Privacy Commissioner of Canada - blog.privcom.gc.ca

A complete and utter failure

Posted on November 21st, 2007 by Colin McKay

When privacy advocates try to imagine their idea of the worst possible data breach, I doubt they could think up this catastrophe.

Last month, a British government agency, Her Majesty’s Revenue and Customs, lost a copy of the records for over 7 million families, or 25 million individuals, who receive child benefits. Diskettes with the records were apparently sent by in-house courier across London - breaking departmental standards - and were never received.

The diskettes included a trove of information, including names, addresses and dates-of-birth of the children, and their national insurance numbers. Some of the records may have included the bank details of parents claiming child benefits.

As a result, Paul Gray, the chairman of HM Revenue and Customs, resigned.

It appears several HMRC protocols were broken:

* the data records, while password protected, should not have been shared in the format used;
* when the data was shipped, no record was made of its departure, and no proof was required of its delivery; and
* senior management was not informed of the loss for another three weeks.

The impact - even if the records are found to have been simply misplaced and their delivery unrecorded in some sub-office - has been profound.

Child benefit recipients are having their accounts monitored for signs of fraud. Financial institutions across the country have had to begin reconstructing transactions completed since the data breach to make sure fraud hasn’t already taken place.
This is a costly and time-consuming exercise.

The sheer scale of the data lost is staggering. The fact that a junior official apparently had access to this information is disturbing - but that official’s apparent disregard for the security of such a vulnerable population is shattering.

The message for governments everywhere is clear: even in an organization clearly aware of the sensitivity of its data holdings, even with management dedicated to organizational efficiency and responsibility, the security of vital personal data cannot be taken for granted.

A failure of apparently rote safeguards, process or procedure can have potentially devastating consequences: for vulnerable populations, for their families, for civil servants, and possibly for governments.

This entry was posted on Wednesday, November 21st, 2007 at 11:50 am and is filed under Identity Theft, Privacy Breach, Public Organizations.

2 Responses to “A complete and utter failure”

1. Law links for 2007-11-22 « ideas Revolutionary Says:
   November 22nd, 2007 at 2:10 pm
   [...] A complete and utter failure - “Last month, a British government agency, Her Majesty’s Revenue and Customs, lost a copy of the records for over 7 million families, or 25 million individuals, who receive child benefits.” [...]

2. Cory Says:
   December 16th, 2007 at 12:16 pm
   I would like to know where someone can access information or to talk to someone via email as well about privacy in organizations run by unions. The provincial law does not cover the privacy of individuals who work in a nonprofit union run organization. I would appreciate any assistance I can get.
Date Modified: 2007-11-21