Information commissioner to act against HMRC, MoD

The privacy watchdog will serve enforcement notices against two government departments over 'deplorable failures' to safeguard data
Written by Tom Espiner, Contributor

The information commissioner is to take action against two government organisations over data-loss incidents.

In an announcement on Wednesday, Richard Thomas said he will take action against HM Revenue & Customs (HMRC) for the loss of 25 million child-benefit claimant details, and against the Ministry of Defence (MoD) for the loss of laptops containing sensitive military data.

Enforcement notices are to be served following publication of a review by the Independent Police Complaints Commission that blames "systemic failure" for the HMRC loss, and a review, due to be published today by Sir Edmund Burton, of the MoD data loss.

"I will be taking formal enforcement action against HMRC and MoD, following the serious data breaches that have occurred," said Thomas. "The reports... show deplorable failures at both HMRC and MoD."

Thomas added that, while these breaches have been highly publicised, they are not isolated cases, and that even more sensitive data has been lost that has not been made public knowledge.

"It is deeply worrying that many other incidents have been reported, some involving even more sensitive data," said Thomas. "It is of fundamental importance that lessons are learned from these breaches. Information security and other aspects of data protection must be taken a great deal more seriously by those in charge of organisations."

Thomas said that it is "beyond doubt that both departments have breached data-protection requirements" and that the Information Commissioner's Office (ICO) intends to serve formal enforcement notices on them.

To comply with the terms of the enforcement notices, HMRC and the MoD will have to implement all the recommendations outlined in the reports. The information commissioner will require progress reports to be published after 12, 24 and 36 months, documenting in detail how the recommendations have been implemented to improve data-protection compliance. Failure to comply with an enforcement notice is a criminal offence.
