Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

HMRC disc loss was 'entirely avoidable'

Scathing reports published.

Article comments

Systematic failures and "woefully inadequate" processes for handling data at HM Revenue and Customs (HMRC) led to the loss of personal details of 25 million people, according to two scathing reports published Wednesday.

Fragmented and complex IT systems made it difficult for the organisation to identify and manage its information security risks, the Poynter report stated.

The report - which highlighted serious structural failings at HMRC offices and said the loss was "entirely avoidable" - was the result of a review into HMRC's security procedures by PricewaterhouseCoopers chairman, Kieran Poynter, in consultation with the Independent Police Complaints Commission (IPCC).

Another report by the IPCC also dealt HMRC a heavy blow, stating information security "simply wasn't a management priority". The IPCC report looked into the series of events that lead up to the loss of data to consider whether any criminal conduct or disciplinary offenses had been committed by HMRC staff.

While IPCC found no evidence of criminal misconduct, it said corporate data handling was "clearly woefully inadequate."

The investigation found "the absence of a coherent strategy for mass data handling" and a whole department that demonstrates a "muddle through ethos". HMRC staff often found themselves working "without adequate support, training or guidance about how to handle sensitive personal data appropriately," the report continued.

After the loss of the two child benefit discs last autumn, HMRC has pledged £155 million over three years to improve data security. The Poynter report made a number of recommendations for HMRC to overhaul its IT systems and its processes so as to reduce the "islands of information", reduce the need for data transfer and improve data integrity.

"To merely augment controls around HMRC's existing processes will not sufficiently reduce information security risk, especially given the fragmented nature of HMRC's IT estate," the report stated.

Information commissioner Richard Thomas said formal enforcement action had been taken against the HMRC following the data breaches. He added it is "beyond doubt" that the department breached Data Protection requirements.

In a letter to the financial secretary to the Treasury, Dave Hartnett, HMRC acting chairman welcomed the reports' findings. Hartnett said that since the child benefit data loss incident, HMRC has introduced a number of data security measures. "As we have discussed, since the incident HMRC has significantly strengthened data security, including removing the ability of all staff to save data to portable media such as CDs and memory sticks and reintroducing this only where there is a compelling business case to do so."

"We have introduced tight restrictions on the bulk transfer of sensitive information and are conforming to new cross government rules on encryption. We are also reviewing all bulk data transfers and have stopped those which are not business critical. And we are working with our stakeholders to further improve the security of bulk data transfers that do still need to be made."

The Poynter report listed urgent actions for HMRC to take, which includes:

    - A reminder to all staff from the Chairman of HMRC of the importance of data security with some specific guidance;

    - The appointment of a senior official to the new post of Director of Data Security;

    - The appointment of Data Guardians in each area of HMRC;

    - The imposition of a complete ban on the transfer of bulk data onto removable media without adequate security protection such as encryption;

    - The disabling of the download function on all personal and laptop computers in use across HMRC, to prevent their use to download data onto removable media;

    - The utilisation of secure couriers and appropriate tamper proof packaging in the transport of bulk data stored on removable media.


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *