UK government loses personal information of 25 million people

November 20, 2007 British Chancellor of the Exchequer Alistair Darling announced to a shocked House of Commons today that two password-protected — but not encrypted — computer disks containing the entire Child Benefit database have been lost in transit between the offices of Her Majesty's Revenue and Customs (HMRC) in Washington, Tyne & Wear and the National Audit Office (NAO) in London, in what has been described as "one of the world’s biggest ID protection failures".

The database contains details of all families in the UK who receive Child Benefit — all families with children up to 16 years of age, plus those with children up to 20 years old if they are in full-time education or training — estimated to contain 25 million individuals in 7.25 million families. Among other items of information, the database contains names, addresses, dates of birth, child benefit and National Insurance numbers, and where appropriate, bank or building society account details.

The discs were created by a junior official at the HMRC in response to a request for information by the NAO, and were sent unregistered and unrecorded on 18 October using the courier company TNT — which operates the HMRC's internal mail system. When it was found that the discs had not arrived for audit at the NAO, a further copy of this data was made and sent — this time by registered mail — and this package did arrive. HMRC were not informed that the original discs had been lost until 8 November, and Darling himself was informed on 10 November.

The violation of data protection laws involved in the creation of the discs has led to strong attacks on the government's competence to establish the proposed National Identity Register, when all UK residents will have an identity card. Conservative Shadow Chancellor George Osborne described the loss of data as "catastrophic" and said "They [the government] simply cannot be trusted with people's personal information".

The Chairman of HMRC, Paul Gray, has resigned over the affair, and critics are calling for Darling to do likewise.

This is the third data embarrassment for HMRC in recent weeks — earlier this month it was reported that the details of over 15,000 Standard Life customers had been put on disk, and then lost en route from HMRC in Newcastle to Standard Life in Edinburgh — and last month a laptop containing the data of 400 people with high-value ISAs was stolen from the boot of a car belonging to a HMRC official who had been carrying out a routine audit.