And 41 laptops – many containing sensitive financial details relating to members of the public – were stolen from employees at HM Revenue and Customs (HMRC) over the last 12 months, demolishing any notion that the loss of two computer discs containing the details of child benefit claimant was a "one-off" error.

HMRC's record of data losses came to light as it emerged that the National Audit Office (NAO), to which the HMRC was sending the discs, specifically asked for many sensitive details to be filtered out and not sent to it.

But HMRC officials refused to separate the details the NAO wanted to audit from those it did not need – like parents' names and bank details – because it would be "too burdensome" and costly to separate them.

The Conservative MP who chairs the Commons Public Accounts Committee added last night that a briefing note prepared by the NAO for the Chancellor reveals that it was senior HMRC officials who insisted that all the data be sent – quashing the Chancellor's insistence that the crisis was the sole responsibility of a hapless junior official.

Edward Leigh said an unnamed Senior Business Manager at HMRC wrote an email to the NAO, copying in another senior HMRC official at Assistant Director level, stating that the data would not be "desensitised".

HMRC also came under attack yesterday for charging the millions of people whose personal data it lost to call an 0845 helpline for advice, with critics claiming that it was "rubbing salt into the wounds" of claimants.

The scandal intensified last night after Gordon Brown said he "profoundly regretted and apologised" for the losses – but insisted there was no reason why under-fire Chancellor Alistair Darling should resign.


Conservative leader David Cameron told Mr Brown that millions of people were "angry that the Government has failed in its first duty to protect the public" and called on him to admit that there was "systemic failure" at the HMRC, formed when Mr Brown merged the Inland Revenue and HM Customs and Excise as Chancellor.

Mr Brown refused, and instead pledged a review of data handling and security across Whitehall and greater powers for the Information Commissioner – although it also came to light yesterday that the very "spot check" powers proposed by the Prime Minister were dismissed by his Ministers just weeks ago.

A recent House of Lords report called for the Information Commissioner to have the "power to conduct random audits of the security measures in place in businesses and other organisations holding personal data".
But in its official response, issued on October 25, the Government insisted: "The current enforcement regime for data protection is fit for purpose."

The Prime Minister told MPs that there was no sign of any fraudulent activity resulting from the loss of the information – including bank and building society details – and that anyone who lost out would be compensated under the Banking Code.

He added that the Government would do "everything in our power to make sure data is safe", who said there was "no excuse" for the breach of security procedures which caused the current crisis.

But Mr Cameron said the public would find it "bizarre" that the Government was not willing to "stop and think" about the introduction of ID cards in the wake of the blunder.

And he asked: "Won't people think that he has totally lost touch with reality, he is demonstrating no common sense at all? Won't they see a Prime Minister who tries to control everything but actually can't run anything?"

Later, the Tories released a dossier of security breaches at HMRC, detailing 2,111 security breaches in the last year, the theft of 41 laptops, and other recent data breaches.

Earlier in the month, the national insurance, pension and other details of 15,000 Standard Life policy-holders were lost when HMRC posted a disc that never arrived.

In August, a laptop with the details of 400 ISA customers was stolen from the boot of a car after being left overnight, and in May, HMRC posted the details of 42,000 families' tax credits to the wrong people.

Last night, Information Commissioner Richard Thomas welcomed his proposed new powers. "For some time I have been pressing the Government to give my office the power to audit and inspect organisations that process people's personal information without first having to get their consent," he said.

"Ultimately this will ensure better compliance with the law and protect people's data."

Calling for a new law to "make security breaches of this magnitude a criminal offence", he added: "At the moment I can take limited enforcement action, but making this a criminal offence would serve as a strong deterrent and would send a very strong signal that it is completely unacceptable to be cavalier with people's personal information.

"The law needs to be changed urgently so that people's personal details are properly protected."



The Facts
2,111 security breaches in last year at HMRC.

41 HMRC laptops stolen in last year.

September 2005: Unencrypted CD-ROM with sensitive financial information lost in post.
– HMRC said: We are urgently reviewing our procedures to make sure this type of incident does not happen again.

May 2007: 42,000 families tax credit and bank details posted to the wrong people.
– Ministers told Parliament: HMRC take confidentiality very seriously and have robust procedures in place to protect information provided by claimants.

August 2007: HMRC Laptop stolen with 400 customers' ISA details from five companies.
– HMRC said: HMRC places the utmost importance on the security of confidential material and we have in place very clear processes governing the handling of such material.

November 2007: 15,000 people's National Insurance details lost on CD-ROM.
– HMRC said: 'We have also reviewed our arrangements and introduced safeguards to prevent this happening in future'