Having worked on a project for schools in Scotland that required the export and transportation of some personal information I cannot believe the basic flaws that have been made by the "technical people" at HM Revenue and Customs.
Here it is in one line.
DO NOT ALLOW CLEAR TEXT EXPORT OF PERSONAL INFORMATION !!
This is not difficult. The technologies are far enough advanced. In an attempt to save the trillions in consultancy fees, here is how to fix this.
1. Give every member of staff a certificate and/or smart card.
2. Ensure they use a very strong password when using that certificate.
3. Any EXPORT routine MUST ask for the private key of the user exporting the data and sign that data. This ensures you know who exported the data.
4. Additionally, any export routine MUST ask for the public key of the EXACT user you intend to send the data to and encrypt that data. Now only that person can read that data as only they have the private key for that certificate.
5. Now, with the IMPORT routine, when the person wants to read the data they need their own private key to decrypt the data.
6. The IMPORT routine should also check the signature and alert the user so they can confirm who SENT them the data.
Additional steps should be:
7. Use key revocation to ensure that, should any key be lost, it IMMEDIATELY becomes invalid and hence can't be used to view the data.
8. Know and ensure that every application that uses this data has a common import/export routine with encryption and logging as standard.
9. Log every interaction with that data. You don't even need the personal data to do this - just an identifier for the user (say the certificate hash) and an identifier for the data items.
This stuff sounds trickier than it is. I have now done this with the Government, Barclays and a few other places... in short - you CANNOT just allow people to export this kind of data.
Now we are all checking our bank accounts - I have an additional post coming next on the business side of this ...