HMRC’s data loss: Poynter’s recommendations

30th Jun 2008
It might be astonishing to find that HMRC had never considered that the potential loss of data is a risk worth managing but then again, looking at the recommendations of the Poynter report into the loss of the child benefit data, that was just the tip of the iceberg that led to HMRC’s biggest ever disaster…

PWC chief Kieran Poynter's 45 recommendations to patch up HMRC's data security problems are as follows:

  1. The role of information security as a corporate objective should be acknowledged by HMRC and work should immediately begin to formalise this objective within its mission and strategy(s).
  2. Line of Business objectives for information security should be set to support the overall achievement of information security corporate objectives.
  3. HMRC’s Business and IT Strategy should be updated to make them consistent with the direction of travel set out in this report.
  4. HMRC should initiate a review of any policies or legislation that might need to be changed if it is to be able to specify the manner in which its customers should interact with it.
  5. HMRC should initiate an exercise to formalise its information security strategy, making sure it supports its updated Business and IT Strategy.
  6. HMRC should identify ‘quick wins’ to set it off on the right direction of travel.
  7. HMRC should identify and investigate initiatives which will take it further along the new direction of travel in the medium term.
  8. HMRC should seek to achieve a better balance between strategic and tactical investment.
  9. The HMRC Data Security Programme should start to coordinate and manage current security activities and initiatives as a coordinated, integrated body of work.
  10. The Data Security Programme Board should be sponsored by an ExCom member and have members who are senior enough to ensure effective coordination and implementation.
  11. HMRC should appoint a Chief Risk Officer (CRO).
  12. HMRC should appoint a Chief Information Security Officer (CISO) at a senior level, reporting to the CRO.
  13. HMRC should establish a professional risk management function, whose roles should include supporting the Lines of Business in managing their risks through a common, Department-wide process, and supporting the CRO, the CFO and other ExCom members in the identification and assessment of strategic risks.
  14. The Chairman, Chief Executive, Chief Operating Officer and CFO and their senior advisers should use periodic meetings with the Directors-General of Lines of Business and their senior management teams as a forum to support and challenge the Lines of Business on information security.
  15. HMRC should engage its staff by communicating the direction of travel detailed in this report. This communication needs to recognise how far removed from today’s reality this will seem and be alive to staff perception that HMRC’s priorities constantly change and that this may therefore be initially viewed with a degree of scepticism.
  16. HMRC should commence the alignment of HR, Communications, Learning and change activities to ensure that information security policies and processes are embedded into day-to-day working life and behaviours.
  17. HMRC should ensure that staff, at all levels, understand their responsibilities and accountabilities for information security and apply information security policies and principles in their day-to-day roles.
  18. Information security messages and controls should be incorporated into all employee life-cycle processes, from attraction and recruitment through to exit.
  19. HMRC should develop and implement an information security awareness programme that includes regular refresher training to remind and update staff of the risks and of their responsibilities.
  20. HMRC should build appropriate levels of capability in the management of information security across the Department.
  21. HMRC should consider using Pacesetter as the means of driving changes in behaviour around information security.
  22. Information security guidance should be simplified, shortened and made more accessible.
  23. Central guidance on information security policy and standards from S&BC should be translated by all Business Units into locally applicable procedures and the accountabilities between BC and the Lines of Business made clear.
  24. HMRC should enhance its S&BC capabilities to take a more proactive stance on incident management.
  25. HMRC should adopt a structured approach to assuring and auditing performance in relation to information security, based on the unambiguous accountability of Business Directors for information security within their areas of management control; assurance and audit activity carried out on behalf of Line of Business Directors-General; and corporate assurance and audit activity undertaken by the CISO and the CISO’s staff.
  26. Each Line of Business should identify an information security sponsor on its Management Board and should appoint an information security professional to provide leadership for information security across the Line of Business.
  27. Each Line of Business should identify an appropriate risk management sponsor on its Management Board and should appoint a risk management professional to provide leadership for risk management.
  28. HMRC should ensure that the mechanisms that it provides for managing key linkages between interdependent functions, for example those between the Business Units and shared resources such as Customer Contact, Debt Management, IMS and ESS, are effective.
  29. The Data Guardian, and any professional information security role at the Line of Business level, should include explicit responsibility for the people-related aspects of information security.
  30. Each Line of Business should in the short term have a clear point of accountability for the security of mail handling, including the handling of mail by post-rooms owned by both ESS and itself.
  31. HMRC should make its access control consistent across all of its systems and estate.
  32. Each Business Unit should conduct a capacity review for paper storage to determine its future requirements so that it can be compliant with the clear desk policy.
  33. HMRC should map its end to end data flows at the right level of detail to enable effective information security risk identification and management.
  34. Service level agreements should be agreed to ensure that the service meets the operational needs of the business.
  35. HMRC should initiate a programme of Third Party Assurance in respect of information security requirements.
  36. IMS should enhance the current approach to project approval for new IT systems (RMADS) to ensure that business owners understand the risks they are being asked to accept.
  37. IMS should initiate a review of the ASPIRE contract to determine whether it reflects adequate information security.
  38. HMRC should urgently draw up its strategy for the replacement of Child Benefit systems and the transfer of the contract for Child Benefit IT Provision across from DWP.
  39. HMRC should move to an IT investment model that includes more of an emphasis on risk quantification.
  40. HMRC should strengthen business requirement specification, particularly around non-functional requirements.
  41. HMRC should enhance its business continuity management.
  42. HMRC should continue to move the emphasis from Business Unit commissioning of IT projects to corporate prioritisation of IT projects.
  43. Build the business case for the new direction of travel outlined in this report, including determining the route map to get there, the timescales, and the level of investment required.
  44. HMRC should engage professional help to flesh out the new direction of travel, the business case behind it and the route map to get to it.
  45. HMRC should enhance the capabilities of IMS so that it is able to drive ASPIRE to deliver the enabling IT that underpins the direction of travel.

