Over 600 staff at the U.K. HM Revenue and Customs agency have been disciplined or fired in a three year period after they accessed sensitive data without authorization.
Jane Kennedy, financial secretary to the Treasury, said the staff were either given a warning or were sacked following “inappropriate access to personal or sensitive data” between when HMRC replaced the Inland Revenue, in April 2005, and December last year. Many of the data breaches resulted in dismissal, she said.
HMRC had a “strict policy” in place to prevent staff from accessing citizen records unless there was a legitimate need, Kennedy explained. “Breaches of this policy are taken seriously and any breach will result in the commencement of disciplinary proceedings.”
HMRC discussed 11 data security incidents with the Information Commissioner during the period.
Kennedy said that HMRC now has more stringent controls in place, ensuring that transfers on bulk data on removable devices would only take place when there was “adequate security protection.”
Last November, HMRC lost 25 million child benefit records and a CD containing 15,000 names, national insurance numbers and dates of birth of thousands of holders of Standard Life pensions.
In March this year, HMRC was named ‘Internet Villain’ of the year by the Internet Services Providers’ Association (ISPA).
The House of Lords this week backed an amendment to the Criminal Justice and Immigration Bill, meaning losing personal data may soon become a criminal offence.