UPDATE: 29.01.15 The BBC now reports that files relating to the role of the police in the deaths of two other members of the public have apparently been “lost in the post”. This starts to look very serious. END UPDATE
I once heard a rumour that the famous lost HMRC disks of 2007 were not in fact lost after all: the person tasked with posting the disks had, so the rumour went, forgotten to do so, and when the intended recipient, the National Audit Office, had complained, had used the time-honoured excuse “they must be lost in the post”, thinking that this was better than owning up, and that no one would be particularly bothered. I have no idea whether this is true (quite possibly not – the subsequent Poynter report was comprehensive and might have been expected to flush something like that out) but what I think is interesting is that, even if it were, it would not have excused HMRC. The Data Protection Act 1998 (DPA) – which largely languished unloved at the time – requires (by virtue of the seventh principle in Schedule One) a data controller not to prevent specific instances of data loss, but, rather, to take appropriate organisational and technical measures to safeguard against such loss – a contravention of the Act lies in the failure to have these measures in place, not (necessarily) in the failure to prevent a specific incident. The fact that HMRC operated procedures which allowed the sending of huge and excessive amounts of sensitive personal data by post, without encryption measures being used, meant that HMRC were manifestly in contravention of the DPA.
Fast forward seven years or so to the present, and, we hear, the Ministry of Justice (MoJ) appear to have lost a highly sensitive computer disk in the post. The Mail on Sunday reports that
The Government has been hit by a new data security scandal after a secret file on the fatal shooting of Mark Duggan by police went missing.
A computer disk containing details of the case which triggered Britain’s worst riots in a generation is thought to have been lost in the post by the Ministry of Justice.
Details are, of course, relatively scant at the moment, but it is worth noting that there is no mention of whether the disk in question was encrypted. If it wasn’t, it would be extremely hard for the MoJ to argue that it was in compliance with its DPA obligations: the view of the Information Commissioner (ICO) is that
portable and mobile devices including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information.
where such losses occur and where encryption software has not been used to protect the data, regulatory action may be pursued.
The data protection regulatory landscape was very different in 2007, and the ICO did not then have powers to serve monetary penalty notices. A serious contravention of the DPA of a kind likely to cause substantial damage or substantial distress can now result in a “fine” of up to £500,000.
The ICO is, we are told, “examining the case”. He will, no doubt, be wanting to know not only about encryption measures, but, more simply, what procedures were in place which allowed such sensitive data to be sent by post. He will also, again no doubt, bear in mind that in recent years he has already served on the MoJ, in the last eighteen months, two monetary penalties totalling £320,000 for not dissimilar failures to have appropriate safeguards in place to protect sensitive personal data.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.