News
People whose personal details are logged on data discs lost by HM Revenue & Customs (HMRC) may be able to sue the government for damages if their details are misused, experts say.
However, says James Mullock, partner at Osborne Clarke, UK laws do not lend themselves to large damages being paid out.
He says: “The Data Protection Act requires damage and distress to be shown to have directly resulted from a breach. The claim would be for a breach of the Act’s 7th principle (use of appropriate technical and organisational measures). A claim in negligence would also be a possibility.”
What is highly likely, says Mullock, is that the Information Commissioner’s Office (ICO) will take action against HMRC—which lost two discs containing names, addresses, bank details and national insurance numbers of child benefit claimants.
“The tack the ICO has taken recently is to require organisations which have breached the Act to sign undertakings stating that they will take steps to reduce the impact of the breach and to prevent a repeat event, thereby giving the regulator the ability to bring a claim for breach of undertaking and for breach of the Act if measures are not adopted,” he says.
Describing the security breach as “extremely serious and disturbing”, the information commissioner, Richard Thomas, confirms that his office is already investigating two other breaches by HMRC.
He says the Chancellor has announced an independent review of the matter by PricewaterhouseCoopers, and a full report will be given to the ICO.
“We will then decide what further action may be appropriate. Searching questions need to be answered about systems, procedures and human error inside both HMRC and the National Audit Office,” says Thomas.
