HM Revenue & Customs’ (HMRC’s) loss of CDs containing child benefit records for 25 million people, including the bank details of 7.25 million families, is the worst data security breach in UK history.
Chancellor Alistair Darling admitted in his parliamentary statement that the situation represents an “extremely serious failure by HMRC in their responsibility to the public”.
But the furore is also emblematic of the need for widespread change in our approach to personal information, not just in government, but in the commercial sector and in society as a whole.
The chancellor was keen to emphasise that when a junior official copied the child benefit database onto CDs and sent the unencrypted data through the post, the department’s data-handling procedures had not been followed.
But the events still illustrate woefully inadequate data protection safeguards.
“Classic risk management strategy is to plan around the worst scenario rather than everyone following procedure,” said Eric Woods, government practice director at analyst Ovum.
HMRC violated three basic principles of good practice.
First, information should be encrypted when downloaded to any kind of portable media.
Second, the data should be anonymised, so that it cannot be linked with its owner.
Third, information should only be accessible by relevant personnel, with multiple sign-offs needed by junior staff members.
On the last point, there is continued debate, with the National Audit Office claiming the downloads were signed off by senior civil servants at HMRC.
But beyond political in-fighting and the short-term blame game is a far more significant problem.
Not only is the current fiasco the third breach at HMRC in as many months, the likelihood of such incidents is only increasing as the amount of data held by organisations of all kinds grows exponentially.
The National Identity Register and NHS IT programme are creating vast new data banks. The UK’s four million-record DNA database is already the biggest in the world. And private sector companies are increasing the amount of information they hold at an equally precipitous rate, particularly supermarkets, credit agencies and financial services providers.
Keeping control of such enormous amounts of data is not easy, according to Richard Hackworth, former chief information security officer at HSBC.
“You can apply access controls of a kind that were not in use at HMRC and make sure the data is encrypted,” he said.
“But if lots of people need to get to the information, that becomes irrelevant.”
There is a balance to be struck. And good practice must be cultural, not just technical.
“The controls to manage data have to be everywhere,” said Hackworth.
“Right now there is not the technology to do this so ultimately it is a management issue. You have to educate people,” he said.
Instigating the necessary cultural change is crucial for both the public and private sectors, according to the information commissioner, Richard Thomas.
“Alarm bells must ring in every boardroom,” he said. “It is imperative that all organisations take the protection of individuals’ information more seriously.”
Thomas insists that changes to the law will help reinforce the message that personal data is a valuable commodity.
The general public needs little convincing.
Nine out of 10 people regard the safety of their information as a more pressing social concern than the NHS, national security issues or the environment, according to a recent survey by the Information Commissioner’s Office.
The issue is that the government considers public information to be state property, according to David Murakami-Wood, a surveillance expert at Newcastle University.
“People need to realise that their information is an asset that belongs to them and not the government,” he said.
Technology needs to catch up with itself. It can collect and manipulate masses of records, but not necessarily protect them in sufficiently flexible ways.
But progress is being made, according to European Commission head of IT security research Jacques Bus.
“There are some privacy-enhancing technologies being developed that will mean a person’s personal data can’t be accessed by a new organisation unless that person gives personal confirmation, giving control back to the public,” he said.
Additional reporting by Sarah Arnott

