution is possible only after the Information Commissioner's Office has served notice due to an information breach, and another breach occurs.

"This is an extremely serious matter," said Darling. "HMRC (Her Majesty's Revenue and Customs) failed to meet the high standards expected of it. I recognize that millions of people across the country will be concerned."

The discs were lost during a National Audit Office investigation in October. A junior official in HMRC sent the unencrypted discs to the NAO, but HMRC was not informed until November 8 that the discs had not arrived to be audited. Darling himself was informed of the loss on November 10--three weeks after the discs had failed to arrive at the NAO.

Edward Leigh, the chair of the Public Accounts Committee, later said that the information the NAO requested had specifically been national insurance numbers, and not other personal details.

HMRC had not followed procedures for data transit, said Darling. The agency had given the discs to courier TNT, but had failed to record or register the discs. When those discs did not arrive, two more discs with the same information were sent by registered post. Those discs did arrive.

"Again, they should never have let this happen," said Darling.

When Darling was informed on November 10, he ordered searches for the data. When nothing had been found by November 14, Darling asked the Metropolitan Police to become involved.

Darling said that there had, as yet, been no evidence of fraudulent activity.

"So far the data has not been found," said Darling. "The police told me there was no reason to believe the discs have fallen into the wrong hands, or been used for fraudulent purposes."

Last week Paul Gray, chairman of HMRC, offered to resign over the matter, and he did so formally on Tuesday.

This is the second major data-loss incident involving HMRC to emerge this month. On November 6, it was revealed that the pension details of 15,000 Standard Life customers were sent to the pension provider by HMRC via an unnamed third-party courier at the end of September. The disc went missing and was not encrypted.

Tom Espiner of ZDNet UK reported from London.

See more CNET content tagged:
data protection, U.K., government, insurance

2 comments

Join the conversation!
Add your comment
Data insecurity
I'm hoping this might be the first nail in the coffin of ID cards
and the national register in the UK, but expect they'll plough on
regardless. It doesn't matter how many experts try to explain to
the government that it's a disaster waiting to happen, they'll do
what they want.

What gets me is that they pretend they want the whole system
for our good when there's absolutely nothing good can come of
it, but plenty bad. What gets me even more is that the majority
of the public here believe them and happily hand their liberties
over piece by piece, blissfully confident of our democratic
freedoms and the benevolence of the authorities.
Posted by eddy m (280 comments )
Reply Link Flag
Post office? :-s
The british post office??? Erm, think you need to read again. It
was TNT, a national courier firm, NOT the post office, which is
actually called Royal Mail FYI.

I find it all quite amusing actually. As a british citizen, I can
honestly say the government sucks, and they are useless at
everything, including, obviously, following their own laws, such
as the Data Protection Act.

What's more important however, is none of my details are on
those missing disks. :-)
Posted by hunkyboi69 (47 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.