The top security chief in Whitehall is to carry out a comprehensive review of data protection across the Government within a matter of weeks after the child benefit records scandal.

Robert Hannigan, head of intelligence, security and resilience in the Cabinet Office, will scrutinise existing practice in departments by December 10 and draw up new guidelines for the Prime Minister by the new year.

The announcement came as it emerged that both Revenue & Customs and the junior official blamed for sending the missing discs — which contained the child benefit records of 25 million people — are likely to escape prosecution, even if they are found to have breached their legal duty to safeguard the records.

Richard Thomas, the Information Commissioner, said that a new offence was urgently needed to cover “reckless breaches of data protection law”.

The worst that Revenue & Customs can expect is to be served with an enforcement notice by the Information Commissioner setting out steps that it must take to prevent another failure.

Only if the department breached the terms of the notice would it face criminal proceedings, with a maximum fine of £5,000 if dealt with in a magistrates’ court but unlimited fines if heard by the Crown Court.

The junior official blamed for sending the missing discs may also escape any sanction from the discplinary inquiry under way if, as widely reported, he has resigned from his post. The most severe sanction available in such an inquiry would be dismissal from the service, with lesser punishments ranging from a block on promotion for a set period or suspension.

But the Revenue admitted yesterday that it could take no further action if the official left the service unless the matter were referred to the police.

Mr Thomas said that the scale of the breach highlighted the weaknesses of his powers. “It is important that the law is changed to make security breaches of this magnitude a criminal offence,” he said. “At the moment I can take limited action, but making this a criminal offence would serve as a strong deterrent and would send a very strong signal that it is completely unacceptable to be cavalier with people’s personal information.”

Alistair Darling, the Chancellor, has admitted to MPs that it is “highly likely” that the Revenue committed breaches of the Data Protection Act in the chain of events that led to the loss of two discs.

The Times has been told that the most probable failures could come under the duty in the Act to keep personal information secure, by having in place technical and organisational measures in case of accidental loss.

Mr Darling repeatedly dodged questions yesterday over whether he had considered resigning over the lost data, saying only: “This is a difficult issue and I intend to see it through.”

He pointed out that the Revenue was separate from mainstream government and run by a commission headed by a chairman, who had responsibility for operational matters.

Mr Hannigan’s review, which will examine in detail departments’ data protection procedures, will dovetail with a separate study by PricewaterhouseCoopers into what went wrong at Revenue & Customs. He has asked each permanent secretary to “identify compliance with policies and standards” in their departments and agencies and recommend improvements. He will then look at how data protection can be improved.

Tax officials said that a blunder in which part of a recorded telephone conversation was sent to a stranger appeared to be an isolated case. A member of the public from the City requested a copy of conversations with call-centre staff. A CD was sent in the post that also included part of another person’s call.

Times Recommends

• Third of Muslim students back killings
• Curfew tames feral yobs of Cornwall
• £3,000-a-month drug free abroad