In a speech to Parliament on Tuesday, the chancellor of the exchequer, Alistair Darling, told of the loss of two discs containing the details of everybody in the U.K. who claims and receives child benefits.
Details on the discs, which were only password-protected, included names, addresses, dates of birth, national insurance numbers, and bank and building society account details.
"This is the biggest privacy disaster by our government," said Jonathan Bamford, assistant information commissioner. "Clearly on the facts available there appears to be a major contravention of data-protection laws."
Speaking on Wednesday at "Fine Balance," a conference in Westminster on privacy-enhancing technologies, Bamford said that some of the eight principles of the Data Protection Act, including that personal information be kept secure, had "clearly been breached."
Bamford added that there should be tougher penalties for persistent or serious breaches of data laws. At present, the toughest legal penalty for the persistent or serious flouting of data laws in the U.K. is a 5,000-pound ($10,300) fine; criminal prosecution is possible only after the Information Commissioner's Office has served notice due to an information breach, and another breach occurs.
"This is an extremely serious matter," said Darling. "HMRC (Her Majesty's Revenue and Customs) failed to meet the high standards expected of it. I recognize that millions of people across the country will be concerned."
The discs were lost during a National Audit Office investigation in October. A junior official in HMRC sent the unencrypted discs to the NAO, but HMRC was not informed until November 8 that the discs had not arrived to be audited. Darling himself was informed of the loss on November 10--three weeks after the discs had failed to arrive at the NAO.
Edward Leigh, the chair of the Public Accounts Committee, later said that the information the NAO requested had specifically been national insurance numbers, and not other personal details.
HMRC had not followed procedures for data transit, said Darling. The agency had given the discs to courier TNT, but had failed to record or register the discs. When those discs did not arrive, two more discs with the same information were sent by registered post. Those discs did arrive.
"Again, they should never have let this happen," said Darling.
When Darling was informed on November 10, he ordered searches for the data. When nothing had been found by November 14, Darling asked the Metropolitan Police to become involved.
Darling said that there had, as yet, been no evidence of fraudulent activity.
"So far the data has not been found," said Darling. "The police told me there was no reason to believe the discs have fallen into the wrong hands, or been used for fraudulent purposes."
Last week Paul Gray, chairman of HMRC, offered to resign over the matter, and he did so formally on Tuesday.
This is the second major data-loss incident involving HMRC to emerge this month. On November 6, it was revealed that the pension details of 15,000 Standard Life customers were sent to the pension provider by HMRC via an unnamed third-party courier at the end of September. The disc went missing and was not encrypted.
Tom Espiner of ZDNet UK reported from London.