Gov't needs greater accountability to "ensure security", says Darling

HMRC and DVA data debacles continue…

By Tom Espiner

Published: 18 December 2007 08:36 GMT

The government needs to simplify organisational structures in some departments and review data-protection laws, Chancellor of the Exchequer Alistair Darling has admitted.

In the wake of the loss of 25 million personal records by Her Majesty's Revenue & Customs (HMRC) last month, and the presentation of an interim report into that data loss by PricewaterhouseCoopers chairman Kieran Poynter, Darling said HMRC needs to have clearer lines of responsibility for data in order to "ensure security".

Darling told Parliament yesterday: "The [interim Poynter review] shows the necessity of setting up a simpler organisational structure with clearer accountabilities." He added that in future there would be "restrictions on the bulk transfer of data" between government departments.

Darling said the Information Commissioner's Office, as well as being given powers to "spot check" public-sector organisations, would receive "new sanction under the Data Protection Act to take account of its principles, to ensure sensible data-protection practices and greater security".

Philip Hammond, shadow chief secretary to the Treasury, said the public felt "a sense of anger and betrayal over the loss of the data", which included the names, addresses, national insurance numbers and bank details of those claiming and receiving child benefits.

Hammond said: "The ability [for a member of staff] to be able to download the data signalled an absence of data-protection systems. While we welcome the [proposed] ban on the transfer of bulk data, why on earth wasn't this simple procedure in place?"

Hammond said there had been a systemic failure and that the "responsibility for systemic failure lies at the top".

Vincent Cable, the Liberal Democrat Treasury spokesman, said he hoped the chancellor "appreciates the damage to public confidence" caused by the HMRC breach, and that it was "difficult to see how the government could proceed with the compulsory ID cards scheme" and other government database projects following the breach.

The interim Poynter review was set up to look at what led to the loss of the HMRC discs and to make recommendations on how procedures should be changed to mitigate future data loss. Writing in a letter to Darling, Poynter noted: "The longer-term solution will rely on a combination of factors which I will address as the review progresses. As envisaged in my terms of reference, these include the management accountability framework, tone from the top, culture and training, as well as technical measures."

Transport secretary Ruth Kelly then gave a statement to Parliament about the loss of over 7,600 motorists' personal details by the Driver and Vehicle Agency (DVA) of Northern Ireland earlier this month.

The DVA admitted losing data on a total of 7,685 vehicle owners and their vehicles. The missing information consisted of the owner's name and address and details of the vehicle, including its make, model, colour, registration and chassis number.

The data, which was contained on two CDs, was being sent from the DVA in Coleraine to the DVLA (Driver and Vehicle Licensing Agency) in Swansea in response to vehicle manufacturers needing to contact owners about potential faults with vehicles. The CDs went missing in transit after being sent via a Parcelforce Worldwide tracked courier service.

Kelly said part of the problem lay in the fact that the DVA and DVLA have separate databases. She said, to improve data transfer in future, the databases of the DVA and the DVLA in Swansea would be merged, procedures would be put in place for sending data via secure electronic transfer and data transfer by tape between the two offices would cease.

Tom Espiner writes for ZDNet.co.uk
