Watchdog: HMRC did breach data laws

The organisation responsible for administering the UK's data-protection legislation has said the government breached data laws when millions of records were stolen in the data debacle at HM Revenue & Customs.

Twenty-five million records of people claiming or receiving child benefits were lost in transit last month between HMRC and the National Audit Office.

The Information Commissioner's Office said on Tuesday that the government had failed to adequately safeguard the personal data. "It is clear that there was a breach of data-protection requirements," said Richard Thomas, the information commissioner.

After the disclosure of the breach, the government appointed PricewaterhouseCoopers chairman Kieran Poynter to report on the causes. Alistair Darling, the chancellor of the exchequer, presented Poynter's interim findings to Parliament on Monday.

Following Darling's speech, Thomas said: "We have received a copy of Kieran Poynter's initial report and discussed its contents with him. We will decide what further action to take [against HMRC] once the final PricewaterhouseCoopers report is available."

However, despite the concerns of the Information Commissioner's Office (ICO), the sanctions it can currently impose are weak. The current maximum penalty for breaking data laws is a £5,000 fine.

In the aftermath of the HMRC fiasco, the government promised the ICO greater powers of inspection. Darling said in his speech on Monday that data-protection legislation and penalties would be strengthened. "The prime minister has already announced the information commissioner will have the power to conduct spot checks on departments," said Darling. "There will now also be new sanctions under the Data Protection Act for the most serious breaches of its principles."

The ICO, which has been asking for greater powers since its inception in 2001, welcomed the government's proposals. "I welcome the government's commitment to strengthen the powers of my office, enabling us to carry out inspections of organisations which collect and use personal information and to put in place new sanctions for the most serious breaches of data-protection principles," said Thomas.

The information commissioner added that public confidence in new government data schemes, such as the National Identity Register, would be shaken unless the government tightened security and privacy.

"Privacy matters more than ever before, especially as so much of our personal information is now collected and shared," said Thomas. "Public trust and confidence must be earned through tighter security and other data-protection safeguards. Retaining trust and confidence also relies on organisations not collecting or sharing excessive information in the first place."