HMRC blunder prompts calls for stronger punishments

The Government’s loss of 25 million people’s bank and employment details in the post has led to calls for the Information Commission to receive stronger powers.

HM Revenue and Customs (HMRC) could fall foul of the Data Protection Act because it did not take the precaution of encrypting the data before sending it.

Simon Morrissey, technology head at Lewis Silkin, said: “The act requires persons using data to use appropriate technical measures to safeguard the security of personal data. In this case, the data included details of people’s bank accounts and it would be very difficult to argue that an appropriate level of protection did not include encryption.”

Richard Thomas, the information commissioner, does not have the power to punish the breach itself, but he has already called on government to allow him to carry out spot checks on public and private organizations to prevent similar blunders in the future.

Information law barrister Tim Pitt-Payne of 11 King’s Bench Walk said the Data Protection Act was the only real instrument for redress.

“As it stands the Information Commission does not have the power to punish,
so the Data Protection Act, if you can prove that you’ve suffered loss, can
be brought against HMRC.”

He added: “The problem here though is that there’s so much ID fraud that it could be difficult to prove it’s the result of this leak.”

The blunder has shaken the public’s faith in the government’s ability to handle sensitive information securely and will put pressure on the government to rethink its controversial ID cards project.

One lawyer commented: “The ID cards project can’t really be stopped now, but it will give ammunition to the anti-ID cards campaign.”

The government is in the process of selecting an outsourcing contractor to handle the project, instructing Field Fisher Waterhouse to advise on the negotiations.