AccountingWEB Exclusive: HMRC admits human error over website flaw. By Dan Martin
HM Revenue and Customs (HMRC) has confirmed that an error on its PAYE website which allowed users to view the details of other companies was due to human error.
AccountingWEB revealed last week that users accessing the 'View PAYE Notices' section on HMRC's website were able to view not only their own company's details but also those of other firms.
AccountingWEB member Perry Yarnell disclosed that he could read recent tax code changes and student loan information for several large payrolls including police forces and local authorities.
A spokesperson confirmed last week that HMRC tempora
Continued...
Julian Hatt: Not what he meant to say
I've had a note from Julian Hatt at HMRC pointing out that I may have put the wrong interpretation on his comments at the Digita conference last week. When he used the phrase "You haven't communicated with us", I misinterpreted this as spoken from his (and HMRC's) point of view, when he was in fact summarising the attitudes of most accountants.
Like computer programmers, busy journalists sometimes make mistakes and I'm happy to hold my hands up in this instance.
To clarify his position, Hatt explains: "I sought to acknowledge that the Inland Revenue had perhaps taken the profession for granted vis-a-vis their need for support and stronger communications and that HMRC's new business model and the customer-centric ethos propounded by Sir David Varney and his Board provided a real opportunity to try to put that right.
"It wasn't the audience I was rebuking for 'sitting back and not communicating with HMRC effectively', quite the opposite. Lest it were needed to provide additional impetus, Lord Carter's recent report exhorts HMRC to communicate more effectively with tax practitioners."
My apologies to Mr Hatt, and also to John Price and any other practitioner who was incensed by the remarks as quoted below. My main hope is that this episode will not undermine the need recognised on all sides for a full and robust exchange of views.
John Stokdyk
Technology editor
AccountingWEB.co.uk
Blame where it's due
Practically all so-called 'computer errors' are in fact due to human errors.
So what is the HMRC trying to tell us?
But credit them for clear (if slow) communication, Mike
Mike,
Thanks for your comment on this story. I was at the Digita event today where HMRC's head of marketing for online services, Julian Hatt, mentioned the 21 March "glitch" and gave an explanation of how it came about.
The breach occurred during configuration work to expand the capabilities of the new DPS system. Currently it works only for PAYE filing, but will be extended during the year to provide information on personal and corporation tax filings. Apparently someone may have inadvertently removed the restriction that prevents users from looking into other agents' client data files.
"It was a fairly simple thing," he said. "We have put in place a different process. We are sorry we got it wrong and we have put it right."
AccountingWEB had submitted a request for HMRC to clarify the situation regarding the DPS data breach earlier this week and are still waiting for word to arrive from the press office. This situation is probably pretty familiar to accountants who raise a fundamental technical query and wait days for a reply.
What is very encouraging about this story is that once the new marketing man got the answer, he was prepared to go public with the information to give us some understanding of what was going on and the potential impact for tax agents.
This new awareness of the need to communicate honestly and effectively should be applauded, and even though I've had my exasperations in dealing with the department in the past, I would encourage all AccountingWEB members to try and move away from the habitual blame culture and to try and engage in a more constructive dialogue (if Lord Carter permits).
[Julian Hatt has pointed out that the next paragraph misinterpreted the meaning of his comments, which are clarified above. However we have left this paragraph unchanged so as not to make the thread incomprehensible - Ed]. Interestingly, the official gave the audience at the Digita conference some stick for sitting back and not communicating with HMRC effectively. We'll put in a request for an interview with our new contact to give him an opportunity to expand on some of these themes. Feel free to post any questions you might like him to address.
John Stokdyk
Technology editor
AccountingWEB.co.uk
Umm..........
Confused by the comment ..
'..Apparently someone may have inadvertently removed the restriction that prevents users from looking into other agents' client data files..'
Firstly
This seems to suggest that the 'de-facto' standard is that all data is accessible by all agents irrespective of client ownership.
The question has to be - why is the system set up like this in the first place & what is the underlying reasoning behind this flag?
Secondly
OK so mistakes happen - but what about migration, staging servers, test plans such as MTS approach (this check should have been in the original test plan; so was that incorrect or has it not been adhered to?) and all the paraphernalia that goes with moving from test to live environments.
Essentially the mistake hasn't just been missed by one aspect but by all elements of the process. Unless this flag has been newly introduced it should have been included in the original test plan and therefore automatically picked up when re-running it.
With all these checks & balances '..may have inadvertently..' is not really an acceptable answer. Was it in the test plan? If not then why not?
Hatt's comments indicate no clues!
John Stokdyk
I am worried by your comment that Julian Hatt claimed to people at the Digita conference that they tended to sit back and not to communicate with HMRC effectively. I suspect that he has no perception of the reality!
On 22 March, I put in detailed comment by e-mail to the HMRC Web editors concerning defective aspects of the alerts received by e-mail and pages on the website to which they were related. Seven working days later, I have not even received an acknowledgement, let alone any response. Admittedly, on a number of occasions on which I have pointed out relatively straightforward mistakes on the website in the same way, I have had a quick response in the past. However, it is only the website people, who have responded promptly.
Throughout the rest of the Department, I usually hear nothing. Yet, when I put in comments, they are in detail with specific examples, not merely general criticisms. It is as if the Department does not like receiving criticisms and believes the best way of dealing with them is to say nothing! Another aspect appears to be that no one within the department ever wants to take the decision, which is usually necessary in order to get anything put right!
These criticisms are based on numerous detailed attempts to help. I have been pointing out to the Department, in relation to VAT matters, for nearly 30 years on how it could improve its ability to communicate, or rather the lack of it! The response has never been wholehearted although I did achieve some results in the first 20 years. In the last 10, I have been mostly ignored. When I had a response, it has usually been to the effect that my comments would be taken into account the next time the material in question was looked at.
Now if an author of a serious book and of numerous articles does not get a response to detailed comments, I do wonder how Julian Hatt supposes that the average busy person, whether in industry or in a profession, is likely to be prepared to put any time into trying to help. My initial reaction is that Mr Hatt has no perception of how the Department communicates, or repeatedly fails to do so -- just as numerous senior members of the Department have in the past demonstrated their lack of understanding!
Of course, if this was just "life as it is", the above comments might not matter. However, yet again, we have a consultation process -- just started. I have yet to read the details of it. However, its very existence is, to me, evidence of the lack of understanding by the Department in general of what it needs to do. Mr Hatt's comments sound as evidence that yet another senior person has no clue!
Why should the proposed biometric data base be more secure?
If the HMRC can suddenly make confidential information open to everyone who has access to it why should we have confidence that a data base of biometric data for everyone in the UK will be secure?
Richard
Biometric data base
"If the HMRC can suddenly make confidential information open to everyone who has access to it why should we have confidence that a data base of biometric data for everyone in the UK will be secure?
Richard" - and when you take into account that there are plans afoot to link the medical data base to the ID data base, it all becomes even more sinister! Join No2Id and campaign against the ID cards!



Windows Explorer at fault
I was extremely disturbed to find that private data was accessed by another party. Is this because HMRC insist on using Internet Explorer which has too many security loopholes to be considered safe?
I personally use Mozilla Firefox which is more secure but sometimes the online software crashes when using it. I believe it's time for HMRC to look at a different operating system from Windows which is open to hackers.