1. On 20 November 2007, the Chancellor of the Exchequer revealed in Parliament that HM Revenue and Customs had lost personal data, including bank account details, relating to families in receipt of child benefit, affecting around 25 million people in total.[1] Disks containing the information had been sent by courier to the National Audit Office on 18 October 2007, in response to a routine audit request. Far more information had been sent than had been requested and, although the information the disks contained was password-protected, the disks were not sent by registered or recorded delivery. The disks have not been found.

2. Since the Chancellor's statement in November a number of other major lapses in data protection for which the Government is responsible have come to light, including:

• The disappearance from a 'secure facility' in Iowa managed by a contractor to the Driving Standards Agency of a hard drive containing records of more than 3 million candidates for the driving theory test;[2]
• The loss of two disks in transit from the Driver and Vehicle Agency in Northern Ireland to the Driver and Vehicle Licensing Agency in Swansea, containing the unencrypted details of 7,500 vehicles and the names and addresses of their owners;[3]
• The theft of a Ministry of Defence laptop containing personal information relating to around 600,000 people, most of whom had expressed an interest in joining the Royal Navy, Royal Marines or the Royal Air Force.[4]

The Information Commissioner referred to "34 incidents that have been reported to us in the last 12 months".[5]

3. The Data Protection Act 1998 sets out a number of principles to guide the collection, processing and use of personal data by both public and private sector organisations. Responsibility for promoting and enforcing the Data Protection Act and the Freedom of Information Act 2000 rests with the Information Commissioner's Office. Speaking on Radio 4, on 21 November, Richard Thomas, the Information Commissioner, described the loss of child benefit data as "shocking" and "almost certain" to be in breach of the Data Protection Act.

4. The Human Rights Act safeguards the right to respect for private life, including the right to respect for personal information, under Article 8 of the European Convention on Human Rights (ECHR). Lapses in data protection by public sector bodies may also contravene the Human Rights Act. In our legislative scrutiny work we consider every Government bill introduced into Parliament and in recent years we have noticed a marked increase in the number of provisions in Government bills which authorise the sharing of personal information, both within the public sector and between the public and the private sectors. We have repeatedly expressed concerns, from a human rights standpoint, about the adequacy of the safeguards accompanying such wide powers to share personal information, but these have, for the most part, been rejected by the Government.[6]

5. On 25 October 2007, the Prime Minister announced that the Information Commissioner and Dr Mark Walport, Director of the Wellcome Trust, would review the use and sharing of personal information in the public and private sectors, in particular focusing on the adequacy of the current legislative framework.[7] Mr Thomas and Dr Walport published their consultation paper on 12 December 2007.[8] A report on the loss of child benefit data by Kieran Poynter is currently being considered by Ministers and the Cabinet Secretary, Sir Gus O'Donnell, is overseeing a review of data handling procedures in Government.[9]

6. The Commons Justice Committee published a report on the protection of private data on 3 January 2008 and a number of other select committees have taken oral evidence on the loss of child benefit data.[10]

7. We heard oral evidence from Michael Wills MP on 26 November 2007 and took the opportunity to ask him about the loss of child benefit data, both in his capacity as human rights minister and in his role as minister for data sharing and data protection.[11] We also heard oral evidence from the Information Commissioner on 14 January 2008. In addition, we received a small amount of written evidence. We are grateful to all our witnesses for the evidence we received. We have decided to pull together some of the themes which have emerged from our legislative scrutiny work with the points that were raised in oral evidence, in particular to highlight that data protection is a human rights issue.

2   HC Deb, 17 Dec 07, cc624-26. Back

3   HC Deb, 17 Dec 07, cc624-26 and BBC News Online, 11 Dec 07. Back

4   HC Deb, 21 Jan 08, cc1225-27. Back

5   Q122. Back

6   See table 1 below. Back

7   Prime Minister's speech on liberty at the University of Westminster on 25 October 2007. Back

8   A consultation paper on the use and sharing of personal information in the public and private sectors, Data Sharing Review, Dec 07. Back

9   Appendix 3; HC Deb, 17 Dec 07, cc612-13; Data Handling Procedures in Government: Interim Progress Report, Cabinet Office, Dec 07. Back

10   Justice Committee, First Report, Session 2007-08, Protection of Private Data, HC 154; Treasury Committee, Minutes of Evidence, HM Revenue and Customs: Administration and Expenditure in 2006-07, HC 57-iii; Public Accounts Committee, Minutes of Evidence, Loss of Data by HM Revenue and Customs, HC 200-i. Also see Home Affairs Committee, Minutes of Evidence, Identity Cards: Data Security Issue, HC 365-i.  Back

11   See paragraph 22 below. Back