CIOs: UK data laws unfit for purpose

The UK's data-protection laws have been branded "unfit for purpose" in the wake of the loss of CDs containing 25 million records by HM Revenue & Customs.

In what is now emerging as the UK's biggest-ever data-security breach, HMRC admitted last week that two CDs containing names, dates of birth, addresses, national insurance numbers and bank account details of 25 million child-benefit recipients have been lost in the post.

Two-thirds of a 12-strong CIO Jury IT user panel, brought together by ZDNet.co.uk's sister site silicon.com, said the breach shows UK data-protection laws are currently not strong enough and not fit for purpose.

Nicholas Evans, European IT director for Key Equipment Finance, said: "The information commissioner should be given more powers to carry out security audits where they have reason to believe that standards are not being met, and there should be the ability to fine organisations to the level that the Financial Services Authority took with some banks recently. It quite simply beggars belief that any system with such sensitive data could have allowed this quantity of data to be extracted, and that any organisation should have sent the data unencrypted on CDs to save money."

Current data-protection laws are too focused on closing the stable door after the horse has bolted, according to David Supple, head of IT, marketing and creative services for Ecotec.

Supple said: "This is about achieving strong governance in organisations that have such critical data and about limiting the scope for abuse in the first place."

Mark Beattie, IT director for waste-management company LondonWaste, said: "The laws should be targeted at companies with access to substantial amounts of personal data."

The whole HMRC fiasco was simply labelled a "shambles" by Jacques Rene, chief technology officer for Ascend Aerospace.

The breach also highlights the need for the use of better security and encryption technology. Mike Roberts, IT director for independent Harley Street hospital the London Clinic, said: "The use of encryption for the transmission and transportation of information should be tightened up."

Myron Hrycyk, chief information officer for NYK Logistics UK, added: "People do not understand or appreciate the strength of security required around personal data and the potential dangers of losing this information. Both these factors give rise to the relaxed way data is handled, referring to recent events. This loss of data, if [it is] not found, will be with us for years."

Data access and security is an issue for everyone, according to Nicholas Bellenberg, IT director for publisher Hachette Filipacchi UK. He said: "Every organisation has the same concern over access to data — how little security is necessary to enable people to do their jobs? [That] must then be weighed up against the potential for breaches in security, such as we have seen this week."

A third of the jury said the problem is not with the laws themselves but the enforcement.

Mark Foulsham, head of IT for esure, said: "Given that the breach was a failure to adhere to policy and process, the issue is one of policing and enforcement rather than more regulations."

Ted Woodhouse, consultant and former director of IT strategy for Leeds Teaching Hospitals NHS Trust, said: "The data-protection laws are fine — it's HMRC that's not 'fit for purpose'."