U.K. government reveals its 'biggest privacy disaster': Her Majesty's Revenue and Customs has admitted to losing the details of 25 million individuals, with 7.25 million U.K. families potentially affected.

In a speech to Parliament on Tuesday, the chancellor of the exchequer, Alistair Darling, told of the loss of two discs containing the details of everybody in the U.K. who claims and receives child benefits.

Details on the discs, which were only password-protected, included names, addresses, dates of birth, national insurance numbers, and bank and building society account details.

"This is the biggest privacy disaster by our government," said Jonathan Bamford, assistant information commissioner. "Clearly on the facts available there appears to be a major contravention of data-protection laws."

Speaking on Wednesday at "Fine Balance," a conference in Westminster on privacy-enhancing technologies, Bamford said that some of the eight principles of the Data Protection Act, including that personal information be kept secure, had "clearly been breached."

Bamford added that there should be tougher penalties for persistent or serious breaches of data laws. At present, the toughest legal penalty for the persistent or serious flouting of data laws in the U.K. is a 5,000-pound ($10,300) fine; criminal prosecution is possible only after the Information Commissioner's Office has served notice due to an information breach, and another breach occurs.

"This is an extremely serious matter," said Darling. "HMRC (Her Majesty's Revenue and Customs) failed to meet the high standards expected of it. I recognize that millions of people across the country will be concerned."

The discs were lost during a National Audit Office investigation in October. A junior official in HMRC sent the unencrypted discs to the NAO, but HMRC was not informed until November 8 that the discs had not arrived to be audited. Darling himself was informed of the loss on November 10--three weeks after the discs had failed to arrive at the NAO.

Edward Leigh, the chair of the Public Accounts Committee, later said that the information the NAO requested had specifically been national insurance numbers, and not other personal details.

HMRC had not followed procedures for data transit, said Darling. The agency had given the discs to courier TNT, but had failed to record or register the discs. When those discs did not arrive, two more discs with the same information were sent by registered post. Those discs did arrive.

"Again, they should never have let this happen," said Darling.

(Read Original Article - Via Privacy : Tech news from CNET .)