HMRC scapegoated for Whitehall's data failures
A National Audit Office report into government data security painted HMRC as the worst offender for data breaches across Whitehall’s central departments. But what’s the real story behind the numbers?
The damning report depicted a job-creation culture where 12 separate organisations have responsibility for data security, underpinned by dozens of policy frameworks, with no single direction or strategy. As a consequence of this chaos, nearly 9,000 data security incidents were recorded across central government in 2014-2015.
These incidents included three data breaches at HMRC which were reportable to the Information Commissioner’s Office, as well as 6,038 incidents categorised as “minor incidents that potentially had an impact on customers but were not managed centrally by the department”: in other words, incidents which were violations of internal procedures but not mandated reportable data breaches.
The howls are not what they seem
The indignation which greeted the NAO report produced superb sensational headlines, such as “UK data security breached 9,000 times”. Unfortunately the sound bites do not tell the whole story.
Two points are worth considering.
The first is that HMRC is one of only three central government offices, along with the Department for Work and Pensions and the Home Office, which deal with nearly every member of the British population on a personal basis. By contrast, to use just one example, the now-defunct Department for Energy and Climate Change recorded no data breaches. This is not because the latter department had better data policies. To compare consumer-facing organisations handling millions of customer accounts to Whitehall bureaucracies handling the occasional public consultation is to contrast apples and oranges.
The second, and perhaps the more telling point made by the report, is the NAO’s observation that organisations which report higher numbers of personal data breaches, such as HMRC and the Ministry of Justice, are actually safer organisations. The high numbers can indicate cultures where discussions of errors, data breaches and the occasional punitive consequences are open, accepted, and expected. Low numbers, by contrast, can indicate cultures where information security concerns, including data breaches, are swept under the carpet.
The NAO report made it clear that this lack of consistency in reporting data breaches across government, born of differences in workplace cultures, is as much of a problem as the breaches themselves. It certainly seems strange, for example, that the DWP logged zero minor and unreported incidents compared to HMRC’s 6,038. In that light, HMRC’s position at the top of the data breach table is in fact far less concerning than the smaller numbers listed below it.
Harder better faster stronger
It is all change for government data security. The newly created National Cyber Security Centre, which opens next month, will consolidate many of the government’s self-serving data security groups and functions under clear and cooperative leadership.
That centre, to close on a somewhat awkward point, has been established as a requirement under the upcoming EU NIS Directive on Cybersecurity.