WIREDGOV

The Independent Parliamentary Standards Authority (IPSA) has agreed to take action after MPs personal details were accidentally placed at risk on the MPs expenses database, the Information Commissioner’s Office (ICO) said recently.

The expenses claims were accessible for a period of 21 hours, following IT maintenance work in July 2010 which inadvertently allowed those persons with an expenses account, and their clerks, to access the information. The data included MPs banking details, vehicle registrations and home telephone numbers.

Mick Gorrill, Head of Enforcement at the ICO, said:

“This case highlights how any work carried out on a database must be subject to rigorous security testing before being re-launched. MPs carry out a high profile role and the information their expenses claims include could put them at risk of fraud and endanger their security.”

Andrew McDonald, interim IPSA Chief Executive, has now signed a formal undertaking to ensure that changes to the system’s administrator account are reviewed regularly and that breach notification procedures are reviewed and communicated to all MPs and staff. The authority will also implement any other such security measures it deems necessary to protect the MPs personal information.

If you need more information, please contact the ICO press office on 0303 123 9070 or visit the website at: www.ico.gov.uk

Notes to Editors

1.The data controller shall, as from the date of this Undertaking and for so long as similar standards are required by the Act or other successor legislation, ensure that personal data are processed in accordance with the Seventh Data Protection Principle in Part I of Schedule 1 to the Act, and in particular that:

. Changes made to the E@W administrator accounts should be reviewed regularly.

. Appropriate changes to the system are introduced so as to ensure that the ‘reports’ field cannot be left blank.

. Breach notification procedures will be reviewed and communicated to all MPs and staff.

. The data controller shall implement such other security measures as, and when, it deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.

2.The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

3.The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.

4.For more information about the Information Commissioner’s Office subscribe to our e-newsletter at www.ico.gov.uk. Alternatively, you can find us on Twitter at www.twitter.com/ICOnews.

5.Anyone who processes personal information must comply with eight principles, which make sure that personal information is:

. Fairly and lawfully processed

. Processed for limited purposes

. Adequate, relevant and not excessive

. Accurate and up to date

. Not kept for longer than is necessary

. Processed in line with your rights

. Secure

. Not transferred to other countries without adequate protection

6.The Data Protection Act (1998) does not cover the acts of interception of communications or ‘hacking’ of personal information. The interception of communications falls under the Regulation of Investigatory Powers Act (2000) which is regulated by the Interception of Communications Commissioner.

7.The ICO has legal powers to ensure that organisations comply with the requirements of the Data Protection Act. In using its regulatory powers, the ICO considers the nature and severity of the breach which has occurred. Dependent on circumstances, the powers the ICO has at its disposal include:

. serving information notices requiring organisations to provide the ICO with specified information within a certain time period;

. serving enforcement notices requiring organisations to take specified steps in order to ensure they comply with the law;

. issuing monetary penalties of up to £500,000 for serious breaches of the Data Protection Act;

. conducting audits to assess whether organisations are processing personal data in accordance with good practice;

. reporting to Parliament on data protection issues of concern;

. prosecuting those who commit criminal offences under the Act. The ICO prosecutes individuals and organisations for specific breaches of the Act such as the illegal trading of personal data and non-notification.