Data Disaster
The recent disaster at HM Revenue and Customs underlines the fact that data protection is still not being taken seriously by Government. And it’s not a failure of technology, it’s a failure of policy.
The loss of 25 million child benefit records by HMRC in November 2007, whilst the most serious data security incident ever recorded, is not the only problem to emerge in recent years. The UK Visa application system was revealed to allow applicants to see others’ details by simply changing a few digits in the website address. I could carry on reeling off examples, but it’s frankly embarrassing.
It’s not just the Government that’s irresponsible with personal data, although they’re by far the worst culprits. The discount chain TK Maxx lost millions of credit card numbers to hackers in December 2006 from its US parent company, which also raised the question of what the data on UK citizens was doing in the United States to start with. Any data exported to the US loses the protections that it has under UK law, and American companies can (and some do) move it around indiscriminately.
When businesses and organisations set up new systems that will store and process customer data, data protection should be integral to the system’s design. But all too often data protection is seen as a legal obstacle, not a technical one. Getting suppliers to sign data protection terms in contracts is not the solution – in the case of many of the public sector incidents, the supplier will have been well within their obligations, while the department that actually uses the system does so in a way that ends in disaster.
Surely the problem is obvious – these organisations are trying to solve data security with procedure, and procedure requires people to get things right all of the time, which they don’t.
So if we accept that people occasionally make cock-ups, and also accept that there are a lot of low-paid people working with public sector IT systems, and multiply the probability of any individual making an error by the number of people capable of making that error, it’s actually surprising that we don’t see this kind of thing happening all the time.
So what’s the best way to address this? Taking the two components of the problem individually, you could train all your staff to make it less likely that any one individual makes a mistake, or you could reduce the number of people who have the capability of making the mistake. Take the HMRC incident. It seems to be the case that a fairly junior member of IT staff, probably on a low salary, was able to download a complete copy of the child benefit database. It cannot make sense to train this person to a sufficiently high standard that you can rely on him not to make this mistake, because there will be tens of thousands of people requiring such training.
However, you could simply prevent that user from accessing the data in the first place. Make such a function only accessible to higher-level users, who are more highly paid, better trained, and fewer in number.
Better still, remove the feature entirely. Why should anyone need to download the entire dataset? If this needs to be done regularly, then you need to take a step back, work out what problem you’re solving with such a cavalier approach, and find a better way. In this case the National Audit Office wanted the data for audit purposes, and they request the same data on a regular basis. Why, then, is there not an automatic process built into the HMRC system that exports, compresses, encrypts and transmits the necessary data directly to the NAO each month?
What makes this incident even worse is that the NAO didn’t even want the sensitive data. They only wanted a subset of the database, but HMRC felt it was too expensive to process into the form requested.
In any large database system there is clearly a need for a very senior information security manager to have the ability to export complete datasets. Every other function should be proportionate to its objective, and taking the attitude that any member of IT staff can just fire and forget the entire database anywhere they like is not just irresponsible, it’s also illegal.
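As an added illustration of the design argued for above (not code from HMRC or any real system), the snippet below enforces the export policy in the system itself rather than in procedure: a junior role has no bulk-export capability, an automated monthly job may extract only the audit subset, and only the senior information-security role may export every field, with every attempt logged. The role names, the sample records and the field list are all constructed for the example; compression is shown, while encryption and transmission to the recipient are left outside it.

```python
import gzip
import json
from datetime import datetime, timezone

# Constructed sample records standing in for a benefit database (not real data).
RECORDS = [
    {"ni_number": "QQ123456A", "name": "A. Example", "address": "1 Test St",
     "bank_account": "12345678", "amount": 80.20},
    {"ni_number": "QQ654321B", "name": "B. Example", "address": "2 Test St",
     "bank_account": "87654321", "amount": 53.20},
]

# Export policy keyed by (hypothetical) role: the fields that role may export.
# Only the senior information-security role is granted the complete record.
ALL_FIELDS = frozenset(RECORDS[0])
EXPORT_POLICY = {
    "junior_it": frozenset(),                              # no bulk export at all
    "audit_transfer": frozenset({"ni_number", "amount"}),  # audit subset: no names, addresses, bank details
    "senior_infosec": ALL_FIELDS,
}
AUDIT_LOG = []  # every export attempt, allowed or refused, is recorded here


class ExportDenied(PermissionError):
    pass


def export_dataset(role, fields, records=RECORDS):
    """Return a gzip-compressed JSON extract of exactly `fields`, if `role` may export them."""
    requested = frozenset(fields)
    allowed = EXPORT_POLICY.get(role, frozenset())
    refused = requested - allowed
    denied = role not in EXPORT_POLICY or not requested or bool(refused)
    AUDIT_LOG.append({"when": datetime.now(timezone.utc).isoformat(), "role": role,
                      "fields": sorted(requested), "allowed": not denied, "rows": len(records)})
    if denied:
        raise ExportDenied(f"role {role!r} may not export {sorted(refused) or 'an empty field set'}")
    # Data minimisation: build the extract from the permitted fields only, never the whole row.
    minimised = [{k: r[k] for k in sorted(requested)} for r in records]
    return gzip.compress(json.dumps(minimised).encode("utf-8"))


def monthly_audit_extract():
    """The automated job the article asks for: export only the audit subset, under the audit role."""
    return export_dataset("audit_transfer", EXPORT_POLICY["audit_transfer"])


def decode_extract(payload):
    """Decompress an extract back into records (used by the receiving side or a test)."""
    return json.loads(gzip.decompress(payload).decode("utf-8"))
```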
The Government protests that ‘the procedures were in place – but they weren’t followed!’. When you want to protect your money, you don’t pile it in the middle of the street, draw a line around it and enact a law making it illegal to steal it. You lock it in a bank and remove the possibility altogether. Procedures are flaky. Technology works. Let’s just hope that one day Government learns to use it properly.