Digital Law Specialist WebDevLaw
Share this content

HMRC scapegoated for Whitehall's data failures

21st Sep 2016
Digital Law Specialist WebDevLaw
Share this content
data locked in a filing cabinet

A National Audit Office report into government data security painted HMRC as the worst offender for data breaches across Whitehall’s central departments. But what’s the real story behind the numbers?

The damning report depicted a job-creation culture where 12 separate organisations have responsibility for data security, underpinned by dozens of policy frameworks, with no single direction or strategy. As a consequence of this chaos, nearly 9,000 data security incidents were recorded across central government in 2014-2015.

These incidents included three data breaches at HMRC which were reportable to the Information Commissioner’s Office, as well as 6,038 incidents categorised as “minor incidents that potentially had an impact on customers but were not managed centrally by the department” - in other words, incidents which were violations of internal procedures but not mandated reportable data breaches.

The howls are not what they seem

The indignation which greeted the NAO report such as “UK data security breached 9,000 times” made for superb sensational headlines. Unfortunately the sound bites do not tell the whole story.

Two points are worth considering.

The first is that HMRC is one of only three central government offices, along with the Department for Work and Pensions and the Home Office, which deal with nearly every member of the British population on a personal basis. By contrast, to use just one example, the now-defunct Department for Energy and Climate Change recorded no data breaches. This is not because the latter department had better data policies. To compare consumer-facing organisations handling millions of customer accounts to Whitehall bureaucracies handling the occasional public consultation is to contrast apples and oranges.

The second, and perhaps the more telling point made by the report, is the NAO’s observation that organisations which report higher numbers of personal data breaches, such as HMRC and the Ministry of Justice, are actually safer organisations. The high numbers can indicate cultures where discussions of errors, data breaches and the occasional punitive consequences are open, accepted, and expected. Low numbers, by contrast, can indicate cultures where information security concerns - including data breaches - are swept under the carpet.

The NAO report made it clear that this lack of consistency in reporting data breaches across government, borne out of differences in workplace cultures, is as much of a problem as the breaches themselves. It certainly seems strange, for example, that the DWP logged zero minor and unreported incidents compared to HMRC’s 6,038. In that light, HMRC’s position at the top of the data breach table is somehow far less concerning than the smaller numbers listed below it.

Harder better faster stronger

It is all change for government data security. The newly created National Cyber Security Centre, which opens next month, will consolidate many of the government’s self-serving data security groups and functions under clear and cooperative leadership.

That centre, to close on a somewhat awkward point, has been established as a requirement under the upcoming EU NIS Directive on Cybersecurity.


Replies (5)

Please login or register to join the discussion.

By DotasScandalDotOrg
21st Sep 2016 16:37

Data and confidentiality breaches are an everyday thing at HMRC. A typical scenario is HMRC sending confidential taxpayer data to a random agent from a taxpayer's past, despite having been duly notified and having the details of the current one.
It's really great fun when HMRC leaks your latest to the adviser you have just dismissed.
As always, the problem is utter lack of any sort of accountability of HM's civil servants. Can't see the "work" culture changing anytime soon, unless the question of accountability is properly addressed.

Thanks (2)
Replying to DotasScandalDotOrg:
Heather Burns profile image
By Heather Burns
21st Sep 2016 19:22

To be clear, HMRC clearly have many areas of data and confidentiality which need improvement. My worry is that the "name and shame" tactic the NAO used in their report will have the reverse effect than what was intended. By effectively punishing the central government departments which are demonstrating *good practice* in logging and dealing with data breaches, the other branches which do not demonstrate good practice - as in, zero data errors, nothing to see here, move along people - will have nothing to fear.

Thanks (5)
By Springfield
23rd Sep 2016 12:08

A good time to look back at the "quick wins" and multiple "directions of travel" contained in the 45 (yes 45) recommendations that appeared in the June 2008 Poynter Report on HMRC Data Security following the great HMRC CD Rom disaster of 2007?

It was politely suggested at the time on this very message board that this Report was "corporate gibberish speak", "garbage" and "twaddle".

Eight years on - you decide.

Thanks (1)
Replying to Springfield:
Heather Burns profile image
By Heather Burns
23rd Sep 2016 13:36

The 2008 data breach was cited in point 1.10 of the NAO report.

Thanks (0)
By North East Accountant
26th Sep 2016 09:41

First email on a case from HMRC last week, asking us to agree to the conditions (email not secure etc) to use email on the case.

Large word attachment with all correspondence relating to another taxpayer for whom we don't act was attached.


Thanks (0)