Three reports were published today relating to last November's
news that two discs containing details of 25 million child benefit
recipients had gone missing after being sent from HMRC to the
National Audit Office (NAO). A fourth report, also published today,
dealt with the theft in January of a Royal Navy recruiter’s laptop
which contained unencrypted records on more than 600,000
people.
The Poynter report
Kieran Poynter, Chairman of PricewaterhouseCoopers, was
commissioned by HM Treasury to investigate the circumstances that
caused the incident. He has recommended systematic, organisational
and management structures to improve HMRC's data handling
performance.
Poynter's report (109-page / 1MB PDF) found that the loss was
"entirely avoidable" and said the incident showed "serious
institutional deficiencies at HMRC."
Since the incident, a Chief Risk Officer has been appointed and
clear security guidance has been published. Poynter makes 45
recommendations in his report.
Chancellor Alistair Darling said in the House of Commons today
that all of these recommendations have been accepted.
"HMRC has made good progress on 39 of the recommendations
including 13 which have been fully implemented," he said. "Work is
continuing on the remaining recommendations."
OUT-LAW has produced a short briefing
on the Poynter report.
The IPCC report
Secondly, the Independent Police Complaints Commission (IPCC),
acting on its own initiative, investigated the events leading up to
the loss of data to consider whether any criminal conduct or
disciplinary offences had been committed by HMRC staff. The IPCC
has concluded that individual members of staff were not to
blame.
The IPCC report (61-page / 144KB PDF) found a complete lack of any
meaningful systems; a lack of understanding of the importance of
data handling; and a 'muddle through' ethos.
"Staff found themselves working on a day-to-day basis without
adequate support, training or guidance about how to handle
sensitive personal data appropriately," according to an IPCC
statement. "While an ongoing review of data procedures was being
conducted within HMRC at the time of these events, it had not been
finalised. Had this internal review received a higher priority,
this incident may have been avoided."
"The IPCC's investigation uncovered failures in institutional
practices and procedures concerning the handling of data. It
revealed the absence of a coherent strategy for mass data handling
and, generally speaking, practices and procedures were less than
effective," it said.
Sir Gus O'Donnell's report
Thirdly, Cabinet Secretary Sir Gus O'Donnell has published a
review of information security in Government. His report,
commissioned by the Prime Minister, explains a new framework for
the future to improve the rules, culture, accountability and
scrutiny of data handling.
Sir Gus's report (46-page / 218KB PDF) calls for mandatory
minimum measures across government, including encryption and
compulsory testing by independent experts of the resilience of
systems.
All civil servants dealing with personal data will be required
to undergo mandatory annual training and the Government will be
introducing Privacy Impact Assessments.
Data security roles within departments are being standardised
and enhanced to ensure clear lines of responsibility, according to
the report. Departments will report on their performance under the
scrutiny of the National Audit Office. The Information Commissioner
will perform spot checks.
Sir Gus said that since November, the Civil Service has
responded "with urgency and vigour to improve data security."
"However, I am under no illusion that more still needs to be
done to restore public faith in the Government's ability to handle
personal information safely," he said. "Although no organisation,
public or private, can ever guarantee that it will never make a
mistake, I believe the measures we are announcing today will ensure
that the public can be assured we are taking the necessary measures
to keep people's data secure."
Action already taken to improve security includes the Cabinet
Office issuing new, stricter guidelines on the handling of
sensitive personal data, 90,000 employees at HMRC being given
additional security training and the encryption of 20,000 laptops
at the MOD.
OUT-LAW has produced a short briefing
on Sir Gus O'Donnell's report.
Sir Edmund Burton's report
The fourth report, on the stolen laptop, was published by the
Ministry of Defence. In it, Sir Edmund Burton, chairman of the
Information Assurance Advisory Council, which supports the Cabinet
Office, made 51 recommendations (76-page / 1.1MB PDF) to prevent similar
losses in future.
The MOD said today that it has accepted all of Sir Edmund's
recommendations and has prepared an action plan to implement
them.
The Information Commissioner's response
Information Commissioner Richard Thomas said today that
enforcement notices will be served under the Data Protection
Act.
"I will be taking formal enforcement action against HMRC and MOD
following the serious data breaches that have occurred," he said in
a statement (2-page PDF). "The reports that have been published
today show deplorable failures at both HMRC and MOD."
"It is beyond doubt that both Departments have breached Data
Protection requirements and we intend to use the powers currently
available to us to serve formal Enforcement Notices on them."
To comply with the terms of the Enforcement Notices HMRC and the
MOD will be required to use their best endeavours to implement all
the recommendations outlined in the reports, said Thomas.
The Commissioner said his office will require progress reports
to be published after 12, 24 and 36 months documenting in detail
how the recommendations have been, or are being, implemented to
improve data protection compliance.
Failure to comply with an Enforcement Notice is a criminal
offence.
How it happened
Sequence of events leading to the loss of data (the IPCC's account)
The IPCC inquiry focused on events that took place between
December 2006 and March 2007 and between September and October 2007
relating to two separate audits, carried out by the NAO, of the £10
billion expenditure on Child Benefit.
The NAO needed to check the accuracy of Child Benefit payments. It
asked for the relevant data but without names, addresses or bank
account details. HMRC had already scanned the full data set and chose
to reuse that existing extract rather than ask the business for a
fresh scan with the identifying details stripped out, which it
believed might be burdensome and costly.
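The stripped extract the NAO asked for is cheap to produce from the full one, and doing so is the point of the minimisation the reports press for. The following is an added example written for this page (not HMRC, NAO or Poynter-report code): it takes a constructed CSV of benefit records, drops the fields the auditor did not ask for, replaces the claimant reference with a keyed pseudonym so records can still be matched across a repeat audit, and computes a digest to be sent separately so the recipient can confirm the disc that arrives is the one dispatched. The column names, the sample rows and the key are assumptions.

```python
"""Added example: minimising a benefit-records extract before it is
shared with an auditor. Illustrative code for this page, not the code
of any department named in it; layout, rows and key are constructed."""
import csv
import hashlib
import hmac
import io

# Constructed sample of a full operational extract. Names, addresses
# and bank details are the fields the auditor did not request.
FULL_EXTRACT = """\
claimant_ref,name,address,sort_code,account,children,weekly_amount,last_paid
CB1001,A. Example,1 High St,12-34-56,11111111,2,33.20,2007-09-28
CB1002,B. Example,2 Low Rd,65-43-21,22222222,1,18.80,2007-09-28
CB1003,C. Example,3 Mid Ave,11-22-33,33333333,3,47.60,2007-09-21
"""

# Fields that identify a claimant and are not needed for an accuracy check.
IDENTIFYING_FIELDS = {"name", "address", "sort_code", "account"}


def pseudonymise(ref: str, key: bytes) -> str:
    """Keyed hash of the claimant reference (HMAC-SHA256, truncated).

    Stable across repeat audits run with the same key, so the auditor can
    match records between runs, but not reversible by the recipient.
    """
    return hmac.new(key, ref.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(full_csv: str, key: bytes) -> str:
    """Return a CSV holding only the fields needed for the accuracy check."""
    reader = csv.DictReader(io.StringIO(full_csv))
    keep = [f for f in reader.fieldnames if f not in IDENTIFYING_FIELDS]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row["claimant_ref"] = pseudonymise(row["claimant_ref"], key)
        writer.writerow({f: row[f] for f in keep})
    return out.getvalue()


def digest(data: str) -> str:
    """SHA-256 of the extract, sent by a separate channel so the recipient
    can confirm the media received carry exactly what was dispatched."""
    return hashlib.sha256(data.encode()).hexdigest()


def leaked_fields(minimised_csv: str) -> set:
    """Pre-dispatch check: which identifying fields survived minimisation?"""
    header = minimised_csv.splitlines()[0].split(",")
    return IDENTIFYING_FIELDS & set(header)


if __name__ == "__main__":
    key = b"constructed-audit-key"  # assumption: held by the sender only
    audit_extract = minimise(FULL_EXTRACT, key)
    assert not leaked_fields(audit_extract)
    print(audit_extract)
    print("digest:", digest(audit_extract))
```

The key stays with the sender; the auditor receives pseudonyms it cannot reverse, and a lost disc carries no names, addresses or bank details. The digest does nothing for confidentiality, which is what encryption of the media would add; it only lets the recipient detect a substituted or corrupted disc.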
In March 2007 one employee questioned supplying all of the data but
was told the NAO was entitled to go anywhere and have access to
anything without exception. The CDs were sent to the NAO and
returned safely in April 2007.
In September 2007 the NAO asked to repeat the audit, and asked HMRC
to ensure that the CDs were delivered as safely as possible given
their content. On 18th October the CDs were sent from Washington,
Tyne and Wear, through the internal tax post system in an envelope
addressed to the NAO in London. The package was neither tracked nor
sent by recorded delivery. The CDs never arrived, and copies were
made and re-sent.
On 8th November a security breach report was raised by an HMRC
employee. On 15th November HMRC informed the Metropolitan Police of
the loss of the CDs. The following day HMRC formally referred the
incident to the IPCC. The Metropolitan Police formally began their
investigation to find the missing CDs on 18th November.