HMRC breaches DPA

While one swallow might not make a summer, multiple breaches of one particular law (Information Commissioner: “we are already investigating two other breaches”) do rather suggest that the organization concerned has little interest in compliance with it.

Her Majesty’s Revenue and Customs (‘HMRC’) has, on a number of occasions, broken the law. Those involved in the breach, and their political masters who allowed it to happen, should be dismissed and prosecuted.

The law HMRC has broken is the Data Protection Act 1998 (‘DPA’). This is what DPA says: “Personal data shall not be processed unless…appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” (7th Principle).

The DPA provides explicit guidance on how to interpret this principle: “Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.”

The data on the child benefit database (names, national insurance numbers, dates of birth, mother’s maiden names, bank account details, etc, of some 25 million people) is clearly personal data, and is clearly highly sensitive. The law therefore requires the Data Controller (in this case, HMRC) to take appropriate measures to ensure the security of the data. Even the most rudimentary of information security risk assessments would identify the danger of someone attempting to extract some or all of this data. Appropriate counter-measures should therefore, and rather obviously, include removal of any technical capability to ‘burn the database to a disc’. The supervisory failure that allowed a junior member of staff to export this data to a disc and then mail it, unencrypted, outside the organization is merely sympomatic of a deeper failure to make any effort whatsoever to comply with the DPA.

It seems to me that the time has come, not only for executives and ministers to be dismissed and prosecuted, but for two other steps:
1. All public sector organizations that deal with personal data should be required to achieve certification to the international information security standard ISO/IEC 27001 – and should be given no more than two years to complete certification;
2. The UK now needs a data breach law that brings significant financial penalties and criminal charges against those – from the top of the organization down – who fail to take security measures appropriate to the nature of the personal data being protected.