Discgate


UK Government 'loses' records for 25 million individuals and 7.25 million families. The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25 million people.


A junior official put all the data on a CD and posted it. At the time, a senior civil servant was made aware of this. The data was not encrypted. Banks were not informed of the loss for six days. Our privacy is important and organisations which process our personal data have to show them respect.


What was lost

BBC reports

  • 7.25 million claimants
  • 15.5 million children, including some who no longer qualify but whose family is claiming for a younger child
  • 2.25 million 'alternative payees' such as partners or carers
  • 3,000 'appointees' who claim the benefit under court instructions
  • 12,500 agents who claim the benefit on behalf of a third party

Time Line

  • 02 October 2007: The National Audit Office [NAO] formally asks HM Revenue and Customs [HMRC] for files on child benefit claimants.
  • 18 October 2007: HMRC sends the CDs by TNT Post (the unregistered bulk mail arm of the secure courier TNT) to the National Audit Office in London.
  • 24 October 2007: HMRC is informed by the NAO that the package had not arrived. The junior HMRC official simply made another copy of the data and sent it again through the post, this time registered, to the NAO.
  • 25 October 2007: The NAO confirms receipt of the second set of discs. Its staff point out that the first set has still not arrived.
  • 05 November 2007: HMRC confirms that the first set of CDs is still missing.
  • 08 November 2007: Three weeks after they were lost, HMRC's senior management is informed of the fact that the CDs had gone missing. The NAO begins a search for the missing CDs and the loss of the data is raised formally as a security incident. (BBC claims they were told on the 3rd of November.)
  • 10 November 2007: Alistair Darling was then informed in the morning and the Prime Minister shortly after. HMRC with the cooperation of the NAO begins a search for the CDs at the offices of the audit office at Victoria. The NAO has no record of having received the first set of CDs.
  • 14 November 2007: Alistair Darling instructs Paul Gray the HMRC chairman to call in the Metropolitan Police to conduct a full investigation. Darling said the delay in notifying the public about the security breach was on the advice of privacy watchdog the Information Commissioner, the Financial Services Authority and the Serious Organised Crime Agency, in order for HMRC and the banks to take remedial action before a public statement was made. (The banks dispute that they asked for the delay.)

  • 15 November 2007: Richard Thomas, Information Commissioner, says remedial action must be taken before the public is informed.

  • 20 November 2007: Alistair Darling makes a statement to the House of Commons on the missing discs and Paul Gray, the chairman of HMRC resigns.
  • 21 November 2007: HMRC issues an apology (apology itself contains sensitive data causing yet more problems)

Correspondence relating to the lost data

scans of correspondence relating to the lost data

Not the First Time

Copies of the database were sent, again by CD, to the accounting firm KPMG, although those discs arrived safely and were later returned. No one reported this at the time.

And Not the Last Time

Sensitive data continues to be lost - HMRC are not alone in failing to properly secure other people's personal details - see UK Privacy Debacles.

MoD recruitment laptop computer scandal

House of Commons debate MOD (Data Loss) 21 January 2008

  • 153,000 people who submitted detailed application forms
  • 5,700 bank account details
  • Initial belief that the data was encrypted
  • Admissions that the data was not encrypted at all
  • 2 previous stolen recruitment data laptops
  • Cabinet Office review of data handling
  • Yet Another Review - Sir Edmund Burton
  • No resignations by Ministers or senior MoD staff

See Spy Blog for more details: Des Browne now admits to 3 stolen, unencrypted Ministry of Defence recruitment laptop computers

Fallout

Poynter Review

Terms of reference

The Treasury has published terms of reference for the Poynter Review, which will investigate security processes and procedures for data handling in Her Majesty’s Revenue & Customs.

To establish the circumstances that led to the significant loss of confidential personal data on Child Benefit recipients and other recent losses of confidential data and the lessons to be learnt, and in the light of those circumstances to examine:

  • HMRC practices and procedures in the handling and transfer of confidential data on taxpayers and benefit/credit recipients;
  • the processes for ensuring that these procedures are communicated to staff and the safeguards in place to ensure they are adhered to;
  • the reasons why these failed to prevent the loss of confidential data;
  • whether these procedures and processes are sufficient to ensure the confidentiality of personal data.

The review will report initially by 14 December on the exact circumstances and events that led to the loss of the Child Benefit data, taking account of the ongoing investigation by the Metropolitan Police. It will make interim recommendations on any further, urgent measures that HMRC should put in place to guarantee the confidentiality of personal data.

The review will also consider wider implications, reporting in the Spring and, in consultation with the Independent Police Complaints Commission (IPCC) and Information Commissioner, make recommendations on:

  • how internal processes and culture can be strengthened to achieve appropriate data security in the future;
  • whether HMRC’s wider procedures for the handling of confidential data and liaison with other organisations should be changed to reduce the risks and how this might be done.

Notes to editors

1. The Chancellor of the Exchequer, the Rt Hon Alistair Darling MP, announced the review in a statement to the House of Commons on 20 November.

2. Kieran Poynter is Chairman and Senior Partner of PricewaterhouseCoopers and will report to the Chancellor of the Exchequer. The review is being carried out with the knowledge and cooperation of the Independent Police Complaints Commission (IPCC) and the Information Commissioner.

Review of Data Handling procedures in Government

Terms of reference for the Review of Data Handling procedures in Government 23 November 2007

The Prime Minister has asked the Cabinet Secretary to establish a review into data handling procedures in Government.

The Review will be led by Robert Hannigan, Head of Intelligence, Security and Resilience in the Cabinet Office, working closely with heads of departments.

The Cabinet Secretary wrote to all Heads of Departments on Thursday 22 November setting out the terms of the Review.

The terms of Reference of the Review will be:

To Examine:

  • the procedures in Departments and agencies for the protection of data;
  • their consistency with current Government wide policies and standards;
  • the arrangements for ensuring that procedures are being fully and properly implemented;

and to make recommendations on improvements that should be made.

The process will be carried out in two stages:

  • first, to ask urgently for an analysis of Departmental and agency systems and procedures to identify compliance with policies and standards, and recommendations for practical improvements and better management of risk that can be identified. Each Department is asked to complete this, covering their agencies as well, by 10 December so that the Prime Minister can be advised by the end of the year.
  • Second, to then look collectively at improved standards and procedures, including the role of the centre and governance mechanisms as well as the introduction of better compliance and audit arrangements. A plan to deliver any changes will also be produced. The aim is to complete this early in the New Year.

This Review will also take into account the work being done by Kieran Poynter of PricewaterhouseCoopers into HM Revenue and Customs data handling procedures and the work being done by the Information Commissioner and Mark Walport of the Wellcome Trust on the security of personal data across society as a whole.

Quotes

House of Commons debate George Osborne 20 November 2007

"Let us be clear about the scale of this catastrophic mistake: the names, the addresses and the dates of birth of every child in the country are sitting on two computer discs that are apparently lost in the post; and the bank account details and national insurance numbers of 10 million parents, guardians and carers have gone missing."

Information Commissioner Richard Thomas, 22 November 2007

"Individuals value their privacy - institutions do not."

Microsoft ID chief Kim Cameron 22 November 2007

Meanwhile, in parliament, Prime Minister Gordon Brown explained that security measures had been breached when the information was downloaded and sent by courier to the National Audit Office, although there had been no “systemic failure”.
This is really the crux of the matter. Because, from a technology point of view, the failure was systemic.
...Isn’t it incredible that “a junior official” could simply “download” detailed personal and financial information on 25 million people? Why would a system be designed this way?
To me this is the equivalent of assembling a vast pile of dynamite in the middle of a city on the assumption that excellent procedures would therefore be put in place, so no one would ever set it off.

Ovum principal analyst Graham Titterington

"This announcement is breathtaking because of the scale of the loss but not because it is a unique event. Indeed, it is the third major data leakage from Her Majesty's Revenue & Customs in just three months."

FBI fraud expert and world renowned ex-con artist Frank Abagnale. Author of Catch me if you can

"It was not just a mistake. I truly believe that someone paid for information to be stolen. It's what happens all the time, that someone acted in collusion with somebody else to steal this data,"
"The government would not ship gold bullion via an unsecured courier or method and in today's environment, one needs to understand that sensitive personal data is worth just as much as gold bullion."

