Updated: UK Chancellor discusses measures to prevent future data losses

New security measures for handling data unveiled in the House of Commons

Chancellor Alistair Darling has announced to the House of Commons new security measures which are intended to guard against repeats of the HM Revenue and Customs (HMRC) data loss.

Measures that HMRC have already put in place since the loss include a ban on the transfer of bulk data and on the download of data, unless there are adequate security measures in place, such as encryption. In addition HMRC will disable elements of its users' laptops to avoid the download of data to removable media.

The current HMRC chairman has proposed a “simpler organisational structure with clearer accountability” for the department. The proposals build on the Capability Review, a report announced in July 2006 that called for increased transparency in HMRC. A more transparent organisation will make these recommendations easier to implement, Darling pointed out.

Darling announced to the Commons that the Prime Minister has decided to create new sanctions under the Data Protection Act for serious breaches. This will ensure high levels of data security and data sharing practices are conducted with “legal certainty,” Darling said. “We will consult early in the New Year on how this can best be done,” Darling added. This builds on the spot checks the Prime Minister granted to the Information Commissioner last month.

However the opposition criticised the government, arguing that not enough was being done to establish systems and processes that need to be in place to prevent future data breaches. Industry commentators picked up on many of the opposition’s remarks.

Jamie Cowper, director of marketing at data protection expert PGP Corporation, said, “the real key to effective data protection is the managed enforcement and automation of security policies, because it’s unrealistic to expect civil servants to safeguard data simply on their own initiative.”

Criticism was also made surrounding the government’s transformational agenda, and the move to breakdown certain data sharing barriers between government departments. “The danger is that if there are not proper safeguards then it will compound the danger they are already experiencing,” said a spokesman for the opposition, echoing the frequent heard criticisms of the agenda.

Darling’s response was to reinforce the need to tighten procedures but to keep on with the agenda.

Responding to this, a Cabinet Office spokesman said: "Transformational Government is about improving people's lives, making it easier for citizens to access the services they need. Keeping personal information safe has always been at the heart of the Transformation strategy and we will use the findings of the reviews being carried out by the Cabinet Secretary and Keiran Poynter to strengthen our data security further."

However, the Foundation for Information Policy Research (FIPR), an independent body that studies the interaction between information technology and society, said “their refusal to abandon the headlong rush towards Transformational Government—the enormous centralised database being built to regulate every walk of life—is not just pig-headed but profoundly mistaken.”

FIPR pointed to a number of transformational government initiatives that show the government “putting all of the eggs into the one basket” and which are increasing the likelihood of an individual’s data going missing: the identity card scheme, the National Health Spine, ContactPoint and the universal pensioner’s bus pass scheme.

Ross Anderson, Chair of FIPR and Professor of Security Engineering at the University of Cambridge said the Government’s idea to build secure databases but allow hundreds of thousands of people access is “nonsense”.

“We just don't know how to build such systems and perhaps we never will,” said Anderson. “The correct way to design such systems is to localise the data, in a school, in your local GP practice,” Anderson added. “That way when there is a compromise because of a technical failure or a dishonest user then the damage is limited,” he added.

Once more, the Chancellor expressed his regret at the loss of the discs. “The loss of this data was extremely serious and should not have happened and again I apologise to everyone who has been affected.”