"down to an individual circumventing the regulations"
What utter crap. Anybody with the slightest understanding of information security knows that this is a complete fabrication and a pathetic attempt to offload the blame from the criminally incompetent management of this department.
The questions that need to be asked are:
1) Which senior managers in the NAO and HMRC agreed the transfer request for the data? If none then file criminal charges against the directors of both departments and dismiss the ministers / civil servants responsible.
2) When senior manager permission for the data transfer was given what analysis was done of which data fields were actually necessary for the purposes of the NAO work to allow the data to be masked before transit? This was clearly not done as there is too much identifying information, the records are clearly just a database dump. The resolution here is the same, criminal charges for directors and immediate dismissal of the ministers / civil servants responsible.
3) How was a junior who was unaware of the alleged processes able to access this data without senior management approval? How many thousands of pimply faced youths in HRMC have un-audited and unrestricted access to this data? With this level of systemic insecurity we must regard the data as completely compromised from the instant HMRC have it as the probability of it not leaking out is almost zero. The resolution is again, criminal charges for the directors and immediate dismissal of the politicians / civil servants responsible.
4) Why did the access log for the database that showed a complete export not flag a security check that required confirmation of receipt instead of waiting for the PFY to report it? The explanation is simple, there is no access security or logging in use on this system, it was designed be the incompetent at the request of the inept. (consultant - politician). Same resolution except the directors may wish to point the finger at the outsourcer in their court defence. In a private company the restrictions on who has access to a customer database for an export are significant and any unauthorised access attempt is logged and actioned.
The issues around the alleged processes, data encryption, method of shipping are all competely secondary, this was not an IT failure. This is indicative of a pervasive and systemic failure of all involved from the minister down to understand even the basics of information security, be it on paper, disk or any other media. You have to understand that sooner or later you will lose media and have processes that work in this inevitable circumstance.
With a previous employer where we did managed hosting we would not even allow customers data to be sent to a shared tape library without being encrypted first to avoid the risk of accidentally restoring one customers data to another customers system.
The idea that the UK government is competent to operate a national identity register would be laughable if it were not so serious. Once the NIR is in place the brain dead politicians and plod will assume that your identity is valid unless you can prove otherwise, "it was checked 'gainst yer biometrics weren't it?". How do you plan to prove otherwise when every dodgy 419er can bittorrent your entire NIR entry and print out some contact lenses and false fingerprints?
Perhaps we should transfer Sir Ian Blair's MP5 toting death squads to the Information Commissioner's office, perhaps the threat of immediate and permanent resolution of data security issues would change behaviour in government and industry. Whilst there are no effective penalties why should anybody care about these laws?