Jenny McCartney 25 November 2007

"For the Government to blame a low-level employee for this fiasco is a bit like allowing a teenage work experience girl access to the nuclear button, and then bleating that she had 'clearly not followed strict rules' when she reached for her skinny latte and accidentally wiped out Tajikistan."

Lords’ Merits of Statutory Instruments Committee following scrutiny of the regulations to bring Contactpoint into being 10 July 2007

However, the Government have not in our view conclusively demonstrated that a universal database is a proportionate response to the problem being addressed. While the Government have taken the need for security seriously, the scale and importance of the scheme increase the risk that any accidental or inadvertent breach of security, or any deliberate misuse of the data, would be likely to bring the whole scheme into disrepute.

Justice Select Committee - Protection of Private Data

"There is evidence of a widespread problem within Government relating to establishing systems for data protection and operating them adequately,"
"It is widely accepted that it is necessary to have a substantial increase in the powers given to the Information Commissioner to enable him to review systems for data protection and their application - recent events have underlined the urgency of this."

News

October

2008-10-14 - Computing - MPs slam MoD loss of 1.7 million records
Summary: MPs have criticised continuing government incompetence over government data handling practices after it was revealed a missing Ministry of Defence (MoD) hard drive could contain information on as many as 1.7 million individuals. Armed Forces minister Bob Ainsworth made the admission in a written statement to the Commons, adding that the disk was unlikely to have been encrypted. His estimate is far higher than those originally given for the loss. Officials had placed the potential tally at a modest 100,000 records.

September

2008-09-27 - BBC - Personnel records stolen from MoD
Summary: The Ministry of Defence (MoD) is investigating the theft of computer files with the records of thousands of serving and former RAF staff on. The information was stored on computer hard drives at the Service Personnel and Veterans Agency at the RAF Innsworth site near Gloucester. The theft of the files took place on 17 September, within a high-security area on the base. It said it was treating the breach "extremely seriously". 900,000 personnel. A spokesman for the MoD police said: "We can confirm that an investigation is being conducted by MoD police, with the support of Gloucestershire Police into the apparent theft of three USB portable hard disk drives.
2008-09-27 - The Guardian - RAF personnel records stolen on hard drives
Author: Mark Rice-Oxley
Summary: The government was facing a fresh data loss embarrassment last night after thieves stole files containing the records of thousands of RAF personnel.
2008-09-27 - The Telegraph - Thousands of personal files stolen from RAF base
Author: Jessica Salter
Summary: The details of up to 50,000 serving and ex-service personnel are at risk after three USB portable hard disc drives were stolen from an RAF station, the Ministry of Defence has admitted.
2008-09-17 - BBC - Data on bankrupt directors stolen
Summary: A laptop computer containing personal details of about 122 company directors of bankrupt companies has been stolen from the Insolvency Service.
2008-09-15 - The Telegraph - Personal details of 18,000 staff 'lost in the post'
Author: Aislinn Simpson
Summary: Four computer discs containing the details of 17,990 current and former staff were lost in July 2008 when they were sent between Whittington Hospital NHS Trust in north London and McKesson, a firm providing IT payroll services. They contained the names, dates of birth, national insurance numbers, start dates and pay details of all staff of Whittington Hospital NHS Trust, Islington Primary Care Trust, Camden Primary Care Trust and Camden and Islington NHS Foundation Trust. They also contained the addresses of some staff.
2008-09-11 - Computerworld - Unencrypted data of 15,000 patients stolen from Winchester GP surgery
Author: Leo King
Summary: The data of 15,000 patients was lost after a thief stole unencrypted backup computer tapes from St Paul’s surgery in Winchester. The tapes were not encrypted but instead had password protection.
2008-09-10 - Computing - Troop movements found on USB stick
Author: Tom Young
Summary: A USB stick containing details about troop movements has been discovered on the floor of a Cornish nightclub. The storage device contained times, locations and travel and accommodation details on 70 soldiers from the 3rd Battalion, Yorkshire Regiment. The stick was found by a clubber and sent to The Mirror. MoD tally of lost USB sticks or PDAs this year reaches 58
2008-09-10 - The Register - Home Office screws prison data bunglers
Author: Chris Williams
Summary: The Home Office has today terminated a £1.5m contract with PA Consulting after it lost the personal details of the entire UK prison population. In August the firm admitted to officials that it had downloaded the prisons database to an unencrypted memory stick, against the security terms of its contract to manage the JTrack prolific offender tracking system. The data included names, addresses and dates of birth, and was broken down by how frequently individuals had offended.
2008-09-08 - The Telegraph - Lost prison data disc has not fallen into wrong hands, claims Government
Author: Andrew Porter
Summary: Prison officers believe that their security may have been threatened by the loss of such sensitive information. Unions warned that staff may have to be relocated, at a potential cost of millions to the taxpayer, in order to ensure their safety. Jack Straw, the Justice Secretary, has ordered an inquiry into the lost information. But Michael Wills, the data protection minister, said: "We believe the data is not in the public domain and therefore there are not significant risks to security. ... It is the latest in an embarrassing series of data losses by major Government departments. Last year two discs went missing from a child benefit office in the North East containing the details of 25 million claimants.
2008-09-08 - Computing - 5,000 prison worker records lost
Author: Tom Young
Summary: Justice minister Jack Straw has ordered an inquiry into the loss of a portable hard drive containing the details of 5,000 prison staff. The disc was lost by IT supplier EDS, which has successfully bid to be part of the National Identity Card Programme. "I am extremely concerned about this missing data," said Straw. "I was informed of its loss by the News of the World and have ordered an urgent inquiry into the circumstances and the implications of the data loss and the level of risk involved." "I have also asked for a report as to why I was not informed as soon as my department became aware of this issue."
2008-09-08 - The Times - Hunt begins for missing data on prison officers
Author: Dominic Kennedy
Summary: A computer company delivering the national identity card scheme was frantically hunting yesterday for a lost computer drive containing 5,000 personnel files, including the private details of prison officers. The data storage device, little bigger than a paperback book, was last seen more than a year ago in a storeroom of EDS, one of the world’s biggest new-technology consultancies.
2008-09-07 - Liberal Democrat's Press Release - Government cannot handle large amounts of data
Author: David Howarth MP
Summary: Responding to the news that a computer hard drive containing the personal details of up to 5,000 prison staff has been lost, Liberal Democrat Justice Spokesperson David Howarth said: "The Government has shown once again that it cannot handle large amounts of data. Why it is persisting with the ID card scheme is beyond comprehension and it should be dropped immediately." "All departments were asked to trawl their systems and reveal all data losses last year, so this smacks of a disturbing culture of secrecy and cover up."

July

2008-07-18 - Computing - HMRC missing disc investigation cost nearly £500,000
Summary: The investigation into the loss of the missing HM Revenue and Customs child benefit records cost nearly half a million pounds. Treasury minister Jane Kennedy revealed the £473,544 price tag in the commons in reply to a question from Independent MP Dai Davies.

