Information commissioner to act against HMRC, MoD
Published: 25 Jun 2008 15:07 BST
The information commissioner is to take action against two government organisations over data-loss incidents.
In an announcement on Wednesday, Richard Thomas said he will take action against HM Revenue & Customs (HMRC) for the loss of 25 million child-benefit claimant details, and against the Ministry of Defence (MoD) for the loss of laptops containing sensitive military data.
Enforcement notices are to be served following publication of a review by the Independent Police Complaints Commission that blames "systemic failure" for the HMRC loss, and a review, due to be published today by Sir Edmund Burton, of the MoD data loss.
"I will be taking formal enforcement action against HMRC and MoD, following the serious data breaches that have occurred," said Thomas. "The reports... show deplorable failures at both HMRC and MoD."
Thomas added that, while these breaches have been highly publicised, they are not isolated cases, and that even more sensitive data has been lost that has not been made public knowledge.
Read this
Special report: The top five internal security threats
What should an employer watch out for?
"It is deeply worrying that many other incidents have been reported, some involving even more sensitive data," said Thomas. "It is of fundamental importance that lessons are learned from these breaches. Information security and other aspects of data protection must be taken a great deal more seriously by those in charge of organisations."
Thomas said that it is "beyond doubt that both departments have breached data-protection requirements" and that the Information Commissioner's Office (ICO) intends to serve formal enforcement notices on them.
To comply with the terms of the enforcement notices, HMRC and the MoD will have to implement all the recommendations outlined in the reports. The information commissioner will require progress reports to be published after 12, 24 and 36 months, documenting in detail how the recommendations have been implemented to improve data-protection compliance. Failure to comply with an enforcement notice is a criminal offence.
- The top five internal security threats
- Keeping mobile data from going walkabout
- Lib Dems call for data guardians
- Worker suspended over loss of prisoner data
- Ministry of Justice reports nine data breaches
- Foreign Office reports five data breaches since 2007
- ICO: Gov't ignoring data-sharing hazards
- Lords presses government for data-breach law
- Experts urge criminal charges for data breaches
- Justice minister urges overhaul of gov't data handling
- MoD announces data-protection action plan
- Systemic failure blamed for HMRC data loss
Did you find this article useful?
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
