Council staff making "serious security breaches" of key government database
DWP admits 33 people accessed Customer Information System - containing 75 million citizen records - without justification
DWP: CIS security system is working
Staff at 30 local authorities have made "serious security breaches" of a government database that will form a key part of the National Identity Scheme.
The breaches of the Department for Work and Pensions (DWP) Customer Information System (CIS), which will store biographical data about citizens carrying identity cards, have been occurring since 2006.
The DWP said in a statement that routine checks had unearthed the security breaches.
"To date, since August 2006, 33 local authority staff have been confirmed as accessing records without business justification," it said.
The persistence of the breaches prompted the DWP to warn local authorities (LAs) in January that it might prosecute staff found to be accessing the CIS illegally if the councils did not take action themselves.
"Regrettably checks have identified some LA staff are committing serious security breaches," the DWP said in its Housing Benefit and Council Tax Benefit General Information Bulletin dated 15 January.
"DWP will support your LA to ensure appropriate disciplinary or prosecution action is taken, and may consider prosecuting directly under social security legislation."
The department said the breaches were all "view only" accesses of personal information stored in CIS records "where there was no 'business justification' for the access".
The Identity and Passport Service said in December 2006 it planned to build its identity systems around the DWP's CIS database.
The system is to be an integral part of the National Identity Scheme through cross-departmental data sharing of the type the government is trying to make more permissible by changes to data protection law in the Coroners and Justice Bill.
CIS contains a record of everyone in Britain who has a national insurance number and is the overarching DWP database, containing 73 million records. Since July 2008 it has also included access to HM Revenue and Customs’ tax credit data.
The DWP said the CIS breaches were few and this demonstrated how secure its systems are.
"The small number of breaches shows that the CIS security system is working and is protected by several different audit and monitoring controls, which actively manage and report attempts at unauthorised or inappropriate access," it said.
Paul Davidson, chief information officer at Sedgemoor District Council, who advises central government and council bodies on data governance, said: "The DWP has a track of all accesses to CIS records so they know which person is accessing which record and when. I believe that as somebody is accessing that system they have to say why they are doing that."
On 10 July 2008 Meg Hillier, the Home Office's under-secretary of state for identity, said in a parliamentary written answer: "The National Identity Register will be highly protected - to the same level as some military databases".