Tougher criminal penalties for data security breaches are being urged by a committee of MPs as incidents where the government or contractors have lost people’s personal data continue to come to light.
The Commons justice committee also called for a package of measures to give the information commissioner new enforcement powers following a snap parliamentary inquiry called after the HM Revenue and Customs data loss fiasco.
In its report, the MPs said they were “extremely concerned” more cases of data loss by government bodies or contractors were still emerging. These include breaches at NHS trusts and the loss of three million drivers’ records by the Driver Vehicle Licensing Authority.
“There is evidence of a widespread problem within government relating to establishing systems for data protection and operating them adequately,” the report says.
The Justice committee called for new reporting requirements forcing companies to report losses of data and new laws making significant security breaches — where reckless or repeated — a criminal offence.
The call follows the publication of a Cabinet Office report last month, which proposed that government officials could face jail if they were found to be grossly negligent in any failure to protect citizens’ data.
The MPs also demanded swift implementation of new powers for the information commissioner to carry out unannounced data security spot checks and a boost to the data watchdog’s level of resources.
Committee chair Alan Beith MP said: “The scale of the data loss by government bodies and contractors is truly shocking but the evidence we have had points to further hidden problems.”
It was “frankly incredible” that immediate measures put in place by HMRC after the massive data breach, such as encryption of any data to be transferred, were not already in place, he added.
The MPs also sounded a warning note over the government’s controversial ID cards scheme and the ContactPoint database of children’s details. “There must be a sensible balance between achieving the advantages which data sharing will provide and minimizing the risks inherent in maintaining large databases to which a wide range of officials and others can gain access,” the report says.
The committee also noted that concerns over data security were raised two years ago by Mark Walport — now heading a review of data protection ordered by Prime Minister Gordon Brown — in a report commissioned for Brown’s predecessor Tony Blair.
Walport’s November 2005 report urged government departments to “streamline data protection protocols” and improve security in the context of data sharing. His report predicted that unauthorized use of personal data would “damage [the] Government’s reputation — with political ramifications”, the MPs pointed out.