June

2008-06-30 - Computing - Unencrypted NHS laptop lost
Author: Tom Espiner
Summary: An unencrypted laptop containing medical details of several thousand patients has been stolen from the car of a senior Colchester University Hospital manager. The details included names, dates of birth, postcodes and treatment plans.
2008-06-25 - BBC - HMRC culture 'caused discs loss'
Summary: Mistakes that led to the loss of 25 million child benefit records can not be blamed on a single government official, a report is expected to say. The Poynter report could cast doubt on government claims one junior member of staff was responsible for the breach. It will highlight "cultural failures" at HM Revenue and Customs (HMRC) and say practices were "far from what they should have been," sources say.
2008-06-24 - ZDNet - Scottish Ambulance Service loses encrypted 999 disc
Author: Tom Espiner
Summary: The Scottish Ambulance Service has lost a disc containing the encrypted 999 call details of almost one million people. The disc was reported lost last week by courier TNT ... the disc had been encrypted ... included a copy of the record of 894,629 calls made to the ambulance service.
2008-06-24 - ZDNet - Whitehall reports 30 data losses since November
Author: Tom Espiner
Summary: Since HM Revenue & Customs reported in November that it had lost the details of 25 million child-benefits claimants, Whitehall has suffered a further 30 security breaches, the Information Commissioner's Office revealed on Monday. The breaches came to light in a written answer from justice minister Michael Wills to a question from shadow cabinet minister Francis Maude. Wills said Whitehall had reported 30 data breaches to the ICO since November, while local government had reported 17, other public-sector organisations had reported 50, and the private sector had reported 41.
2008-06-20 - The Register - Virgin Media collects customer banking details on CD, then loses it
Author: Chris Williams
Summary: Virgin Media is conducting an internal inquiry into why 3,000 customers' bank details were burned to a CD which was then lost, it emerged today. ... While the financial cost to customers will be zero, and negligible for Virgin Media, the embarrassment should be massive. Public awareness of the dangers of data loss remains high in the wake of last year's HMRC debacle and its many sequels, and if we can't trust a network operator to shift information securely then who can we?
2008-06-08 - BBC - ID cards 'could threaten privacy'
Summary: The government should limit the data it collects on citizens for its ID card scheme to avoid creating a surveillance society, a group of MPs has warned. The home affairs select committee called for proper safeguards on the plans for compulsory ID cards to stop "function creep" threatening privacy. It wants a guarantee the scheme will not be expanded without MPs' approval. The Ministry of Justice said it had to balance protecting the public with protecting a right to privacy. ... The report referred to the loss of two discs containing the personal details of 25m people last year. "The minister's assurances that the government has learned lessons, though welcome, are not sufficient to reassure us or, we suspect, the public," it said.
2008-06-08 - The Register - UK is not a surveillance society, MPs claim
Author: John Oates
Summary: The Home Affairs Committee has called on the government to follow a "minimum data, held for the minimum time" approach to British citizens' personal information in its long-awaited report into surveillance. ... On Home Office use of databases and sharing data the committee said there were three questions to be answered: "Where should the balance between protecting the public and preserving individual freedom lie? How should this balance shift according to the seriousness of the crime? What impact will this have on the individual and on our society as a whole?"
2008-06-08 - Kable - Committee calls for database prudence
Summary: The government should vow to collect only essential data on people and hold it only for as long as is necessary, the Home Affairs Select Committee has recommended. The committee says that decisions to create new databases, to start sharing data or to increase surveillance of people should only take place when there is a proven need, in a report issued on 8 June 2008. "In general the government should move to curb the drive to collect more personal information and establish larger databases," the report says. It adds that, as a preliminary risk assessment, privacy impact assessments should be undertaken before the design of a project begins and should then be independently audited.

May

2008-05-28 - Computing - Ministers back web security position
Author: Tom Young
Summary: Baroness Vadera, parliamentary under-secretary of state for the Department for Business, Enterprise and Regulatory Reform (BERR) supported the government's rejection of calls for a data breach notification law. ... the government specifically rejected calls by the Lords to give the ICO powers to spot-check government departments' data protection policies, saying "the government believes that the current enforcement regime for data protection is fit for purpose". Less than a month later HM Revenue and Customs lost the personal details of 25 million families. The data included names, addresses and bank details.
2008-05-21 - BBC - ICO investigates Tories for emailing voting intentions of 8,000
Summary: The Information Commissioner is launching an investigation after the Conservatives accidentally sent details of 8,000 people to a radio station. The e-mail sent contained the names, addresses, telephone numbers and intentions of voters in the Crewe and Nantwich by-election.
2008-05-21 - BBC - CPS criticised over DNA data disc
Summary: An inquiry has found "significant shortcomings" in the Crown Prosecution Service's handling of DNA data linked to serious crimes abroad. ... The inquiry found no evidence that the disc had been copied or ever left the building. Instead, it blamed individual failings and said they were now the subject of disciplinary action.
2008-05-16 - BBC - Review ordered after disc is lost
Summary: A disc containing personal and protectively marked material relating to the Rosemary Nelson Inquiry has been lost. The inquiry said it deeply regretted "this serious breach of secure data handling protocols". The compact disc went missing on 6 May.
2008-05-11 - politics.co.uk - Government slammed over data breach
Summary: The government has been sending out highly sensitive data in packages with the passwords necessary to access it, it has been revealed today. The admission comes from an internal email at the Department for Work and Pensions (DWP) by one of the department's security advisers which was leaked to internet blog Dizzy Thinks. The email reads: "I have been advised of instances where password protected data has been sent out with the password being sent separately as detailed in Security Notice 02/07. "However, once the data and the separate password are received, staff are then forwarding the data and password on together. This defeats the purpose of the security measure entirely."

April

2008-04-30 - ZDNet - BCS: Gov't data breaches have eroded public trust
Author: Tom Espiner
Summary: The British Computing Society has criticised the government, claiming its high-profile data breaches have eroded public trust. On Tuesday the BCS published the results of a survey of members of the public. Of the 1,025 respondents, 66 percent said their trust in government departments had decreased due to information breaches such as the loss of 25 million personal records by HM Revenue & Customs last year. ..."People inside the public sector know [it] is not terribly surprising that [breaches such as HMRC's] happened, but for people outside the public sector this was a huge shock."
2008-04-28 - silicon.com - House of Lords backs data loss law change
Author: Nick Heath
Summary: Losing personal data took a step closer to becoming a criminal offence after the House of Lords backed a change in the law. Peers supported an amendment to the criminal justice and immigration bill which would make it a criminal offence to carelessly release or lose personal data. The amendment, proposed by Liberal Democrat Lady Miller, would make it an offence for anyone to "intentionally or recklessly disclose information" or "repeatedly and negligently" allow information to be disclosed.
2008-04-23 - OUT-LAW - Privacy chief notified of 94 data breaches since HMRC debacle
Summary: The Information Commissioner has been notified of almost 100 data breaches by public and private sector organisations since the loss of 25 million people's details by HM Revenue and Customs last November, according to figures released yesterday. Half of the 28 private sector security breaches were by financial services companies. The problem of the loss of personal information gained in profile in the aftermath of HMRC's loss of two discs containing the entire register of people claiming child benefit last year. The information on the discs included names addresses and banking details of 25 million people, leading to widespread fears of identity theft.
2008-04-23 - Kable - Hold less data says information commissioner
Summary: "Data protection to a large extent is about data minimisation," Thomas told the Infosecurity Europe conference in London on 22 April 2008. "Take the missing MoD laptop (reported in January). The media talk about the military person who left the laptop in the back of his car, but there are more fundamental questions." "Why were 600,000 details being collected in the first place, of casual enquirers about joining the armed forces, and applicants and recruits? Why was it kept for so long? Why was data there for 10 years? What use was it being put to, why was it being collected and retained?" "Then, why was the entire database transferred to a laptop? Then, why was the laptop not encrypted? And only then do you get to the question, why did it get left overnight in the back of a car?"
2008-04-22 - The Times - Top officials to be held to account for data losses
Author: Jonathan Richards
Summary: Senior Whitehall figures are to be held personally responsible if their department loses or mishandles personal information, under a range of measures designed to increase data security. Officials across the public sector, including permanent secretaries and chief executives of NHS trusts, are to be forced to take data protection "much more seriously" under proposals due to be laid out by Gus O'Donnell, the Cabinet Secretary. In the coming weeks Mr O'Donnell is expected to present the findings of a report on data security. The report was commissioned by the Prime Minister in the wake of the loss of 25 million child benefit claimant records by the HMRC in November.
2008-04-22 - Kable - Minister seeks to cut £30 ID card cost
Summary: Home Office minister Meg Hillier has said the government wants industry to help drive down the cost of the identity cards to the public. ... Hillier said that some 60% of citizens are in favour of identity cards and that the percentage has remained steady, despite the huge data loss at HM Revenue and Customs. She predicted that as identity cards are rolled out people will realise the benefits of carrying them.
2008-04-09 - BBC - Data loss prompts security move
Author: Niall Blaney
Summary: Thousands of "ultra-secure" computers costing £6m are to be bought by the NI executive following a series of embarrassing losses of personal data. About 4,000 high-security laptops and 10,000 new desktop computers are being bought. The BBC has also learned the Civil Service is to launch a secure system which may do away with sending people's details through the post. Discs containing the details of 6,000 NI drivers went missing in December.

