Recent data security breaches provoke a spate of Government reviews

19 March 2008

Jamie Herbert

In light of a number of major public sector data security breaches which have occurred in recent months, the Government have commissioned three separate reviews, each emanating from different Departments, and have proposed new powers for the Information Commissioner.

HMRC data loss – Poynter review

Perhaps the most well-publicised of the recent data security breaches was HMRC’s loss of two CDs containing unencrypted details of the entire child benefit database in October 2007. In response to this loss, the Chancellor Alistair Darling immediately commissioned a review by Kieran Poynter, the Chairman of PricewaterhouseCoopers. The terms of reference of this review are to consider and advise the Government on what urgent measures should be taken to improve data security at HMRC, to consider the circumstances surrounding the recent government data security breaches, to establish the exact chain of events surrounding HMRC’s loss of the child benefit database and to make recommendations as to how HMRC may implement and maintain a higher level of data security.

The full report is due to be published in spring 2008. However, in a recent interim report Poynter stated that good progress is being made, both in ascertaining the precise chain of events leading up to the loss of the CDs and in effecting urgent change within HMRC. Changes which have already been implemented include the appointment of a senior official to the new post of Director of Data Security, the imposition of a complete ban on the transfer of bulk data onto removable media without encryption and the utilisation of secure couriers and appropriate tamper-proof packaging in the transport of bulk data stored on removable media.

Wellcome Trust and ICO report on data sharing

In his “Liberty Speech” of 25 October 2007 at the University of Westminster, the Prime Minister announced that he had commissioned an independent review, to be conducted by the Information Commissioner, Richard Thomas, and Professor Mark Walport, Director of the Wellcome Trust, into the way in which people’s information is shared and protected.

The terms of reference for the review have been published by the Ministry of Justice. The Lord Chancellor and Secretary of State for Justice will publish the report in the first part of 2008.

The report will be a “review of the scope of sharing of personal information and the protections that apply when personal information is shared in the public and private sectors.” The review will also look at whether any changes should be made to the operation of the Data Protection Act in the UK. It will also include recommendations on:

  • the ICO’s and the court’s powers and sanctions with regard to data sharing and data protection.

  • how data sharing policy should be developed so as to ensure “proper transparency, scrutiny and accountability”.

In tandem with this review the Ministry of Justice have also begun a consultation, launched on 12 December 2007 and due to finish on 15 February 2008, in which they are seeking the views of a number of organisations, both from the private and public sectors, on the subject of data sharing.

Cabinet Office to review Government data handling procedures

As a result of the HMRC data loss the Prime Minister has commissioned a further review, to be conducted by the Cabinet Office, into data handling procedures within Government. The review will be led by Robert Hannigan, Head of Intelligence, Security and Resilience in the Cabinet Office and will examine:

  • the procedures in Departments and agencies for the protection of data;

  • their consistency with current Government wide policies and standards; and

  • the arrangements for ensuring that procedures are being fully and properly implemented.

The review will be conducted in two stages. Firstly, Departments have been asked to analyse their data handling systems and procedures to assess the level of compliance with current policies and standards. This first step has been completed and the results set out in the Interim Progress Report released by the Cabinet Office in December 2007. This report reveals that a number of Departments are currently conducting internal reviews into their data handling procedures, with many amending their policies with regard to the use of removable media for data storage and the merging of databases.

The second part of the review will aim to “look collectively at improved standards and procedures, including the role of the centre and governance mechanisms as well as the introduction of better compliance and audit arrangements. A plan to deliver any changes will also be produced.”

The final report detailing the results of the second phase of the review will be released in spring 2008.

ICO given power to audit Government departments

The Prime Minister has also recently announced an increase in the powers of the Information Commissioner. At Prime Minister’s Questions on 21 November 2007, he announced that the ICO would have the power to spot check all government departments to ensure that they complied with Data Protection legislation.

He stated that he would give the “Information Commissioner the power to spot-check Departments, to do everything in his power and our power to secure the protection of data”. Details of how these powers will be exercised have not yet been announced.