
HMRC fiasco places data protection under the spotlight

Records loss highlights need for new approach to data protection

Written by Tom Young

HM Revenue & Customs’ (HMRC’s) loss of CDs containing child benefit records for 25 million people - including the bank details of 7.25 million families - is the worst data security breach in UK history.

Chancellor Alistair Darling admitted in his parliamentary statement that the situation represents an “extremely serious failure by HMRC in their responsibility to the public”.

But the furore is also emblematic of the need for widespread change in our approach to personal information - not just in government, but in the commercial sector and in society as a whole.

The chancellor was keen to emphasise that when a junior official copied the child benefit database onto CDs and sent the unencrypted data through the post, the department’s data-handling procedures had not been followed.

But the events still illustrate woefully inadequate data protection safeguards.

“Classic risk management strategy is to plan around the worst scenario rather than everyone following procedure,” said Eric Woods, government practice director at analyst Ovum.

HMRC violated three basic principles of good practice.

First, information should be encrypted when downloaded to any kind of portable media.

Second, the data should be anonymised, so that it cannot be linked with its owner.

Third, information should only be accessible by relevant personnel, with multiple sign-offs needed by junior staff members.

On the last point, there is continued debate - with the National Audit Office claiming the downloads were signed off by senior civil servants at HMRC.

But beyond political in-fighting and the short-term blame game is a far more significant problem.

Not only is the current fiasco the third breach at HMRC in as many months, the likelihood of such incidents is only increasing as the amount of data held by organisations of all kinds grows exponentially.

The National Identity Register and NHS IT programme are creating vast new data banks. The UK’s four million-record DNA database is already the biggest in the world. And private sector companies are increasing the amount of information they hold at an equally precipitous rate - particularly supermarkets, credit agencies and financial services providers.

Keeping control of such enormous amounts of data is not easy, according to Richard Hackworth, former chief information security officer at HSBC.

“You can apply access controls of a kind that were not in use at HMRC and make sure the data is encrypted,” he said.

“But if lots of people need to get to the information, that becomes irrelevant.”

There is a balance to be struck. And good practice must be cultural, not just technical.

“The controls to manage data have to be everywhere,” said Hackworth.

“Right now there is not the technology to do this - so ultimately it is a management issue. You have to educate people,” he said.

Instigating the necessary cultural change is crucial for both the public and private sectors, according to the information commissioner, Richard Thomas.

“Alarm bells must ring in every boardroom,” he said. “It is imperative that all organisations take the protection of individuals’ information more seriously.”

Thomas insists that changes to the law will help reinforce the message that personal data is a valuable commodity.

The general public needs little convincing.

Nine out of 10 people regard the safety of their information as a more pressing social concern than the NHS, national security issues or the environment, according to a recent survey by the Information Commissioner’s Office.

The issue is that the government considers public information to be state property, according to David Murakami-Wood, a surveillance expert at Newcastle University.

“People need to realise that their information is an asset that belongs to them and not the government,” he said.

Technology needs to catch up with itself. It can collect and manipulate masses of records, but not necessarily protect them in sufficiently flexible ways.

But progress is being made, according to European Commission head of IT security research Jacques Bus.

“There are some privacy-enhancing technologies being developed that will mean a person’s personal data can’t be accessed by a new organisation unless that person gives personal confirmation - giving control back to the public,” he said.

Additional reporting by Sarah Arnott
