By Ibrahim Hasan, IBA Solicitors, Dewsbury
Child benefit data debacle
The other week, my better half received a letter from the acting chairman of HM Revenue & Customs (HMRC), personally apologising for the loss of our family's child benefit data. In all, some 7.25 million such letters have been sent out. Little wonder that the post seems slower than usual.
This unprecedented apology comes as a result of recent events, which culminated in the resignation of the then chairman of HMRC, and an emergency statement to Parliament by Alistair Darling. The Chancellor was forced to admit that his department had managed to lose 25 million child benefit records. The lost (or stolen) information included the names, addresses, dates of birth, National Insurance numbers and, where relevant, bank details of claimants.
According to the BBC, two password-protected discs containing the data were sent by HMRC in Newcastle to the National Audit Office in October. The package was sent by courier and it appears that it did not arrive at its destination. A further package was sent by recorded post which did arrive. The police have been called in but, at the time of writing, nothing has been found.
The government does not seem to be having much luck complying with its data protection obligations at the moment. On 13 November, the Information Commissioner's Office (ICO) announced that the commissioner had found the Foreign and Commonwealth Office in breach of the Data Protection Act 1998 (DPA) following an investigation into a security breach at the online application facility for UK visas. The breach meant that the personal data of people applying for visas to enter the UK was visible to others visiting the website.
The ICO has now obtained a formal undertaking from the Foreign Office, agreeing to comply with the principles of the DPA. Failure to do so will result in further enforcement action. More DPA failures were alleged in the papers recently. Apparently, an ex-contractor at the Department for Work and Pensions (DWP) had two discs with thousands of benefit claimants' details for more than a year. This individual told a Sunday newspaper that she forgot to return them after she stopped working for the DWP a year ago. The unencrypted discs revealed the type of benefits paid, but a DWP spokesman said they did not contain bank details.
A lack of understanding of the DPA, and a failure to implement it, is at the heart of all these failings. The Act is designed to protect the privacy of individuals by regulating the processing of their personal data. At its heart are the eight data protection principles, which govern everything from collection through to archiving and destruction of personal data. Breach of one of the principles is not in itself a criminal offence, but it can lead to an investigation and enforcement action by the commissioner.
Principle 7 states: 'Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.'
Note the use of the words 'technical' and 'organisational'. The child benefit fiasco suggests that HMRC needs to have a root-and-branch review of security policies and procedures. Searching questions need to be asked. For example, why was such sensitive data not encrypted but merely password protected? I once read somewhere that the most common password in this country is 'password'.
The Chancellor blamed mistakes by 'junior officials' at HMRC, who he said had ignored security procedures. One wonders why a junior member of staff was able to access such sensitive data, and why he was able to save such a large amount of data on a CD. Principle 7 also places an obligation on the data controller to take reasonable steps to ensure the reliability of any employees who have access to personal data. This is widely interpreted to mean that employees should be made aware of the sensitivity of the data they handle, that access to it should be on a strict need-to-know basis, and that they should be made aware of their own, as well as the organisation's, legal responsibilities.
There is certainly a lot of blame being laid at the door of HMRC at the moment. But is there a claim? Can 7.5 million people sue HMRC, or even the government? Section 13 of the Act states that an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of the Act is entitled to compensation for that damage. However, the difficulty for any litigant will lie in proving causation. Many experts have predicted that fraudsters who may have possession of the data will sit on it for months, if not years, before making use of it. Unfortunately, the Act does not allow a claim for distress alone.
The fallout from all the recent data loss stories has finally meant that a government which seemed to be treating the DPA (and sometimes the Information Commissioner) as a barrier to its own policy agenda (see ID cards, e-government and more multi-agency information sharing) has been forced to give both the respect they deserve. During the first Prime Minister's questions after the child benefit story broke, Gordon Brown said the ICO is to be given the power to make 'spot checks' on organisations holding personal data.
The Act does not require a data controller to notify either the ICO or the data subjects that their data has been lost or stolen. Pressure is now mounting on the government to introduce such a law. In September, a House of Lords committee repeated calls for a data-breach notification law following a report that detailed the findings of an inquiry into internet security.
Criminal charges for data security breaches could be brought against both organisations and individuals if the Information Commissioner gets his way. He has repeated his calls for people who are grossly negligent with individuals' personal data to face such action.
With spot checks on the horizon, now is a good time for organisations holding personal data, including solicitors, to revisit their data protection and data security policies. Thought must also be given to raising awareness among staff and service providers and reviewing contractual provisions.
Having advised on major public sector projects, I know from first-hand experience that the data protection provisions are often the last and least-discussed clauses in the contract. From now on, I suspect that they will receive the attention that they rightly deserve. Data protection will never be cool or sexy but recent events have shown that a disregard for it can have serious consequences for both the organisations and individuals involved.
Ibrahim Hasan is also a director of Act Now Training