Well, I did say, when the government blamed the HMRC data loss on the failure of some junior member of staff to observe the rules, that if the truth were ever to emerge, it would be that HMRC suffered from systemic failure to comply with the Data Protection Act (DPA).
Lo and behold, the Poynter report highlights serious institutional deficiencies at HMRC. No surprise there, then.
What is slightly more surprising, though, is the apparent determination of the government to give the Information Commissioner some real teeth. The recent Criminal Justice and Immigration Act brings in serious financial sanctions for organisations that recklessly breach the provisions of the DPA. As recent fines levied for the loss of laptops indicate, ‘serious’ can be in the order of £1 million – certainly serious by most measures.
And most organisations are going to find, when it comes down to it, that they developed DPA compliance policies and procedures when the threat of punitive action was just so much FUD – and these procedures are about to be found wanting. The first cases might be expected in Autumn this year.
That’s why we developed two tools – one is a tool for checking compliance with DPA, and the other is a DPA Compliance toolkit of templates and so on to help organisations ensure they do actually have the core policies and procedures in place.
But, even if you have the right procedures, the key will still be to get staff to comply – and that’s likely to be a real challenge for the allegedly morale-deficient HMRC!