
HMRC data loss: ‘Institutional deficiencies’ or plain bad management?

27th Jun 2008

Following HMRC’s 2007 blockbuster disaster, the loss of two disks containing the entire child benefit database, PwC’s Kieran Poynter has finally completed his review of information security at HMRC and put forward his recommendations. He says that “a great deal of work will be required to bring HMRC up to and to sustain the world class standard for information security to which it now properly aspires.”

The data loss arose from a sequence of communications failures between junior HMRC officials, and between them and the National Audit Office (“NAO”). Poynter observes that the loss was “entirely avoidable and the fact that it could happen points to serious institutional deficiencies at HMRC.”

He says that “much can be done in the short and medium term to establish and consolidate control, but in the longer term, investment is required in new systems.” He adds that HMRC has made progress on 39 out of his report's 45 proposals, implementing 13 to date.

Overall, Poynter reports, “HMRC people lacked sufficient awareness and training on information security matters” and there was “a lack of clarity in governance, accountability and communication in respect of data guardianship.”

HMRC has also been found to have breached the 7th Data Protection Principle, which requires appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data and against accidental loss of it. The Information Commissioner will be issuing an Enforcement Notice on HMRC under section 40 of the Data Protection Act 1998. The Commissioner envisages that the “specified steps” in the Notice will, with a view to ensuring full compliance with the 7th Principle, require HMRC to use its best endeavours to give effect to the recommendations of the Poynter report. The Commissioner also envisages that the Notice will require HMRC to publish progress reports after 12, 24 and 36 months documenting in detail how the recommendations have been, or are being, implemented to achieve that compliance.

Poynter’s key findings can be summarised as follows:

  • Information security, at the time of the incident, simply wasn’t a management priority;
  • Even had it been a priority, HMRC’s organisational design and the governance and accountabilities underpinning it would have made it extremely difficult for it to be felt as such;
  • Even with a more suitable organisational structure, the fragmentation and complexity that has accompanied the changes that HMRC has had to absorb makes information security difficult to control;
  • HMRC’s information security policies were inadequate and those that they had were unduly complex and not adequately translated into guidance or training for the junior officials who needed them;
  • HMRC continues to operate processes that hark back to a paper-based, rather than a digital, world; and
  • Morale is low in HMRC and management needs to continue to focus on engaging with staff as the department embarks on a period of further change.

The Independent Police Complaints Commission (IPCC) also published its report into the data loss, and its findings were similar to those of Kieran Poynter. It says in its report that there was “a complete lack of any meaningful systems; a lack of understanding of the importance of data handling; and a ‘muddle through’ ethos.

Staff found themselves working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data appropriately. While an ongoing review of data procedures was being conducted within HMRC at the time of these events, it had not been finalised. Had this internal review received a higher priority, this incident may have been avoided.”

The Chancellor, Alistair Darling, in responding to the report noted: “In recent years we have seen problems in both the public and private sectors as organisations struggle to keep pace with the development of technology in data storage and transfer.”

Acting chairman Dave Hartnett said: “While the IPCC found no evidence whatsoever of misconduct or criminality by any member of HMRC, the two reports make it clear that the data loss was avoidable and a result of serious failings within HMRC. In short, it should never have happened.

Immediately following the data loss, both HMRC and the police carried out extensive searches in an attempt to locate the missing data. While the data has not been found I can confirm that there is no evidence of any fraudulent activity as a result of this loss.

The progress made by HMRC since the data loss occurred is acknowledged by Mr Poynter. He notes that of his 45 recommendations, which are designed to ensure HMRC achieves the highest standards of data security, HMRC has made good progress on 39, including 13 which have been implemented. He also notes that the issues that led directly to the data loss have now been addressed.”

Links:
http://www.hm-treasury.gov.uk/independent_reviews/poynter_review/poynter_review_index.cfm

Replies (4)

By Frank_Shailes
03rd Jul 2008 15:09

There already is one...
Mike Whittaker wrote:
"Far be it from me to suggest more quangos, but I can't help thinking that if there was an independent body such as the NCC setting and auditing IT security & procedures in various government sectors, things would not have become so bad. "

What about the CESG?

"CESG aims to protect and promote the vital interests of the UK by providing advice and assistance on the security of communications and electronic data. We deliver information assurance policy, services and advice that government and other customers need to protect vital information services. We work on a cost recovery basis for all customer-specific solutions and services, though IA policy and Guidance documentation is usually free of charge to the UK official community."

CESG is the Information Assurance (IA) arm of GCHQ and we are based in Cheltenham, Gloucestershire, UK. We are the UK Government's National Technical Authority for IA, responsible for enabling secure and trusted knowledge sharing to help our customers achieve their business aims.

There are five key principles, essential for safe electronic transactions: etc etc

Their website URL is http://www.cesg.gov.uk/index.shtml
By mikewhit
02nd Jul 2008 10:18

Once upon a time, there was the NCC ...
There once was a government body called the National Computing Centre (NCC), one of whose remits was the creation of standards for UK computing systems and technologies.

Far be it from me to suggest more quangos, but I can't help thinking that if there was an independent body such as the NCC setting and auditing IT security & procedures in various government sectors, things would not have become so bad.

By Malcolm Veall
01st Jul 2008 16:28

More Fundamental Change Needed
The key problem is addressed by the Poynter report as follows:

"As products have been added to HMRC’s portfolio over time, little integration between them has taken place. The products effectively operate as discrete businesses, each with its own set of processes and supporting systems, but are also served by cross-cutting functions such as customer contact and debt management.

"Thus PAYE, National Insurance, Child Benefit and Tax Credits (to name but a few) each have their own supporting systems, each of which contains a separate customer record – meaning that the same individual customer can have four separate customer records.

"Maintaining these separate records is both inefficient and increases information security risk because of the constant need to bring this information together (e.g. for compliance purposes and for management information purposes). Putting better controls around the existing set of processes and supporting systems will improve information security, but to reduce information security risk to acceptable levels will require more fundamental change."

This is the real problem: multiple systems duplicating data unnecessarily and requiring taxpayers to contact a multiplicity of HMRC offices.

By The Black Knight
30th Jun 2008 15:53

no evidence
Is there a common theme in all these investigations, that being:
"there is no evidence of misconduct or criminality"?
Surely someone ought to change the words around before copying the previous report, or look a bit harder.