March

2008-03-25 - Computing - One in 10 citizens trust government with data
Author: Tom Young
Summary: Only one in 10 people trust the government with their personal data, according to a survey by ICM Research for supplier Data Encryption Systems (DES). The survey highlights the extent to which the government's track record on data security has impacted public opinion.
2008-03-20 - Computing - Public losing confidence in government security
Author: Tom Young
Summary: The recent spate of high-profile data losses has led the public to take more care of their personal information, according to the Information Commissioner’s Office (ICO). Some 85 per cent of people now refuse to give out personal details wherever possible.
2008-03-20 - ZDNet - Public gets more savvy about data security
Author: Tim Ferguson
Summary: People in the UK are becoming much savvier with their personal information, suggesting the recent spate of high-profile data breaches has had an impact. An Information Commissioner's Office (ICO) survey has found eight out of 10 people are now taking more care with their personal information.
2008-03-18 - out-law - Government must take data protection more seriously, says Parliament committee
Summary: The minister responsible for data protection should be more powerful according to a Parliamentary committee which has also condemned the Government for not taking data protection seriously enough. The Joint Committee on Human Rights said that a spate of recent losses of personal data by the Government or its agencies is "symptomatic of the Government's persistent failure to take data protection safeguards sufficiently seriously … the rapid increase in the amount of data sharing has not been accompanied by a sufficiently strong commitment to the need for safeguards." "The fundamental problem is a cultural one: there is insufficient respect for the right to respect for personal data in the public sector," the Committee said. The Committee was reporting on a series of data protection breaches by public authorities, the most serious of which was the loss of personal and banking details of 25 million people by HM Revenue and Customs last November.
2008-03-17 - ZDNet - HMRC named 'internet villain' of the year
Author: David Meyer
Summary: This year, HM Revenue & Customs (HMRC) won the villain award for losing millions of citizens' personal data.
2008-03-17 - Kable - Data breaches damage trust in government
Summary: Two thirds of Britons trust government less as a result of recent data losses, according to research for the British Computer Society. When asked to describe their level of trust in established institutions, such as government departments, to correctly manage their data following recent data breaches and losses, 66% said their trust had decreased, 31% said it had stayed the same, and 1% said it had increased.
2008-03-14 - ZDNet - MoD admits loss of over 11,000 ID cards
Author: Nick Heath
Summary: The Ministry of Defence has admitted that more than 11,000 military ID cards have been lost or stolen in the past two years.
2008-03-14 - Information World Review - MPs raise fears over data protection for national ID register
Summary: Repeated breaches of data protection laws by government departments raise huge question marks over plans for the national identity register required for ID cards and biometric passport, an influential parliamentary human rights watchdog has warned. MPs and peers on the Lords and Commons Joint Committee on Human Rights said repeated losses of personal information by departments had increased their concern, and announced they "intend to take a close interest in the government's detailed proposals for the national identity register as and when they emerge."
2008-03-14 - Kable - Government's "insufficient respect" for personal data
Summary: MPs have said recent data protection breaches are "symptomatic of the government's failure to take safeguards sufficiently seriously". The report from Parliament's joint committee on human rights says that the problem with government data protection is cultural: "There is insufficient respect for personal data in the public sector."
2008-03-11 - Justice Committee Press Release - Government response to Committee report on private data loss published
Summary: Chairman of the Committee, Rt Hon Alan Beith MP said: "I think it was a shock to the public to find that such sensitive personal data could so easily be accessed and downloaded, and that it was possible for such data to be so easily lost, and of course further examples have come to light since the massive scale of the HMRC data loss was revealed. The public are going to take a lot more convincing that the Government has got a grip on this problem."
2008-03-06 - The Register - Tories call for big changes to cybercrime offences
Author: John Oates
Summary: Civil servants who lose public data could be prosecuted under proposals announced by the Conservative Party. It's one of a number of measures touted, as the Tories call for major changes in how the UK deals with cybercrime and data protection. ... the Tories are also calling for a "breach law" - forcing financial services companies to inform the Financial Services Authority if their systems are hacked or compromised in some way and confidential data is at risk.
2008-03-04 - The Guardian - More than 1,000 government laptops lost or stolen, new figures show
Author: Elizabeth Stewart
Summary: More than 1,000 laptops have been lost or stolen from government departments in recent years, new figures have revealed. Details of departmental losses were disclosed to MPs in a series of written ministerial answers to the House of Commons which reveal that at least 1,052 laptops have gone missing, including 200 in the last year alone.

February

2008-02-28 - BBC - Home Office CD in auction laptop
Summary: A highly confidential Home Office disk was found hidden in a laptop computer sold on eBay. The CD was found between the keyboard and circuit board of the laptop by computer repair technicians in Westhoughton, near Bolton. When engineers took off the keyboard they found a CD marked "Home Office - highly confidential".
2008-02-27 - Kable - Minister defends ID security
Summary: The National Identity Register will have very limited access, stringent security and no risk of 'discs flying around', MPs have been told. Home Office minister Meg Hillier defended the government's plans for its controversial National Identity Scheme, as she faced questions about data security from a committee of MPs. Hillier, who has responsibility for identity cards, said it was important to win public confidence in the scheme, particularly following a number of recent cases in which the government had misplaced or lost confidential data. The biggest loss was at HM Revenue and Customs (HMRC). It sent two discs with the details of 25m families to the National Audit Office by courier, which failed to arrive.
2008-02-22 - The Telegraph - Child database 'will never be fully secure'
Summary: Ministers faced calls to scrap a controversial database containing the personal details of every child in England yesterday after warnings that it would never be completely secure. An independent report called for tighter security to be put in place for the £224 million ContactPoint system, which is due to be introduced later this year. Ministers asked the consultants Deloitte to review arrangements for the database after the lost computer discs scandal at HM Revenue and Customs last November. MPs called on the Government to release the report in full after ministers decided to publish no more than a five-page summary for security reasons.
2008-02-21 - NO2ID - Government tries to ignore security risk to millions of families
Summary: A report commissioned by the government following the HMRC Child Benefit data breach last year confirms that the ContactPoint database, intended to contain the details of every child and parent in the country, can never be made secure. This confirms objections that NO2ID and other campaigners have been pressing since the passing of the Children Act 2004. The report by Deloitte and Touche, of which a summary was published this afternoon, says: "It should be noted that risk can only be managed, not eliminated, and therefore there will always be a risk of data security incidents occurring." The government has refused to publish the full report, 'for security reasons'. In essence it is trying to ignore the problem. It appears from the Executive Summary that has been published that Deloitte confirms some of the issues identified by campaigners well before the legislation had been passed. Phil Booth, NO2ID’s national coordinator, said: "If the report identifies problems in ContactPoint, then the government should face up to them – not try to keep them secret. Ministers can no longer say, "You’ll just have to trust us". We know we can't." "If the government's own report says no system accessible by over 300,000 people can ever be made secure, the answer is not to ignore it and hope everyone forgets. What will they do when - not if - the system is abused? Hide that too?" "ContactPoint is just one more case where official face-saving trumps the basic rights of the general public. Behind the cosy slogan, 'every child matters' seems to mean putting every child equally at risk. If the government cared about more than sloganising, it would scrap the whole scheme immediately."
2008-02-20 - Financial Times - MPs deride £5.4bn cure-all
Author: Jim Pickard and Jimmy Burns
Summary: Meg Hillier, Home Office minister, will next week outline details of the next phase of Britain's £5.4bn ID card programme - with the government insisting that the public still wants the scheme. But with MPs yesterday calling for the project to be ditched, ministers have a fight on their hands to justify not only its cost but its scope. ... a series of public data losses have further dented confidence in the scheme.
2008-02-18 - The Sun - 20,000 bank files found in squat
Author: Oliver Harvey
Summary: Sensitive information on 20,000 people – including their bank account numbers and health details – has been found dumped in a hippy squat. ...Documents included names, phone numbers and addresses, dates of birth, pay slips, bank forms and details of private interviews with benefit claimants. ...The Haringey Council files – many stamped "Confidential" - date from the 1980s to 1993.
2008-02-15 - ZDNet - ICO: Data-breach spate 'no worse' than normal
Author: Tom Espiner
Summary: The Information Commissioner's Office has said that the rash of data-breach reports in the past five months is due not to more data breaches, but to more people admitting to them. HM Revenue & Customs' loss of 25 million details of people claiming and receiving child benefit was the catalyst for a surge of data-loss reports, an ICO spokesperson told ZDNet.co.uk on Friday. "More people are stepping forward as they realise the importance of data breaches," said the spokesperson. "We don't think the situation is any worse. Back in July last year we highlighted the need for more data protection."
2008-02-14 - BBC - Medical records laptop is stolen
Summary: A laptop containing the medical records with information on 5,123 patients has been stolen from a Black Country hospital.
2008-02-10 - The Observer - We trusted this country. Look how it treats us
Author: John Gray
Summary: The fiascos of 'e-government' are not anomalies that can be corrected by more rigorous procedures. The billions that have been squandered on unworkable computer networks in the NHS and the repeated loss of data throughout government are signs of a dysfunctional system. The disappearance of millions of learner drivers' details somewhere in the Midwest is par for the course. Nothing that has been announced by Gordon Brown will prevent similar debacles. Inevitably, there will be more such incidents - plenty more.
2008-01-06 - The Guardian - Poll shows growing opposition to ID cards over data fears
Author: Alan Travis
Summary: 25% now strongly against their use, says ICM survey, Majority concerned about sharing of personal details, 50% against 47% in favour. The number of people strongly opposed to the introduction of a national identity card scheme has risen sharply, according to the results of an ICM poll to be published today. Those campaigning against ID cards said last night that the poll, with results showing that 25% of the public are deeply opposed to the idea, raises the prospect that the potential number of those likely to refuse to register for the card has risen. If the poll's findings were reflected in the wider population, as many as 10 million people may be expected to refuse to comply. The ICM survey also shows that a majority of the British people say they are "uncomfortable" with the idea that personal data provided to the government for one purpose should be shared between all Whitehall-run public services.
2008-02-05 - ZDNet - BlackBerrys grounded by Whitehall data ban
Author: Nick Heath
Summary: Government BlackBerry devices and PDAs have been grounded by the Whitehall-wide ban on the movement of unencrypted personal data. The devices have fallen foul of the department-wide ban imposed by cabinet secretary Sir Gus O’Donnell in the wake of the revelations about the Ministry of Defence data loss last month that resulted from a stolen laptop. The Cabinet Office confirmed that any government electronic device, even down to a mobile phone, would have to have any personal data encrypted before it could leave Whitehall premises.
2008-02-04 - Liberal Democrat Press Release - 100,000 families didn't receive letter of apology over lost discs fiasco
Author: Danny Alexander MP
Summary: Over 100,000 families didn’t receive a letter of apology from the Government after their child benefit data was lost last year, according to figures obtained by the Liberal Democrats. After losing the personal details of every child benefit recipient last year, the Chancellor promised to send out a letter informing each of the 7.25 million households of the error and apologising. But 101,500 of the addresses lost were not ‘current’, perhaps because the records had not been updated since a family had moved, so these households have still not yet received a letter. Commenting, Liberal Democrat Shadow Work and Pensions Secretary, Danny Alexander said: "The loss of millions of families’ personal details was beyond incompetent yet the Government has gone one better by failing to contact all the families affected." "It's bad enough that people are now at risk of fraud and identity theft, but the least ministers could do is make a serious effort to contact each family to apologise." "From losing personal records to wrongly paying tax credits, this bungling Government is failing families across the board."
2008-02-01 - OUT-LAW - Expect Government to be interested in your IT security
Author: Dr Chris Pounder
Summary: Disaster has struck and all big organisations should be preparing to pay the price. In the aftermath of the HM Revenue & Customs (HMRC) loss of personal information and a subsequent flood of data security breaches, large organisations should be ready to prove that they can take care of personal information. Anyone who thought that the HMRC disaster was a one-off could not hold that view for long as a Ministry of Defence laptop, a Marks & Spencer employee database and others have created an ever-growing list of organisations suffering a loss of important or confidential data. ... Already the Government has conceded that it intends to provide increased power to the Information Commissioner to carry out inspections and audits, and has introduced a two-year custodial offence where malpractice with respect to personal data can be linked to staff malfeasance.

