The information commissioner plans to officially censure HMRC for last year's highly publicised loss of two data CDs — a move he hopes will help CEOs across all sectors improve data protection.
The announcement by Richard Thomas follows the publication of the Poynter report, which blamed the Revenue's culture and communications for the 'entirely avoidable' security breach last autumn.
Mr Thomas stated that he would be 'taking formal enforcement action against HMRC' in response to its 'deplorable failures'.
He went on to say that it is 'of fundamental importance that lessons are learned' from the loss of the disks containing the details of 25 million child benefit claimants.
Mr Thomas (who also intends to take action against the Ministry of Defence for a similar data breach) added that 'information security and other aspects of data protection must be taken a great deal more seriously by those in charge of organisations. No chief executive can now say that data protection doesn't matter'.
The information commissioner then revealed his intention to serve a formal enforcement notice on HMRC. The department will be required to 'use [its] best endeavours to implement all the recommendations outlined in the [Poynter report]'. Failure to comply with an enforcement notice is a criminal offence.
The new paper on the loss of the Revenue CDs, produced by PricewaterhouseCoopers chairman Kieran Poynter, makes a total of 45 recommendations, 39 of which the department is acknowledged to have made good progress on.
Mr Thomas continued: 'We will also be monitoring the situation closely. We will require progress reports to be published after 12, 24 and 36 months, documenting in detail how the recommendations have been, or are being, implemented to improve data protection compliance.
'I welcome the seriousness of the requirements and guidance for central government in the cabinet secretary's data-handling report.
'This material should help chief executives across the whole of the public, private and third sectors achieve better compliance with the Data Protection Act and keep people's personal details more secure.'