ICO to take action against HMRC, MoD for breaches

The Information Commissioner's Office will be taking "formal enforcement action" against both HM Revenue and Customs (HMRC) and the Ministry of Defence (MoD).

Major reports released today detailed the institutional failures which led to the loss of 25 million records by HMRC last year, while the MoD was caught out on lost laptops.

Information Commissioner Richard Thomas said: "I will be taking formal enforcement action against HMRC and MOD following the serious data breaches that have occurred."

He said that both departments clearly broke data protection requirements and that the ICO will be serving formal enforcement notices requiring them to meet the recommendations made in the reports. HMRC has already started doing so for one of the reports.

Thomas said the watchdog would monitor the situation closely and require annual progress reports for the next three years. He stressed that failure to comply with an enforcement notice is a criminal offence.

He called on all chief executives to learn from the mistakes at HMRC and MoD. "It is of fundamental importance that lessons are learned from these breaches. Information security and other aspects of data protection must be taken a great deal more seriously by those in charge of organisations. No chief executive can now say that data protection doesn't matter."

He continued: "Whilst these breaches have been highly publicised and involve big numbers, sadly they are not isolated cases. It is deeply worrying that many other incidents have been reported, some involving even more sensitive data."

Earlier this year, the ICO said that 94 major data breaches had occurred in the six months following the HMRC debacle.