U.K. faces wave of data security breaches

Published 23 April 2008

The state of personal data security in the United Kingdom is not good; in the last six months, nearly 100 incidents of data security breaches by government agencies and private sector companies were reported.

When it rains, it pours. Almost 100 security breaches resulting in personal information going missing have been reported to the U.K. government’s privacy watchdog in the last six months, it was revealed the other day. Information has been recovered in only three of the cases, the information commissioner, Richard Thomas, said. Thomas said it was “inexcusable” that public and private organizations were continuing to lose data following the controversy in November about HM Revenue & Customs (HMRC) losing computer discs carrying details of 25 million child benefit claimants. The Guardian’s Andrew Sparrow writes that of the total number of incidents reported to the commissioner, sixty-two security breaches were in the public sector, twenty-eight were in the private sector, and four in the charity or third sector. Fourteen of the private sector losses involved financial institutions. Of those reported by public sector bodies, almost a third happened in central government and associated agencies, and a fifth in the NHS. Thomas said: “It is particularly disappointing that the HMRC breaches have not prevented other unacceptable security breaches from occurring. The government, banks and other organizations need to regain the public’s trust by being far more careful with people’s personal information. Once again I urge business and public sector leaders to make data protection a priority in their organization.”

The lost items included unencrypted laptops, paper documents, computer discs and memory sticks. Some of the breaches were due to theft and others to items going missing in the post or with a courier service. Thomas said: “The level of understanding about data protection and the need to safeguard people’s personal information have no doubt increased and I am encouraged that more chief executives and permanent secretaries appear to be taking data protection more seriously. But the evidence shows that more must be done to eradicate inexcusable security breaches.” The commissioner is investigating the cases and in sixteen incidents has already required an organization to make changes to improve data security, such as encryption. The Revenue & Customs scandal involved staff losing two computer discs in their internal mail which held the personal details of all families in the United Kingdom claiming child benefit. Information included dates of birth, national insurance numbers and bank details. The shadow justice secretary, Nick Herbert, said: “How can we trust a government with ever more of our private information and a national ID card database when two thirds of data breaches involve government or public sector bodies? Perhaps this explains why the government has been so reluctant to accept our call for a new offense of reckless mishandling of data. It is time for ministers to get serious about protecting personal information.”

A Cabinet Office spokesman said: “We are already taking steps to improve information assurance across government and the cabinet secretary’s ongoing review of data-handling has resulted in immediate action to improve data security arrangements. The final report from the review will be published later this spring. In the interim, any security breaches that are reported are taken extremely seriously and will be thoroughly investigated.”