On 15 November 2007, Alistair Darling stood before the House of Commons and confessed that HMRC had lost two CDs containing its entire data set relating to child benefit claimants. The disks contained details of 25 million individuals including names, addresses and bank details. It has been claimed the disks are worth up to £1.5 billion to criminals.
HMRC’s loss was the latest in a succession of data losses by both public bodies and companies, including Nationwide and Standard Life. As a consequence, Parliament asked the Justice Committee to prepare a report on data protection. The Justice Committee published its report on 3 January 2008.
Though the report contains no specific recommendations, the Committee recognises that urgent action is required of the legislature in relation to data protection. Such action is likely to include changes to the existing data protection law – primarily, the Data Protection Act 1998 (“DPA”). The Committee recognises that it may be necessary to introduce:
- new reporting requirements whereby an organisation would be required to notify the Information Commissioner's Office if it breached the DPA;
- a new criminal offence for repeated or reckless breaches of the DPA; and
- increased enforcement powers for the Information Commissioner – this may include the right to perform spot-checks to ensure compliance with the DPA.
Measures that organisations may wish to take to stay within the existing legislation include:
- notify the ICO at the earliest opportunity that they collect personal data – the notification fee is £35 pa;
- introduce and enforce coherent data protection and privacy policies;
- collect and retain the bare minimum amount of data;
- restrict access to data;
- encrypt and anonymise data, where possible; and
- perform regular reviews of data protection measures, particularly in light of any technological advances.
In an age of ever-increasing information, it is certain that data protection will remain high on both the political and legal agendas. Organisations that collect personal data must take their obligations in relation to data protection seriously.