The Rural Payments Agency has ignored basic government requirements for protecting farmers’ confidential information.
Following a Farmers Weekly investigation, the agency has admitted losing two computer tapes containing bank details, addresses, passwords and security questions of English farmers.
The data tapes had not been encrypted – a step which would secure the data so it could not be accessed if it fell into the wrong hands.
The admission revealed the agency had flouted basic data handling rules, set out after HM Revenue and Customs lost the confidential details of 25m child benefit recipients.
The procedures, published in a report by the Cabinet Office in June 2008, said data put on computer discs, tapes or laptops should be encrypted as a “minimum requirement”.
While government departments could set higher levels of protection, encrypting information and monitoring its whereabouts was a core obligation.
IT security expert David Lacey said there was a “systematic ignorance” throughout government about the need to secure data properly.
“It’s difficult to encrypt data and lots of people have difficulty even sending an encrypted email,” he said.
“People are ignorant of the risks of not encrypting information.”
While DEFRA claimed farmers’ details contained on the tapes were at a very low risk, Mr Lacey said any loss of unencrypted data could lead to identity theft.
“You can’t say there’s no damage done – you can’t be relaxed about any personal data going missing. It’s an outrage for anyone affected.”
Ian Grant, senior reporter for Computer Weekly, said regardless of whether farmers’ details were encrypted, the whereabouts of the data tapes should have been recorded.
“They should also have a very explicit audit trail for who had the tapes and when,” he said.
“Even if you have a third party processing the information they should be looking after it – making a note of when they get the tapes, who got them, where they are. They should know that down to the second.
“When that data wasn’t accounted for, it should have triggered alarm bells.”
RPA in turmoil: