Parliamentary committee calls for increased powers for Information
Commissioner
7 January 2008
The House of Commons Justice Committee in a review of data protection
issues has called for increased powers for the Information Commissioner.
The Committee has published its findings in a report, The
Protection of Private Data (1), which covers the issues of
protection of personal data held by Government and other agencies.
The review followed the loss by HM Revenue and Customs (HMRC) last
year of two CDs containing personal and banking information of all child
benefit claimants in the UK. The Committee says this loss was compounded
by "the fact that HMRC sent out 7.25 million personalised letters of
apology for the CD data loss which contained the relevant child benefit
claimant’s name, address, national insurance and child benefit numbers".
In a rather weak set of conclusions, the Committee also comes up with
some blindingly obvious observations:
- "there is evidence of a widespread problem within Government
relating to establishing systems for data protection and operating
them adequately; and
- there is a difficult balance to be struck between the undoubted
advantages of wider exchange of information between government
departments and the protection of personal data. The very real risks
associated with greater sharing of personal data between government
departments must be acknowledged in order for adequate safeguards to
be put in place."
The review 'acknowledges' the need for measures that the Information
Commissioner and others have been calling for for some time, including:
- strengthening the Information Commissioner's powers;
- obligation to notify those affected by security breaches;
- significant security breaches to become a criminal offence; and
- providing the Information Commissioner's Office with enough
funds to carry out its legislated tasks.
The Prime Minister announced on 21 November his intention to give the
Information Commissioner the power to spot-check government departments,
ie without having to get their consent first, as is the case now. On
this, the Committee says, "we hope that this change of heart will lead
to powers quickly being provided through legislation".
The loss of data by HMRC has highlighted for the general public the data
security issues that have been swept under the carpet by Government
departments for years. The report says that currently there are several
ongoing reviews:
- Richard Thomas, Information Commissioner, and Dr Mark Walport,
Director of the Wellcome Trust, are undertaking a review of the
framework for the use of information in both the private and public
sector (requested by the government before the HMRC data loss);
- the Cabinet Secretary, Sir Gus O'Donnell, has been asked to
carry out a review of Government departments;
- Robert Hannigan, Head of intelligence, security and resilience
in the Cabinet Office, is carrying out a review of data protection
practices across Government;
- Kieran Poynter, Chair of PricewaterhouseCoopers, is carrying out
a study of the HMRC data loss.
There have been numerous reports and meetings on data security in the
public sector, yet little effective action has been taken to address the
causes of the data security breaches. As one example, last year the Government was
warned about problems with the junior doctors' online job application
system long before it went live, yet totally ignored this advice. There
are still problems with this service.
Security experts say that the most serious data security problems are
not the likes of the HMRC loss of disks with millions of records, but
the numerous small breaches that are not recorded by any person or
system, and where the data is more easily usable.
IT services in the public sector are notoriously understaffed and
under-funded and IT is often among the first services to be scaled back
when budgets are tight. In the NHS, even with the National Programme for
IT in England, in-house staff in NHS trusts are often overworked and
under-resourced. With public sector budgets being cut across the
country, how are organisations such as healthcare and social services
going to ensure that personal and sensitive data is not copied in an
unencrypted manner onto devices with low or no security?
Reference
1. House of Commons Justice Committee. Protection of Private Data.
First Report of Session 2007–08. January, 2008. London: The Stationery
Office Limited.
www.publications.parliament.uk/pa/cm/cmjust.htm (accessed 7 Jan
2008).