Privacy & Information Security Law Blog

On May 28, 2010, the UK Information Commissioner’s Office issued a press release stating that it has been notified of more than 1,000 data security breaches since it began keeping records in late 2007.  There is no mandatory reporting requirement in the UK, so the actual number of breaches is likely to be significantly higher.  The ICO’s press release notes that the majority of breaches occur as a result of human or technical errors, such as employees improperly disclosing data to third parties or automated machines sending out letters to the wrong addresses.

The press release was published just a few days after Her Majesty’s Revenue and Customs (“HMRC”) mistakenly sent confidential information containing the private financial details of up to 50,000 people who claim tax credits to the wrong claimants.  The breach resulted in claimants receiving highly sensitive information including bank details, National Insurance numbers and earnings of other claimants, in addition to their own annual award notice.  A spokesperson for HMRC said that “the error occurred in one of the tax credits print runs, causing some customer information to be wrongly formatted.”

Since the breach, HMRC has launched an investigation to identify why the error was overlooked.  HMRC was responsible for a serious data breach in 2007 when 25 million child benefit records, stored on two unencrypted CDs, were lost in the mail.  As a result of that incident, the ICO brought an enforcement action against HMRC.  It remains to be seen what action will follow this latest incident.