January

2008-01-31 - The Guardian - Our state collects more data than the Stasi ever did. We need to fight back
Author: Timothy Garton Ash
Summary: To trust in the good intentions of our rulers is to put liberty at risk. I'd go to jail rather than accept this kind of ID card. ... Today, the people of East Germany are much less spied upon than the people of Britain. The human rights group Privacy International rates Britain as an "endemic surveillance society", along with China and Russia, whereas Germany scores much better. ... All this from a government which, having collected so much data on us, goes around losing it like a late-night drunk spreading the contents of his pockets down the street. Twenty-five million people's details mislaid by Her Majesty's Revenue and Customs; at least 100,000 more on an awol Royal Navy laptop; and so it goes on. ... The Liberal Democrat leader Nick Clegg has said he would go to jail rather than accept an ID card of this intrusive kind. So would I. And so, I believe, would many thousands of our fellow-citizens. (There's a good website called NO2ID where you can join the fray.) Which is why, I suspect, the government won't be so foolish. But we need to draw the line well before ID cards. There are liberties that we have already given away, while sleeping, and we must claim them back.
2008-01-28 - The Telegraph - Online tax system 'too risky' for the famous
Author: Robert Winnett
Summary: Thousands of "high profile" people have been secretly barred from using the online tax return system amid concerns that their confidential details would be put at risk. This provoked anger from consumer groups and accountants who said the same levels of security should be offered to all taxpayers regardless of their perceived fame. HMRC was responsible for losing 25 million child benefit records and the latest admission will concern millions of people entrusting the online system with their confidential financial records.
2008-01-27 - Financial Times - No ID, no problem
Summary: In the two years since legislation for a UK national identity card scheme gained royal assent, the case against the multi-billion pound programme has become overwhelming. ... Ministers argue that ID cards would reduce identity and benefit fraud. But Revenue & Customs’ loss of two computer discs containing personal details of 25m people, including bank account numbers, has instead exposed the opportunity for abuse on an undreamed of scale.
2008-01-24 - Computing - Why personal data loss must not be tolerated
Author: Mike Howse
Summary: In the recent HM Revenue & Customs (HMRC) data debacle (Discgate), employees at all levels of seniority neglected security policies and procedures, copied database information to disks, and sent data unencrypted in the post. In the past few weeks we have seen multiple data loss reports: Northern Ireland drivers’ licence details, Merseyside health workers’ data and HMRC’s admission that its Cardiff office either lost the personal details of more than 6,500 people claiming pensions and/or sent the data to unauthorised recipients.
2008-01-23 - The Independent - Court case data discs go missing
Author: Vicky Shaw
Summary: Personal details from court cases contained on four CDs have gone missing in the post, the Government said today. The Ministry of Justice launched an investigation after the information was lost when it was sent recorded delivery. A spokeswoman would not comment on a report that the missing courtroom data discs contained details of at least 55 defendants and other restricted data not released in open court, potentially including the names and addresses of alleged victims and witnesses. ... The MoJ released a brief statement which said: "Her Majesty's Inspectorate of Court Administration (HMICA) confirms that four CD-Roms are missing." "They were sent recorded delivery. Ministers and the Information Commissioner were notified immediately it was recognised that personal data had been lost." "An investigation is under way so it would be inappropriate to comment further at this stage." Yesterday saw a new ban come into place on Whitehall staff removing unencrypted laptops containing personal data from their offices.
2008-01-23 - Computer Active - ID cards to arrive in 2012
Author: Andrea-Marie Vassou
Summary: UK citizens will receive their compulsory national ID card two years after the proposed date, according to documents leaked to the Conservative party. ... Security expert Richard Clayton agreed, attributing the delay to the Government's recent "incompetent handling of private data". Becky Hogge, director at the Open Rights Group told Computeractive: "It would come as no surprise if the Government was to reconsider its plans for ID cards given its recent record on data protection."
2008-01-22 - The Register - MoD laptop losses expose government data indifference
Author: John Oates
Summary: The latest data giveaway by the UK's Ministry of Defence shows that not even the most basic IT policies are being followed. There are various ways to ensure laptops do not go astray when loaded up with sensitive information. The most basic is that such information should not be on any machine unless absolutely necessary. The second policy would be to take some action to ensure the laptop was kept physically safe - so leaving such a laptop in an empty car overnight is probably not a good idea. Assuming one or both of these steps were followed, the MoD could then use various types of technology to ensure the data was safe if the worst did happen and the machine was stolen - it could password protect the machine and it could encrypt the data.
2008-02-23 - The Scotsman - 'Two-year delay' blow for ID card proposals
Author: Gerri Peev
Summary: Gordon Brown's plans for identity cards were dealt a blow last night after leaked documents revealed the government plans to delay a national roll out of the scheme for at least two years. ... David Davis, the shadow home secretary said: "I should think this scheme is in the intensive care ward." "There are clear faults in the whole government strategy as demonstrated from disc-gate to Birmingham-gate or whatever you want to call it." "There is a clear fracture in public confidence. When we started there were 80 per cent for it. Now I suspect 80 per cent oppose it." "It all amounts to giving the government an insoluble problem." "It is a political nightmare for them which is why there have been serial delays."
2008-01-22 - The Guardian - MoD admits inquiry into 69 lost laptops
Author: Richard Norton-Taylor
Summary: Stolen files not encrypted, Browne tells Commons as Whitehall issues staff ban on movement of data. ... two further laptops containing unencrypted information on at least 500 people had been stolen since 2005. A Royal Navy laptop was stolen from a car in Manchester in October 2006 and an army laptop was stolen from a careers office in Edinburgh in December 2005. These losses were on top of the 69 laptops and seven PCs reported stolen from the ministry.
2008-01-22 - Kable - Navy recruiters broke data regulations
Summary: Defence minister Des Browne has told the House of Commons that officials broke Ministry of Defence (MoD) procedures by placing individuals' data on laptops. ... "It's not clear why recruiting officers routinely carry information on a large number of people or why the database should carry all that information at all," he said.
2008-01-22 - ZDNet - MoD lost three unencrypted laptops
Author: Tom Espiner
Summary: Secretary of state for defence Des Browne has admitted that the laptop lost by the Ministry of Defence containing details of up to 600,000 defence personnel was not encrypted, and also that services personnel have previously lost two more laptops containing similar unencrypted recruitment information.
2008-01-22 - Computing - Whitehall looks to encryption
Summary: Urgent moves to boost the capacity of Whitehall departments to encrypt data are underway following a ban on removing laptops containing unencrypted personal data from government offices. Orders were issued by cabinet secretary Sir Gus O'Donnell as MPs grilled defence secretary Des Browne on the loss of two further Ministry of Defence (MoD) laptops prior to the one containing data on 600,000 recruits nearly two weeks ago. Browne announced that, in addition to the Whitehall-wide review, he has commissioned an investigation into weaknesses in MoD information security by Information Advisory Council chairman Sir Edmund Burton.
2008-01-21 - Three military laptops with secure data missing
Author: Nico Hines
Summary: Three military laptops containing personal details of new recruits have been stolen from Ministry of Defence staff since 2005, Des Browne was forced to admit today. The Defence Secretary was making a statement to the House of Commons explaining the loss of a laptop containing the personal data of 600,000 people earlier this month when he made the embarrassing admission.
2008-01-21 - The Guardian - The national ID register will leak like a battered bucket
Author: Jackie Ashley
Summary: The record of lost data of the past few years should be a warning to us all: our personal details are safe in nobody's hands. ... last year when the child benefit records for a mere 25 million people, including dates of birth, national insurance numbers and bank and building society details, were lost by HM Revenue and Customs (HMRC). ... As it happens, the HMRC had lost details of 15,000 people when they were sent to Standard Life the previous month. Also in September an HMRC laptop was lost with the details of 400 Isa holders on it. ... And there were other similar incidents, going back at least to 2005. Indeed, according to parliamentary answers HMRC had in the previous year been responsible for a modest 2,111 data-protection breaches. ... The government is going to introduce a single system for all our identities. And I promise, you can't trust it. It will leak like a battered old bucket.
2008-01-21 - ZDNet - Government at a loss over data security
Summary: With the Ministry of Defence's loss of more than half a million personal details from a car in Birmingham, the best that can be said is that it's nearly 24.5 million fewer records than HMRC managed. No doubt Gordon Brown will be announcing this as a 97.5 percent reduction in serious stupidity per quarter. Even at this rate, however, the entire country's private information will be in criminal hands by 2012. The Home Office could save time by starting up an RSS feed.
