Privacy chief notified of 94 data breaches since HMRC debacle

The Information Commissioner has been notified of almost 100 data breaches by public and private sector organisations since the loss of 25 million people's details by HM Revenue and Customs last November, according to figures released yesterday.

Half of the 28 private sector security breaches were by financial services companies.

The problem of lost personal information gained prominence in the aftermath of HMRC's loss of two discs containing the entire register of people claiming child benefit last year. The information on the discs included the names, addresses and banking details of 25 million people, leading to widespread fears of identity theft.

Since then, though, organisations in the public, private and charity sectors have all lost data in circumstances that led to them being reported to the Information Commissioner's Office (ICO).

"It is particularly disappointing that the HMRC breaches have not prevented other unacceptable security breaches from occurring," said Information Commissioner Richard Thomas. "The government, banks and other organisations need to regain the public’s trust by being far more careful with people’s personal information."

The cases which have been reported to the ICO include the loss of whole computers, USB memory sticks containing data and computer discs containing unencrypted data. Paper records have also gone missing, and the information on all these formats has included financial records, health records and other personal information.

Information has been stolen, but it has also been lost in transit, either by post or with courier services.

So far, information has been recovered in only three of these cases. In 16 of them the ICO has ordered a change to data management processes, including ordering the encryption of data in the future.

Of the 62 breaches in the public sector, a third involved central government and its agencies and a fifth involved the NHS.

The ICO has published new guidance on how to deal with data security breaches.

"Once again I urge business and public sector leaders to make data protection a priority in their organisation," said Thomas. "The level of understanding about data protection and the need to safeguard people’s personal information have no doubt increased and I am encouraged that more chief executives and permanent secretaries appear to be taking data protection more seriously, but the evidence shows that more must be done to eradicate inexcusable security breaches."

Most US states have security breach notification laws, and a significant number of breaches have come to light because of those laws. At present, however, there is no general requirement to notify security breaches in the EU.

The European Commission announced plans last year to introduce such a requirement for telecoms companies. Earlier this month the privacy watchdog for EU institutions, the European Data Protection Supervisor (EDPS), called for that proposal to extend to banks, businesses and medical bodies.