Tuesday, November 20, 2007

British tax authorities lose personal details of 25 million people

A crass case of neglect and breach of data protection legislation has led to the loss of discs containing the names, addresses, dates of birth, bank account details and National Insurance numbers of 25 million people in the United Kingdom, it was revealed today (see reports by the BBC, the Financial Times, the Guardian and The Times).

The data (they are the complete records of all 7.25 million families in the UK with a child under 16 years of age) were on two CD-ROMS which the tax authority (Her Majesty's Revenue & Customs or HMRC for short) shipped on 18 October 2007 with the courier TNT – who operate the HMRC's post system. However, they were neither recorded or registered, and failed to arrive at their destination, the National Accounting Office.

As sending the data in this way constituted a breach of rules (which was repeated a few days later, although this time as a registered parcel which reached its destination), the chairman of HMRC, Paul Gray, has resigned his post. British Chancellor of the Exchequer Alistair Darling told the House of Commons today that there was no evidence "that this data has found its way into the wrong hands". But he also admitted that the millions of families concerned were at risk from fraud and identity theft and advised them "to monitor their accounts and guard against any unusual activity."

It is difficult to understand why the HMRC chose to transfer these data at all in a physical manner rather than transferring them in encrypted format over a secure high-speed data link, as one would expect to be standard in the early 21st century. This is a massive blunder which will bring anxiousness and discomfort (to say the least) to countless British citizens for some time to come.

Regular readers of this blog will recall previous examples of private sector data security breaches (for example, the TJX case, or that of Marriott International, with links to more cases covered in this blog). Today's episode shows that the public sector is similarly careless and incompetent in this respect. For any observer of British e-government and its long record of failures, this will be no surprise.

One probably needs no special prophetic powers to predict that the Labour government's plans for a National Identity Register and for an equally comprehensive electronic health care records system will now again come up for discussion and under increased scrutiny. But so far, one has to say, the British government has not let the rather dismal past record in this field (or reasoned argument) come in the way of its grand plans for the future...

Technorati Tags: , ,