2008-01-21 - ZDNet - MoD loses 600,000 personal details
Author: Tom Espiner
Summary: The Ministry of Defence has admitted losing the details of 600,000 people after the theft of a laptop from a Royal Navy officer in Birmingham last week. The MoD also lost the bank details of approximately 3,500 of those people.
2008-01-21 - BBC - More MoD laptop thefts revealed
Summary: Defence Secretary Des Browne says a probe into the loss of a laptop with details of 600,000 people has uncovered two similar thefts since 2005. The other two laptops held similar data but on fewer people, he told MPs. ... the information was not encrypted. ... Dr Fox said it was potentially more damaging than HM Revenue and Customs' loss of 25 million people's child benefit details. He also said some 68 MoD laptops had been stolen in 2007, 66 in 2006, 40 in 2005 and 173 in 2004.
2008-01-19 - The Telegraph - MoD under pressure to explain data loss
Author: Robert Winnett and Juliet Turner
Summary: Des Browne, the Defence Secretary, has come under intense pressure to explain the loss of the personal details of 600,000 people interested in joining the Armed Forces. The data was saved on a laptop computer that was stolen from a Royal Navy officer in Birmingham last week on the night of January 9, but the MoD only disclosed it had been lost late last night. ... Simon Davis from the privacy watchdog Privacy International said: "I'm flabbergasted. I cannot believe that our flagship security unit the MOD cannot get the handling of information right." "To think that somebody would have a laptop containing unencrypted information rivals the HMRC data breach." "The problem is that there are so many procedures in place to protect information that nobody knows which one's in place. Junior officials can't remember them and nobody knows what's happening." "We need to slim-down the amount of procedures in place to protect information."
2008-01-19 - The Independent - Ministers face embarrassment over stolen laptop and further data losses
Author: Nigel Morris
Summary: Ministers faced further questions over data security last night after a laptop computer containing the details of 600,000 people was stolen and hundreds of documents listing personal data on benefits claimants were found dumped at a roadside. The disclosures - three months after computer discs listing child benefit records of 26 million people vanished – left the Government facing fresh embarrassment over the security of personal data.
2008-01-19 - The Scotsman - 600,000 armed forces files lost – but MoD takes nine days to admit theft of laptop
Author: Russell Jackson
Summary: The government was at the centre of another data-breach row last night after revealing a Royal Navy officer's laptop containing the details of 600,000 people had been stolen. ... Information experts immediately asked why the sensitive information was not encrypted. The government has been dogged by information breaches since October when it admitted losing the entire child-benefit database after two CDs went missing from HMRC.
2008-01-18 - ZDNet - HMRC letters of apology cost £2.25m
Author: Nick Heath
Summary: The government has admitted it cost £2.25m to send letters of apology to people affected by the loss of 25 million child-benefit records by HM Revenue & Customs.
2008-01-15 - Web User - HMRC up for web villain award
Summary: The Internet Service Providers Association (ISPA) has named the candidates for its Internet Villain of the Year 2007 award. ... HM Revenue and Customs (HMRC) was nominated for the Villain of the Year award for "failing to take the protection of people's personal data seriously and highlighting bad practice in protecting data by losing computer disks containing confidential details of 25 million child benefit recipients," ISPA said.
2008-01-15 - ZDNet - Police demand HMRC foots bill for disc search
Author: Nick Heath
Summary: Scotland Yard will demand HM Revenue & Customs foots the record bill for the police force's hunt for the missing data discs containing 25 million child-benefit records. ... A spokeswoman for HMRC said the department has agreed to pay the costs that "we have triggered as a result of the police investigation into the disappearance of the child-benefit data".
2008-01-15 - The Guardian - Personal data is as hot as nuclear waste
Author: Cory Doctorow
Summary: We should treat personal electronic data with the same care and respect as weapons-grade plutonium - it is dangerous, long-lasting and once it has leaked there's no getting it back.
2008-01-13 - The Telegraph - Hunt for data discs lost in post is called off
Author: Richard Edwards
Summary: Police have given up the search for the missing Customs and Revenue discs containing personal details of 25 million people after an operation costing the taxpayer tens of thousands of pounds. Scotland Yard sources said the six-week operation was the "most expensive lost property inquiry ever known". Officers found other mislaid documents "stuffed away in cupboards" during a forensic search of the Government department at the centre of the fiasco, but now believe the discs will never be found.
2008-01-10 - Accountancy Age - Bonus payouts for HMRC staff that lost benefit discs
Author: Penny Sukhraj
Summary: The HMRC department that caused the blunder which saw the personal details of 25 million families go missing, has been given £19m in performance-related bonuses. ... Conservative chairman of the Treasury sub-committee, Michael Fallon, described the scale of the payout as 'staggering'. 'Given the over-payments of tax credits and data loss mistakes, constituents might be surprised to learn that a third of staff at HMRC shared a performance-related bonus,' said Fallon.
2008-01-08 - BBC - Clarkson stung after bank prank
Summary: Jeremy Clarkson revealed his account numbers after rubbishing the furore over the loss of 25 million people's personal details on two computer discs. He wanted to prove the story was a fuss about nothing. But Clarkson admitted he was "wrong" after he discovered a reader had used the details to create a £500 direct debit to the charity Diabetes UK. ... Clarkson now says of the case: "Contrary to what I said at the time, we must go after the idiots who lost the discs and stick cocktail sticks in their eyes until they beg for mercy."
2008-01-07 - The Telegraph - Government's record year of data loss
Author: David Harrison
Summary: A record 37 million items of personal data went missing last year, new research reveals. Most of the data was lost by government officials but councils, NHS trusts, banks, insurance companies and chain stores also mislaid or published personal information about staff or members of the public. Many losses were caused through CDs going missing in the post, laptop thefts, and inadequate security systems that failed to stop hackers reading information stored on computers.
2008-01-05 - BBC - Teachers 'put pupil data at risk'
Summary: Teachers in nearly half of England's primary schools back up pupil data on CDs and memory sticks, which they then take out of school, research suggests. RM blamed a lack of clear guidance, but the government said it published advice for schools on the issue. The warning comes after a string of data security breaches by government departments and associated agencies.
2008-01-03 - The Guardian - MPs say losing computer data should be made a crime
Author: Tania Branigan
Summary: Recklessly or repeatedly mishandling personal information should become a criminal offence, a committee of MPs urges today in the wake of the child benefit fiasco. A report from the justice select committee says there is evidence of a widespread problem within government and expresses concern that further cases of data loss are still coming to light, adding that concerns about systemic failings were raised two years ago by the man now in charge of the government's review of security. The committee says that companies should be obliged to report information losses.
2008-01-03 - The Register - MPs call for stronger data protection laws
Author: John Oates
Summary: The Commons Justice Committee recommended the introduction of new offences so that a data controller could be charged for recklessly or intentionally disclosing, or obtaining, personal data. MPs echoed fears raised by the Information Commissioner that there could well be further data breaches. The committee also noted that government departments cannot currently be held responsible for data breaches.
2008-01-03 - BBC - Tougher data laws needed, say MPs
Summary: Reckless or repeated breaches of data security should become a criminal offence, a committee of MPs has said. Currently, government departments cannot be held criminally responsible for data protection breaches. But in a report on the "truly shocking" loss of 25m people's personal details by HM Revenue and Customs, the Commons justice committee demands tougher laws.
2008-01-03 - The Times - Whitehall should be prosecuted over data loss, say MPs in call for new law
Author: Greg Hurst
Summary: MPs are calling for new offences to allow Whitehall departments to be prosecuted for data security blunders such as the loss of child benefit records for 25 million people. The cross-party Commons Justice Committee says that the criminal law must be strengthened to close loopholes and reflect the gravity of offences involving the theft or loss of personal data. Ministers are already planning to toughen sanctions for data protection offences. Government sources suggest that penalties will include up to two years’ imprisonment rather than fines as at present.
2008-01-03 - Computing - Government data needs attention
Summary: The government must balance moves to join up services with the risk of data privacy problems, say MPs. The Commons justice committee report published today re-emphasises the need for wider powers for the Information Commissioner in the aftermath of the HM Revenue & Customs lost discs fiasco.
2008-01-03 - Justice Select Committee - Protection of Private Data
Summary: We are gravely concerned that this incident is not an isolated example