Replies (9)

By Anonymous
08th Jul 2008 16:42

Don't knock it...this is brilliant ...nothing could more eloquently summarise why this country is in the state it is....before the asylum is completely taken over my personal road map will immediately initiate a financial capacity review based on an uplifted strategy of sustainable personal risk management to ensure that my life cycle processes are enhanced through a direction of travel based on the first flight out of here.....

Thanks (1)
By Anonymous
07th Jul 2008 18:51

Accountability ....
It really is very simple

Assign a penalty charge per item of lost data (say £100)
Calculate the overall penalty cost (£100 * number of lost records)
Apportion this penalty in the ratio of salaries over the entire HMRC department

Everyone is in the firing line and naturally there will be collective responsibility, born out of self interest, for ensuring it does not occur again

Not a difficult concept, but very effective

PS. Direction of travel = how far you have to go for the next job

Thanks (0)
By Anonymous
01st Jul 2008 14:37

An HMRC customer comments

Did anyone else fail to understand all of this utter garbage Newspeak from a member of the parallel world of the Big 4? I sometimes wonder if I am still functionally fluent in English as spoken by HR people and consultants. Take away the jargon and the content would be cut by 50% and just could be comprehensible. He missed out “mission statement” and “going forward”, capital crimes for an IT strategy report.

May I say that as a customer of HMRC I am not impressed with 45 points of platitudes that any business studies student could have cut and pasted from a standard management bestseller. Not worth even £500.

Graded at D-

Thanks (0)
By coolmanwithbeard
01st Jul 2008 00:22

This is typical PWC twaddle

Although I think there is much that HMRC need to do - I pity anyone who has to "identify ‘quick wins’ to set it off on the right direction of travel. "

How would you know when you'd met it?

What HMRC need now is some clear guidance and support not this expensive rubbish

Surely Accounting Web should put up a prize for the best meeting of this recommendation?

Thanks (0)
By Peter Tucker
30th Jun 2008 23:44

IT Basics
I cannot see any reference to the fact that HMRC allowed the creation of, and no doubt paid a considerable sum of money for, a Database which, despite the fact that it would hold secure or sensitive information, could be “dumped” to disc without any alerts being advised to very senior Managers.
If the attitude towards the holding of data is at this level, why not do away with the notion of an IT Partner and just use Microsoft’s Excel and Access products. Should save millions in fees to Consultants and various IT Companies?
Could also reduce the number of well paid “Senior HMRC Managers” !

Thanks (0)
By AnonymousUser
30th Jun 2008 17:19

44. HMRC should ENGAGE PROFESSIONAL HELP to flesh out the new direction of travel, the business case behind it and the route map to get to it.
(my capitals for emphasis)

In other words - now I have told you what a pile of sh*t your computer systems are, as I know the problems better than anyone else please can you pay me sackloads of money to try and get it right.

No wonder the report was not scathing of the senior management - he needs them to give him the job!!

Thanks (1)
By Springfield
30th Jun 2008 15:47

What on earth is going on??
My recommendation is to remind all HMRC staff from time to time that they must:

1 treat all data as though it related to them or their family.

2 not release or send any data without checking the identity of the recipient

3 use only designated methods of transmitting data whether computer based or paper.

4 assume that if you lose data someone will find it and hand it to the Sun newspaper.

HMRC - you can have this for free.

Thanks (0)
By buttocks
30th Jun 2008 15:23

Direction of travel
These recommendations are just gibberish and why on earth do they keep saying 'direction of travel'.

Thanks (0)
By Antony Rose
30th Jun 2008 15:04

I've just completed my bulls**t bingo card based on the above.

Where's my prize?

Thanks (0)