Data Protection and the HMRC Fiasco

November 22, 2007

We asked a number of data protection experts for comment on the controversial loss of disks with details of 25 million individuals. The overwhelming reaction was that it was proof positive that greater care is needed and that a deeply ingrained cultural shift may be required in many organisations.

Information Commissioner, Richard Thomas, who described the latest breach as ‘extremely serious and disturbing’ said that ‘it is imperative that organisations earn public trust by addressing security and other data protection safeguards’.

Simon Morrisey of Lewis Silkin commented:

‘It is a breach of the Data Protection Act for the government to have sent the disks in this way. This is because the Act requires persons using data to use appropriate technical measures to safeguard the security of personal data. The Act does not identify what would be appropriate in any given situation. However, sensitive personal data, for example data relating to a person’s health or race, would require a higher standard of security. In addition, it would also be relevant to ascertain what harm might flow if a person’s data became freely available. In this case, the data included details of people’s bank accounts and, in that situation, it would be very difficult to argue that an appropriate level of protection did not include encryption.’

He speculated on what technology might be used to get 7.5m records on to two disks?
‘It depends on the type of program and disk – CD or DVD – that HMRC were using to transfer the information. It is likely to be a DVD as a CD can only hold 620MB whereas a single layer DVD can hold 4.7GB and a dual layer DVD can hold 8.5GB.
1GB of capacity can hold around 1,000 novels of around 100,000 words each in an uncompressed format.  A dual layer DVD can hold 8,500 novels of 100,000 words each before compression. When compressed the capacity rises by between 20 and 30 percent which means that depending on how big each person’s record was, the technology available would have no difficulty in accommodating 25 million people’s records.’
Simon Morisey was also asked to comment on whether this technology should be used by the government going forward? How good is the encryption that might have been used – wouldn’t that have been cracked within minutes anyway?
‘The government has announced that whilst the disks were password protected the data contained on them was not encrypted. This means that if it falls into the hands of criminals, once they have found the password to the disk, they have access to the information. There are programs easily available on the internet whose sole purpose is to identify passwords.
‘Typically encryption used on the internet for secure payments uses 128 bit encryption. As an example, on a very powerful computer a 58 bit encryption programme would take around four weeks to crack and each additional bit would take a further two weeks. As such it would take over two years to crack the algorithm.‘

Laurence Kaye of Laurence Kaye Solicitors in his blog ( identifies three key problems which give rise to these sorts of difficulties:

‘Arcane nature of data protection law and terminology: Terms such as “Data Controller”, “Data Subject”, “Structured Filing Systems” and even the term “data protection”make the subject sound technical and more concerned with the protection of the data itself rather than that of citizen’s privacy. The language of the law needs to be simplified and demystified.
Lack of teeth: Penalties for non-compliance are derisory and the Information Commissioner lacks a number of key enforcement powers, including the right to enter premises to inspect where serious breaches are suspected.
The value of information: For many online businesses, its customer database is one of its most valuable assets. In co-branding deals, joint ventures and other online deals, the contracts will talk about ownership of that data and the parties’ rights to use it.  So there is an inherent tension between the ownership and exploitable value of customer data on the one hand and the privacy rights of those customer on the other. This is not an irreconcilable conflict. It can – and should – be dealt with contractually, through privacy policies and proper data protection compliance policies.’

There was practical advice too from Maragaret Tofalides of Addleshaw Goddard:

‘The victims of such data losses are likely to contact the organisations concerned and it is important that such organisations have a strategy for dealing with such enquiries in a way that re-builds confidence.
Individuals who fear they may have been a victim of identity theft, resulting from such data breaches, may wish to check their credit file to see if any unusual applications for credit have been made, or debts accrued.  Everyone has the legal right to obtain a copy of their credit file, from any credit reference agency (‘CRA’), on payment of the statutory fee of £2.
The CRAs also provide on-line credit monitoring services which will provide those signed up to the service with a notification whenever an application is made for credit in their name.  Concerned individuals may also wish to register with fraud prevention agencies such as CIFAS to put additional security checks in place.’


Richard Stone has written a short article, advocating that the UK follows the USA’s lead in this area: click here to view it.