December

2007-12-31 - BBC - Clegg pledging to fight ID cards
Summary: The new Lib Dem leader has pledged to campaign "tirelessly" against "expensive, invasive" ID cards in 2008. Nick Clegg said the recent data loss "scandals" had created a lack of public confidence in the government's ability to look after personal information. His comments were made in his New Year message to the Lib Dem party.
2007-12-30 - The Guardian - Doctors revolt on patient records
Author: Eileen Fairweather
Summary: SENIOR doctors are encouraging a mass revolt against the government’s £12 billion national health database by supporting a campaign to urge patients to opt out. Activists in the British Medical Association (BMA) have produced a pro forma letter that people can send to their GP to stop their records going onto the database. The doctors fear that patients’ records could be misused if they are made available to health workers across the country, as is planned under the Connecting for Health system.
2007-12-30 - The Sunday Times - Beware the state’s ID card sharks
Author: David Davis MP, the shadow home secretary
Summary: If Gordon Brown picks one failure from his first six months to learn from, it should be the loss of 25m people’s personal details. If he makes one resolution for 2008, it should be to scrap his reckless plan to introduce compulsory ID cards. "Discgate" was the result of ministerial incompetence, but also flawed policy. As chancellor, Brown relentlessly pursued his forlorn vision of a "joined-up identity management regime" across public services. As prime minister, he continues this vain search, like an obsessed alchemist, for a giant database that his closest advisers ominously refer to as a "single source of truth".
2007-12-27 - The Guardian - Primary school pupils' personal data 'at risk'
Summary: Personal details of 2 million primary schoolchildren in England are being put at risk by staff taking home unprotected data. A survey of almost 1,000 primary schools found that 49% were backing up pupil data on to discs, memory sticks or tapes which were taken off the school premises, exposing the material to loss or theft. IT experts RM School Management Solutions, which carried out the survey, said that only 1% of respondents encrypted the data. A further 4% of schools were leaving sensitive and unprotected data at unsecured locations on the school premises.
2007-12-24 - The Independent - PM in new pledge to secure databases
Author: Andrew Grice
Summary: Gordon Brown has accepted that the Government will need to bring in new safeguards to restore public confidence in the huge databases held by state-run services. ... His pledge came during a telephone conversation with Nick Clegg in the past week.
2007-12-24 - The Financial Times - Concern over data handling grows in UK
Author: Jimmy Burns
Summary: The Department of Health confirmed that nine National Health Service trusts in England and Wales had admitted losing patients' records. The loss, thought to involve data on hundreds of thousands of adults and children, emerged as part of a government-wide data security review following security breaches in other departments. ... Andrew Lansley, the opposition home affairs spokesman, said the latest loss underlined the case against the government developing centralised data bases. It also raised serious questions over how the planned electronic patients database in the NHS would be able to protect sensitive medical records, he said. "For over two years we have argued for data to be held locally, with networking rather than one central database. The government should accept that this would offer us greater protection," Mr Lansley said.
2007-12-24 - The Guardian - Primarolo admits ignorance over data losses by nine NHS trusts
Author: Patrick Wintour
Summary: The health minister, Dawn Primarolo, does not know exactly what has been lost by nine NHS trusts. Ministers will be worried that the loss will further undermine confidence in the department's plans for a new computer database of all NHS patients' records. ... The data losses appear to have emerged locally, with potentially the biggest loss by City and Hackney Primary Care Trust in London, which has reportedly mislaid the details of 160,000 children after a computer disc failed to arrive at its destination at St Leonard's hospital. ... The campaign group NO2ID, which opposes ID cards and moves to centralise all NHS records, said: "We are now starting to see the consequences of the government obsession with information 'sharing' and centralised IT in the NHS. If you care about your privacy, then keep your medical records between you and your doctor, and out of the hands of the Department of Health, if you can."
2007-12-23 - Yahoo! News - NHS trusts lose patients' details
Summary: Nine NHS trusts have admitted losing patients' information in the aftermath of the HM Revenue and Customs (HMRC) data loss scandal, it has emerged.
2007-12-23 - The Sunday Mirror - Data scandal is a sickener
Summary: Today the Sunday Mirror reveals that medical records have been lost by nine separate health service trusts. Once again, the incompetence is staggering. The most personal details of thousands of people have been treated with scandalous disrespect.
2007-12-23 - The Sunday Mirror - 9 trusts lose files
Author: Vincent Moss and Justin Penrose
Summary: Hundreds of thousands of Health Service patients' details have gone missing in a new data scandal. Sensitive details about adults and children were lost in 10 incidents at NINE separate NHS Trusts. Health Secretary Alan Johnson's department last night confirmed details - kept on computer discs or memory sticks - had gone missing. But the Department of Health refused to reveal how many patients were involved or the exact nature of the blunders. Cases include the loss of a CD holding 160,000 children's names and addresses by a Trust in East London and the loss of 244 cancer patients' details by the Maidstone and Tunbridge Wells health trust in Kent. In one case, in Norfolk and Norwich, medical papers on patients with lung, breast and colon cancer were dumped in a wheelie bin. ... THE TRUSTS: Bolton Royal Hospital, Sutton and Merton, Maidstone and Tunbridge Wells (two incidents), Sefton Merseyside, City and Hackney, Mid Essex, East and North Herts, Norfolk and Norwich, Gloucester Partnership Foundation Trust
2007-12-20 - ZDNet - The lonesome death of data protection
Author: Tom Espiner
Summary: Discgate as Bob Dylan would have sung about it.
2007-12-20 - The Guardian - Chattering classes deserve a debate about e-government
Author: Michael Cross
Summary: In the continuing fallout from the child benefit disc disaster, the government's IT chiefs can draw one small consolation: the "transformational government" programme to join up public services through IT is now on the chattering classes' agenda. The chattering is mainly hostile, of course, with a consensus that e-government will create a snooper's paradise or a permanent milch cow for IT consultancies. Or both. ... It involves an old IT management technique called the "scream test": the way to find out what a rambling old IT system is really being used for is to turn it off and see who screams. To kick-start the e-government debate, we should do the same. That's right: turn it all off, from your council's webcam to NHS Healthspace to the DVLA's car tax online service. The whole shooting match, off. The screams, I suspect, will be louder than the chattering classes would have us believe.
2007-12-19 - The Economist - Learning the embarrassing way
