The UK government claimed that the person who burnt the HMRC child benefit database to a disc and mailed it to the National Audit Office (NAO) was a relatively junior civil servant who had breached rules and would be subject to disciplinary action.
If this is true, it’s hardly fair, is it?
After all, this person was just trying to be helpful. A previous set of discs had already gone missing, and the NAO really wanted the data (actually, they only wanted some of the data, but HMRC thought it was easier just to send the lot). Apparently, ‘senior management’ authorised the despatch. There’s no evidence that HMRC provided the level of training that would ensure that everyone inside the organization understood their individual responsibilities in respect of personal data; conversely, there does appear to be evidence that HMRC is systemically failing to comply with the Data Protection Act (see details of an even more recent data breach) and, in spite of delaying the publication of this news by over a month, still couldn’t even get its story straight.
It’s only right that the Chairman of HMRC should have resigned. That’s not enough: systemic failures of this sort go right to the top of the organization, to the politician accountable to Parliament for its performance. However, it’s not clear that the current Chancellor of the Exchequer should go (although, if he can’t get to grips with this fiasco, he’ll have to go anyway); after all, it was his predecessor who presided over the creation of the shambles that is now HMRC.
And the Prime Minister, who was responsible for the creation of the ‘modern’ HMRC, has promised to spend a lot of money with PricewaterhouseCoopers for proposals to ensure this sort of thing doesn’t happen again.
Well, it doesn’t take a multi-million pound contract to get the answer to this question! The three things that must be done are:
1. Require all UK public sector organizations to achieve ISO/IEC 27001 certification – independent, third-party confirmation that they operate an information security management system, with all the procedures (including staff training) necessary to secure such vital information;
2. Bring in a Data Breach Law requiring immediate notification of any breach to those affected, enabling criminal charges to be brought against organizations and, individually, their top management, and providing for real compensation, as a class, for those affected by the breach;
3. Forget about the UK national ID card – it must be obvious to anyone by now that the risks associated with a database of this sort are just too great for HM Government to counter.
There – that saves the public purse a small fortune!