By Andy McCue, 23 November 2007 16:29
NEWS
The UK's data protection laws have been branded 'unfit for purpose' in the wake of the loss of CDs containing 25 million records by HM Revenue & Customs (HMRC).
In what is now emerging as the UK's biggest ever data security breach HMRC admitted this week that two CDs containing names, dates of birth, addresses, National Insurance numbers and bank account details of 25 million child benefit recipients have been lost in the post.
Two-thirds of silicon.com's 12-strong CIO Jury IT user panel said the breach shows UK data protection laws are currently not strong enough and not fit for purpose.
Nicholas Evans, European IT director for Key Equipment Finance, backed silicon.com's Full Disclosure campaign, which calls for a law forcing public and private sector organisations to inform regulators and customers if personal data has been compromised.
He said: "The Information Commissioner should be given more powers to carry out security audits where they have reason to believe that standards are not being met and there should be the ability to fine organisations to the level that the Financial Services Authority took with some banks recently. It quite simply beggars belief that any system with such sensitive data could have allowed this quantity of data to be extracted, and that any organisation should have sent the data unencrypted on CDs to save money."
Full Disclosure campaign
silicon.com is aiming to make businesses and government take data security more seriously. Read more here.
Current data protection laws are too focused on closing the stable door after the horse has bolted, according to David Supple, head of IT, marketing and creative services for Ecotec.
He said: "This is about achieving strong governance in organisations that have such critical data and about limiting the scope for abuse in the first place."
Mark Beattie, IT director for waste management company LondonWaste, said: "The laws should be targeted at companies with access to substantial amounts of personal data."
The whole HMRC fiasco was simply labelled a "shambles" by Jacques Rene, CTO for Ascend Aerospace.
The breach also highlights the need for the use of better security and encryption technology. Mike Roberts, IT director for independent Harley Street hospital the London Clinic, said: "The use of encryption for the transmission and transportation of information should be tightened up."
Myron Hrycyk, CIO for NYK Logistics UK, added: "People do not understand or appreciate the strength of security required around personal data and the potential dangers of losing this information. Both these factors give rise to the relaxed way data is handled, referring to recent events. This loss of data, if not found, will be with us for years."
Data access and security is an issue for everyone, according to Nicholas Bellenberg, IT director for publisher Hachette Filipacchi UK. He said: "Every organisation has the same concern over access to data - how little security is necessary to enable people to do their jobs? Which must then be weighed up against the potential for breaches in security such as we have seen this week."
A third of the CIO Jury said the problem is not with the laws themselves but the enforcement.
Mark Foulsham, head of IT for eSure, said: "Given that the breach was a failure to adhere to policy and process, the issue is one of policing and enforcement rather than more regulations."
But Ted Woodhouse, consultant and former director of IT strategy for Leeds Teaching Hospitals NHS Trust, said: "The data protection laws are fine - it's HMRC that's not 'fit for purpose'."
Today's CIO Jury was
Bill Ashworth, IT director for Countrywide Surveyors
Mark Beattie, IT director , LondonWaste
Alastair Behenna, CIO, Harvey Nash
Nicholas Bellenberg, IT director, Hachette Filipacchi UK
Nicholas Evans, European IT director, Key Equipment Finance
Mark Foulsham, head of IT, eSure
Myron Hrycyk, CIO, NYK Logistics UK
Jane Kimberlin, IT director, Domino's Pizza Group
Jacques Rene, CTO, Ascend
Mike Roberts, IT director, The London Clinic
David Supple, head of IT, marketing and creative services, Ecotec
Ted Woodhouse, consultant and ex-director of IT strategy, Leeds Teaching Hospitals NHS Trust
Want to be part of silicon.com's CIO Jury and have your say on the hot issues for IT departments? If you are a CIO, CTO, IT director or equivalent at a large or small company in the private or public sector and you want to be part of silicon.com's CIO Jury pool, or you know an IT chief who should be, then drop us a line at editorial@silicon.com
Comments
There are 3 comments. Join the discussion
1. Karen Challinor
the position of information commissioner was not created to monitor government activity it was created to monitor you and me
the ICO has no teeth with government departments, and until the laws hit the books cannot audit one unannounced, despite Mr Browns announcement I'm not holding my breath for that to happen any time soon
you and I can get a knock on the door and a demand to drop everything and prove our compliance with the data protection act at any time on pain of fines and incarceration
you would almost think this bias were deliberate
2. anonymous
Even if the physical disks are eventually found, shall we ever be sure that they haven't been copied during their month-long sojourn who-knows-where?
3. Roger Huffadine
The UK data protection Act really doesn't have any teeth. It fails to cover many areas where mis-use of data is harmful to individuals. Most of the Act relies on the opinion of the Information Commissioner and there is scant 'case Law' to back it up.
Utilities and Corporates hide behind their interpretation of the act - to avoid talking to customers about screw ups.
I have frequently challenged companies to cite the clause in the Act which prevents them from discussing issues with me over the telephone only to ultimately agree that they should have said that it is 'company policy' to not discuss a particular matter with me.
Like many Laws it was poorly drafted by individuals of limited imagination.