Darling: Greater accountability key to data security

Alistair Darling has admitted the government needs clearer lines of responsibility for data loss and 'simpler structures' after the HMRC data breach

The government needs to simplify organisational structures in some departments and review data-protection laws, chancellor of the exchequer Alistair Darling has admitted.

In the wake of the loss of 25 million personal records by HM Revenue & Customs at the end of November, and the presentation of an interim report into that data loss by PricewaterhouseCoopers chairman Kieran Poynter on Monday, Darling said that HMRC needs to have clearer lines of responsibility for data in order to "ensure security".

"The [interim Poynter review] shows the necessity of setting up a simpler organisational structure with clearer accountabilities," Darling told Parliament on Monday, adding that in future there would be "restrictions on the bulk transfer of data" between government departments.

Darling said that the Information Commissioner's Office, as well as being given powers to "spot check" public-sector organisations, would receive "new sanction under the Data Protection Act to take account of its principles, to ensure sensible data-protection practices and greater security".

Philip Hammond, shadow chief secretary to the Treasury, said the public felt "a sense of anger and betrayal over the loss of the data", which included the names, addresses, national insurance numbers and bank details of those claiming and receiving child benefits.

"The ability [for a member of staff] to be able to download the data signalled an absence of data-protection systems," said Hammond. "While we welcome the [proposed] ban on the transfer of bulk data, why on earth wasn't this simple procedure in place?"

Hammond said that there had been a systemic failure, and that the "responsibility for systemic failure lies at the top".

Vincent Cable, the Liberal Democrat Treasury spokesman, said he hoped the chancellor "appreciates the damage to public confidence" caused by the HMRC breach, and that it was "difficult to see how the government could proceed with the compulsory ID cards scheme" and other government database projects following the breach.

The interim Poynter review was set up to look at what led to the loss of the HMRC discs, and to make recommendations on how procedures should be changed to mitigate future data loss. In a letter to Darling, Poynter noted: "The longer-term solution will rely on a combination of factors which I will address as the review progresses. As envisaged in my terms of reference, these include the management accountability framework, tone from the top, culture and training, as well as technical measures."

Transport secretary Ruth Kelly then gave a statement to Parliament about the loss of over 7,600 motorists' personal details by the Driver and Vehicle Agency (DVA) of Northern Ireland earlier this month.

The DVA admitted losing data on a total of 7,685 vehicle owners and their vehicles. The missing information consisted of the owner's name and address, and details of the vehicle, including its make, model, colour, registration and chassis number.

The data, which was contained on two CDs, was being sent from the DVA in Coleraine to the DVLA (Driver and Vehicle Licensing Agency) in Swansea in response to vehicle manufacturers needing to contact owners about potential faults with vehicles. The CDs went missing in transit after being sent via a Parcelforce Worldwide tracked courier service.

Kelly said part of the problem lay in the fact that the DVA and DVLA have separate databases. She said that, to improve data transfer in future, the databases of the DVA and the DVLA in Swansea would be merged, procedures would be put in place for sending data via secure electronic transfer, and data transfer by tape between the two offices would cease.