On the case - January 2008
Is it time for data breaches to go public?
Fact: in November 2007 Her Majesty’s Revenue and Customs department admitted losing two discs with 25 million sensitive personal records on them while in transit to another government department. The data was not just financial but related to children and their parents and guardians; it is hard to imagine a more emotive data breach. Things were not improved when it took over two weeks for the breach to be made public and longer still for the individuals affected to receive advice and an apology from the Government.
There was a mixed bag of reactions to what has to be one of the most significant (known) breaches of the UK’s Data Protection Act. The UK’s popular press grabbed the story with glee and pummeled the government for having dual standards by imposing restrictive data protection legislation on the private sector while apparently being cavalier with the records of just about every parent and child in the country.
The Information Commissioner did not mince his words: “This is an extremely serious and disturbing security breach. This is not the first time that we have been made aware of breaches at the HM Revenue and Customs – we are already investigating two other breaches. Incidents like these illustrate that any system is only as good as its weakest link. The alarm bells must now ring in every organisation about the risks of not protecting people’s personal information properly. As I highlighted earlier this year, it is imperative that organisations earn public trust and confidence by addressing security and other data protection safeguards with the utmost vigour.”
The direct marketing industry was split.
Many operators breathed a sigh of relief that the breach – and the inevitable scrutiny that will follow – was at the government’s rather than the industry’s door for a change. Others were less sanguine, seeing that the impact of such a public (and wide-ranging) breach would be to make individuals more concerned about allowing their data to be used by any organisation.
And the word on the street certainly corroborated that view. Overnight, consumer awareness of data protection legislation soared and there were plenty of instant experts pontificating about data abuse. Inevitably, this will all have an impact on customer behaviour and registration levels in the future. The cynics might say it is a miracle that we found out about this breach at all. Unlike many US states, the UK does not have a law which requires notification of data breaches . . . yet.