‘No fingerpointing’ over HMRC data loss
The loss of 25 million people’s data by HM Revenue and Customs (HMRC) last year cannot be blamed on any one official, a review has revealed today.
In November last year chancellor Alistair Darling ordered Kieran Poynter to investigate the loss of data discs with details of 25 million people sent via courier TNT from the HMRC’s base in the north-east to the National Audit Office in October.
At the time, Mr Darling blamed an oversight by a single official, but the report is expected to blame “cultural failures” at HMRC.
Outlining the Poynter findings in parliament today, Mr Darling explained the review found “serious institutional” failures and a sequence of communications failures.
“[Mr Poynter] finds that the loss was entirely avoidable and the fact that it could have happened points to serious institutional deficiencies at HMRC,” the chancellor said.
“Information security simply was not the management priority it should have been. Moreover, he points to a lack of clarity in communications and the failure to involve senior HMRC staff as being contributing factors in both cases.”
He added the report found these failings had now been addressed.
The Poynter review also highlighted 45 changes that need to be made to improve data security.
The report found staff were unaware of guidance – which was unclear – about sending data and so senior clearance was not called for.
Mr Darling also apologised unreservedly over the affair.
“It is quite clear that the loss was entirely avoidable and again I apologise unreservedly to everyone who has been affected,” he said.
Shadow chancellor George Osborne said the Poynter review outlined incompetences and a guide of how not to run data security.
He added theories held by the chancellor that a single official was to blame was “blown out of the water”.
Mr Osborne added the government had now lost 37 million pieces of individuals’ data.
A further report into the data loss from the Independent Police Complaints Commission (IPCC) is due to be published, while the Cabinet Office is investigating how to improve Whitehall data handling.
The IPCC found “individual members of staff were not to blame for losing the missing Child Benefit data CDs” but “uncovered failures in institutional practices and procedures concerning the handling of data”.
IPCC commissioner Gary Garland, who oversaw the investigation, said: “The failings identified by our investigation are significant. Because of this, and the high level of public concern about this incident.”
Mr Garland found members of staff involved did not recognise the highly sensitive nature of the data and even though those who had concerns did voice them.
The fallout of the report will be pressure on the prime minister, as it was Gordon Brown’s decision to merge Customs & Excise and Inland Revenue to form HMRC while he was chancellor.
Meanwhile, the Cabinet Office report is expected to outline measures brought in to halt further data losses such as giving greater powers to the Information Commissioner.