21 November 2007
ICO: HMRC appears to be “bang to rights”
HM Revenue & Customs appears to have been caught “bang
to rights” over the loss of a copy of personal information
on 25 million Britons, based on the available facts, according to
one of the information commissioner’s senior colleagues.
Jonathan Bamford, an assistant commissioner at the Information
Commissioner’s Office (ICO), told the Fine Balance Privacy
Enhancing Technologies conference in Westminster on 21 November:
“No doubt Alistair Darling and other people will have to deal
with the fact that these are legally enforceable standards…
we have a phrase in the UK about being bang to rights.”
After his presentation, Bamford said that, in his 20-year experience
as a data protection regulator, this was the most serious breach
he had seen. “On the facts we have available, it appears there
have been contraventions of the Data Protection Act,” he said,
adding that the ICO will be investigating the case, in which HMRC
lost a copy of personal information on every child in the country,
and most parents and carers, in the government’s internal
mail system.
Bamford said that role-based access and other access controls should
have been in place, so it would have been impossible for a junior
employee to burn discs of the entire database. “It isn’t
rocket science to work out how we stop that happening,” he
said.
He said current government IT systems often leave something to
be desired in terms of privacy, due to procurement processes. “It
[privacy] has not been specified when the government’s been
letting contracts for big IT systems,” he said.
But he added that the Identity and Passport Service (IPS) “has
embraced with open arms” ICO involvement in building privacy
into the national identity register and associated systems for the
UK’s identity card. “We are going to speak to the organisations
which are the bidders for the work, to get our data protection points
across,” he said, adding that although there have been “peaks
and troughs” in the relationship with IPS, ICO is now talking
to senior staff at the agency.
Speaking at the same conference, Germany’s federal commissioner
for data protection, Peter Schaar, criticised the design of HMRC’s
child benefit data store. “One question is, why is there such
a huge database?” he asked. “The second question is,
why is there a directly-related database? Why do they not use data
separation, pseudonymisation, for their purposes?”
Bamford told the conference that use of privacy enhancing technologies
could represent financial good sense. “Building in, rather
than bolting on, can save money,” he said, in ensuring compliance
with data protection legislation. “They can help reduce privacy
risk. You can also help build trust with the public, the privacy
and the data protection communities.”
He added that a recent ICO survey found that 60% of Britons believe
they have lost control of what happens to their personal information,
and concluded that privacy is like public confidence: “Once
you’ve lost it, it’s difficult or impossible to ever
regain it.”