LONDON – The Information Commissioner has slammed the U.K. government for creating too many large-scale databases, without “sufficient openness, transparency or public debate.”
On a dark day for the government’s data handling, Richard Thomas simultaneously served enforcement notices on the Revenue and Customs department for its loss of two discs containing 25 million records, and on the Ministry of Defence for losing a laptop containing the details of up to 600,000 recruits.
The news comes days after Thomas called for increased powers and better resources.
Thomas criticised government plans to launch a database of all calls and e-mails made in the U.K. as “a step too far” that would raise serious data protection concerns. When news emerged in May of the planned database, a number of figures in the IT industry told Computerworld UK they felt the move would be a mistake.
He said he understood the need for tracking the communications of terrorist suspects. But at the launch of the ICO’s annual report, he added “there needs to be the fullest public debate about the justification for, and implications of” the database. Thomas said he “welcomed” the Home Affairs Committee’s report that urged the government to stop creating large databases on citizens without first proving they are necessary. “Sadly, there have been too many developments where there has not been sufficient openness, transparency or public debate,” he said.
Meanwhile, Thomas served enforcement notices on HM Revenue & Customs and on the Ministry of Defence. The two government departments will have to provide regular progress reports on their compliance, and any failure to comply with the notice is a criminal offense, the ICO said.
In the enforcement notice on HMRC, Richard Thomas said “the personal data processed on the missing compact discs were excessive for the purpose for which they were processed.” HMRC had also “failed to take appropriate measures to ensure the security of its data,” he said. HMRC now has three years to fully comply with the Poynter Report, he said.
The Ministry of Defence was served an enforcement notice in which Thomas said that, as with HMRC, the data stolen was excessive for the medium it was on, and that not enough measures had been taken to ensure security.
The MoD has until 2009 to comply with the recommendations of the Burton Report, and must report to the Information Commissioner every three months on progress.