In a statement to Parliament at 3.30pm today, Chancellor Alistair Darling blamed a breach of procedures by junior staff at HMRC. Paul Gray, chairman of HMRC, has resigned over the incident.
According to the BBC, two password-protected discs containing the data were sent to the NAO in October. The package was not sent by recorded delivery and it appears that it never arrived at its destination. A further package, sent by recorded delivery, did arrive. Darling acknowledged that it is "highly likely" that a breach of the Data Protection Act has occurred.
Information Commissioner Richard Thomas described the incident as "an extremely serious and disturbing security breach."
"This is not the first time that we have been made aware of breaches at the HM Revenue and Customs – we are already investigating two other breaches," he said. "Incidents like these illustrate that any system is only as good as its weakest link."
The Information Commissioner has not been charged with reviewing the breach, though. That job has gone to consultants PricewaterhouseCoopers. The Chancellor said that PwC's report will be made available to the Information Commissioner's Office (ICO) and the ICO will then decide what further action may be appropriate.
"Searching questions need to be answered about systems, procedures and human error inside both HMRC and NAO," said the Commissioner.
Rosemary Jay, a partner at Pinsent Masons, the law firm behind OUT-LAW.COM, said the problem is not just about losing a disc. "You should not have a system where junior staff can copy so much vital data onto a disc. Even if the data had reached the NAO safely that alone suggests that there would have been a breach of the Data Protection Act."
"It suggests that an understanding of the importance of personal data has not gone through the organisation," she said. "It also raises questions about the NAO. Were they used to getting data in this way? Was there no procedure for the secure transfer of files between them?"
While the discs were reported to be password protected, there was no suggestion that the data itself was encrypted. The distinction matters: a password on a file or archive only controls access through the application that opens it, and if the underlying data is stored in the clear, anyone holding the disc can read it without the password. When asked, HMRC told OUT-LAW that it could not comment because an inquiry is ongoing.
Jay said the incident may put more pressure on the Government to introduce a security breach notification law of a kind that exists in most US states. The loss of the discs was reported to Darling on 10th November. The matter was only reported to police four days later. The public announcement came today (20th November).
A data breach notification law was recommended in a recent report by the House of Lords' Science and Technology Committee. Last month the Government responded (16-page / 90KB PDF) that it was "not so convinced as the Committee that this would immediately lead to an improvement in performance by business in regard to protecting personal information and we do not see that it would have any significant impact on other elements of personal internet safety."
The Government said it would "continue to observe the US experience and consider whether we need to find more formal ways of ensuring that companies do – as a matter of routine – contact the Office of the Information Commissioner when problems arise."