Firms woken up by HMRC breach, says ICO

Data watchdog, the Information Commissioner, says that the HMRC breach could have a positive outcome

The fallout from the HMRC fiasco could turn out to be positive for security in the UK after the Information Commissioner, Richard Thomas, reported that organisations have gone to his office with questions about security processes in the wake of the massive data breach.

During a House of Commons Justice Committee meeting this week on data privacy issues, Thomas said, “A number of organisations, both public and private sector have come to me saying they think they have found a problem …[and] bringing to our attention problems they have with security inside their own organisations.”

He added: “None appear to be on anything like the same scale as anything like that involving the HMRC, but there is certainly more to come out of the wash as we move forward. This incident has been a massive wake-up call to the very top of organisations … who are at long last asking questions to make sure that proper arrangements are in place. If they are not being given the reassurances that they require where problems come to light, they are starting to share those with us and take remedial action. Already there are some signs of projects being put on hold, or that a freeze is put on a transfer of data.”

Thomas also said there had been a “tripartite arrangement” between auditor PricewaterhouseCoopers, the Independent Police Complaints Commission (IPCC) and his own office, to ensure “sensible coordination” between the three groups over data privacy matters. PricewaterhouseCoopers is currently undertaking a review of the HMRC breach.

Malcolm Etchells, managing director of email monitoring vendor Waterford Technologies, argued that the ICO should be looking for ways to encourage firms to comply with the Data Protection Act (DPA) and implement best practices, rather than seeking greater punitive powers.

"There's no problem with enforcing the law where criminality is suspected but I'd argue that most firms do their best efforts to comply," he added. "Instead of the 'stick' approach of frequent audits, they should maybe think about awarding firms for the best DPA compliance or best practices implementation."

He added that any spot checks should be focused initially on firms which handle a high volume of public data, such as telemarketing firms, rather than on private businesses which handle mainly employee data.