Mary Reid

Did I really hear Gordon Brown saying that the loss of data about 25 million people was due to some junior civil servant not following procedures?  Yes, I did - he said this

"When mistakes happen in enforcing procedures, we have a duty to do everything we can to protect the public."

Did senior management at HM Revenues and Customs really believe that they could keep huge amounts of sensitive data safe from incompetence, laziness and fraud by simply enforcing a few rules? If so, then a major government department is seriously in breach of the Data Protection Act.

Murphy's Law states that "If anything can go wrong it will go wrong". And that should be the first and most important guiding principle of any data security system. Or put another way, "If something can be done then someone will do it"

The second principle is to design out errors and (more difficult) the unauthorised access to and handling of data.  A system as sensitive as this should have had layer upon layer of technical safeguards built into it. These would have made it impossible for someone to copy such a vast amount of unencrypted data onto CDs and ultra-safe data channels should have been developed for transferring the data from one centre to another.

This catastrophe was not due to unenforced procedures, as Brown tells us, but to a major systemic design flaw. And that cannot be put right by rewriting some procedures, but only through a very extensive analysis and rebuild of the system.