MPs appalled by lax data rules
The government should already have introduced the measures that were only put in place after the loss of data affecting 25 million people, MPs believe.
HM Customs and Revenue (HMRC) introduced additional security procedures after realising it had mislaid two CDs containing the information it had sent to the National Audit Office.
Justice committee chairman Alan Beith said it was “frankly incredible” HMRC had not done so beforehand and said the episode pointed to wider failings within the government.
“The scale of the data loss by government bodies and contractors is truly shocking but the evidence we have had points to further hidden problems,” he said.
“We will monitor the situation closely to ensure that effective action is taken to protect information which is the property of members of the public.”
Gordon Brown announced a review of the government’s data protection measures in the wake of the HMRC loss.
The justice committee, publishing its report on the protection of private data today, says urgent action needs to be taken to punish those guilty of major failings in this area.
It calls for information commissioner Richard Thomas to be given enforcement powers making companies report incidents of data loss and demands legislation making “significant security breaches” a criminal offence.
“There is a difficult balance to be struck between the undoubted advantages of wider exchange of information between government departments and the protection of personal data,” the report concludes.
“The very real risks associated with greater sharing of personal data between government departments must be acknowledged in order for adequate safeguards to be put in place.”
Commenting on the report, a statement from the Ministry of Justice said the government “takes data protection seriously” and claimed to have identified problems with the existing system in October 2007.
It said the criminal justice and immigration bill currently going through parliament included provisions for punishing those who profit from illegal information and said a statutory requirement to notify data protection breaches was also being considered.
“We will consider this, along with other recommendations for safeguards, when the various reviews have concluded so that we can take a considered view of the range of measures necessary to strengthen the protection of personal data,” the statement concluded.