Government to toughen Data Protection Act

In a statement on HM Revenue and Customs’ loss of personal information on 25m Britons, Darling said: “These will take account of the need not only to provide high levels of data security, but to ensure that sensible data-sharing practices can be conducted with legal certainty. We will consult early in the new year on how this can best be done.” (Hansard record)

Darling added that police are still looking for the lost discs, but neither they nor the banks – which were given lists of affected accounts in advance of the public announcement, allowing them to watch for anomalous activity – have seen any evidence of fraud.

Darling said that the stronger penalties are in addition to new powers for the Information Commissioner’s Office (ICO) to conduct spot-checks on government departments’ processing of personal data.

Richard Thomas, the information commissioner, had previously called for both changes. “These new arrangements will not be burdensome or onerous for organisations; they are a vital step to ensure there is proper protection for personal information,” he said in a statement welcoming Darling’s commitment (PDF). “It goes without saying that it is essential that the ICO is properly resourced to discharge any new responsibilities effectively.”

However, in a letter to The Times on 19 December, Thomas said he was not calling for prison sentences to be introduced for serious breaches of the act, but instead only for illegal trade in personal data.

The government has announced a string of personal data breaches over the last few weeks. The first and largest was the loss of data on 25 million children, parents and guardians claiming child benefit, which included bank account information. On 17 December, transport secretary Ruth Kelly told parliament that the Driving Standards Agency had lost personal information on the three million people who took driving theory tests between September 2004 and April 2007. The records were lost in June by the agency’s contractor, Pearson Driving Assessments, on a computer hard-drive in Iowa City in the US.

Earlier, on 11 December, Northern Ireland’s Driver and Vehicle Agency in Coleraine said it had lost personal data on around 6000 drivers, sent on unencrypted discs in November to the UK’s Driver and Vehicle Licensing Agency in Swansea, in response to a safety recall by vehicle manufacturers. Neither of the driver data breaches involved financial information.

Then, on 18 December, HMRC disclosed the loss of 6500 records on those holding pensions with Countrywide Assured. The Lancashire-based firm sent data including names, dates of birth, national insurance numbers and pension contributions to HMRC’s office in Cardiff, by courier in September. Although HMRC signed for receipt of the information, which was held on a data cartridge rather than a standard disc, it has since been lost.

Countrywide Assured has written to its affected customers. HMRC says this latest breach is one of the seven significant data breaches over the last 30 months reported by its acting chairman, Dave Hartnett, to a parliamentary select committee on 5 December.

A major private sector data breach has also come to light during December, with Norwich Union Life disclosing that fraudsters stole money from policies owned by 74 customers, to the value of £3.3 million.

Financial companies, unlike government departments, are subject to severe penalties for infosecurity breaches. Norwich Union Life is paying a £1.26 million fine levied by the Financial Services Authority for the breach, and has refunded the policies. The BBC reports that 11 people have been arrested in connection with the crime.

* The ICO says that the Department of Health breached the Data Protection Act in May, when it allowed open access to sensitive personal data held on the Medical Training Application Service. MTAS, which was used by junior doctors applying for posts, exposed personal information including religious beliefs and sexual orientation.

In a statement released on 19 December (PDF), the ICO said the Department has been required to encrypt personal data, undertake penetration testing and train staff, as well as sign a formal undertaking to comply with the Act. Further failures could lead to enforcement action and prosecution.