Summary: For many years Britain's tiny band of civil libertarians have been trying to alert their countrymen to the danger of proliferating government databases, which allow bureaucrats to share citizens' information among themselves with the minimum of fuss. A string of recent blunders have made their case more powerfully than years of lobbying. The latest to emerge has been the loss earlier this year of 3m driving-test records held at a data centre in Iowa. ... Others see a more fundamental problem. The Foundation for Information Policy Research points out that data losses are an inevitable consequence of the government's determination to build massive databases to keep tabs on its citizens. And despite the embarrassments of the past few weeks, it shows no sign of abandoning the biggest project of all: its plan to introduce identity cards for everyone.
2007-12-19 - The FT - The price of trust
Author: Sue Cameron
Summary: Public trust in HMRC has come in for a further battering this week. First came the progress report on what happened over the missing discs containing half the nation's bank details and what urgent measures should be taken. The report, by Kieran Poynter, chairman of PwC, tells Alistair Darling, the chancellor: "I have seen no evidence thus far that would lead me to conclude that the statement given by you to parliament was inaccurate." Hm. Very guarded. Mr Poynter, whose work is "far from complete", has called for the download function on all HMRC laptops and PCs to be disabled, among other moves, but has shown heroic reticence about criticising HMRC.
2007-12-18 - The Times - Millions more ID records go missing
Author: Philip Webster
Summary: The records of more than three million British learner drivers have gone missing from a "secure facility" in the US, an embarrassed Government admitted last night. Labour’s dismal autumn hit another low as, minutes after ministers admitted that they still did not know the whereabouts of two discs holding sensitive information on 25 million people, they were forced to confess they had lost the details of all candidates for the driving theory test between 2004 and 2007.
2007-12-18 - ZDNet - HMRC did breach data laws
Author: Tom Espiner
Summary: The organisation responsible for administering the UK's data-protection legislation has said the government breached data laws when millions of records were stolen in the data debacle at HM Revenue & Customs.
2007-12-17 - Foundation for Information Policy Research - The Government misses the point on Poynter
Summary: The Foundation for Information Policy Research (FIPR) believes that the Government's response to the interim Poynter report shows that they just don't understand what has gone wrong. Their refusal to abandon the headlong rush towards Transformational Government -- the enormous centralised databases being built to regulate every walk of life -- is not just pig-headed but profoundly mistaken. Both Alistair Darling, commenting on the HMRC fiasco, and Ruth Kelly, telling the House about the loss of 3 million people's personal information, told us that once 'lessons have been learned' and 'procedures tightened' the march to ever-larger database systems will continue. Before Transformational Government came along, only small amounts of data were lost -- but as the new databases cover the whole population, everyone's affected now, not just a few unlucky people. Transformational Government means putting all of the eggs into one basket and it is creating: The multi-billion pound identity card scheme, to hold data on the whole population. The National Health spine, which will make everyone's health records available for browsing by a million NHS workers. ContactPoint which will record details on every child in England, with details of their parents, carers and indicators of whether they have any contact with social services. Three hundred thousand people can look that information up. A universal pensioner's bus pass scheme which will hold the data on 17 million people, and in principle will let any bus driver learn your age and address -- when all that it should record is an entitlement to free travel. Ross Anderson, Chair of FIPR and Professor of Security Engineering at the University of Cambridge said, "the Government believes that you can build secure databases and let hundreds of thousands of people access them. This is nonsense -- we just don't know how to build such systems and perhaps we never will. The correct way to design such systems is to localise the data, in a school, in your local GP practice. That way when there is a compromise because of a technical failure or a dishonest user then the damage is limited." "You can have security, or functionality, or scale -- you can even have any two of these. But you can't have all three, and the Government will eventually be forced to admit this. In the meantime, billions of pounds are being wasted on gigantic systems projects that usually don't work, and that place citizens' privacy and safety at risk when they do." Richard Clayton, FIPR Treasurer said, "Personal data ought to be handled as if it were little pellets of plutonium -- kept in secure containers, handled as seldom as possible, and escorted whenever it has to travel. Should it get out into the environment it will be a danger for years to come. Putting it into one huge pile is really asking for trouble. The Government needs to completely rethink its approach and abandon its Transformational Government disaster."
2007-12-17 - Downing Street Says - Data Security
Summary: Asked if the new measures re data security related to Government or just to HMRC, the Prime Minister's Spokesman said that they related to Government; the O’Donnell review was about looking at all departments.
2007-12-14 - Kable - Police call off discs search
Summary: UK police are to stop searching for the missing child benefit CDs early next week
2007-12-13 - The Register - Brown quizzed on gov IT failures
Author: John Oates
Summary: Prime Minister Gordon Brown admitted this morning that the government has "a long way to go" to a coherent IT strategy. Asked by MP Edward Leigh about systemic failures at the HMRC, which led to the loss of two CDs containing the entire child benefit database, Brown said there was a difference between rules not being followed and failure of procedures and systems. He also said no one had lost any money.
2007-12-12 - Evening Standard - Children's data discs lost in hospital blunder
Author: Mark Prigg
Summary: The personal details of 160,000 children have been lost at a London hospital in a fresh blunder over confidential information. A computer disc containing the data was sent to St Leonard's Hospital in Hackney but failed to reach the right department - even though it was signed for by hospital staff. The disc contained their names, dates of birth and addresses.
2007-12-12 - BBC - Loan application forms go missing
Summary: 800 budgeting loan applications containing personal and confidential information about members of the public were lost by the Department for Work and Pensions. The forms contained applicants' names, addresses, dates of birth, National Insurance numbers and bank details.
2007-12-12 - The Register - Six in ten UK punters fear what gov will do with private data
Author: John Oates
Summary: Research sponsored by Symantec reveals that six out of ten UK citizens do not believe their data is safe with government departments.
2007-12-12 - Ministry of Justice Press Release - Consultation launched into the use and sharing of personal information
Summary: A consultation into how personal information is used and shared in the public and private sectors has been launched today by Richard Thomas and Dr Mark Walport. The consultation forms part of an independent review into the use and sharing of personal information announced by the Prime Minister on 25 October. It asks how and why information is shared and used; whether the Data Protection Act offers sufficient safeguards; what impact technological advances have had on the protection of personal information; and whether there are lessons the UK can learn from other countries.
2007-12-12 - Scotsman - Government under fire after three new data mix-ups
Author: Angus Howarth
Summary