Poynter review: HMRC has radically reduced security risks

HMRC has radically improved its data security measures since the breach which caused it to lose 25 million child benefit records in October last year.

Those are the thoughts of Kieran Poynter, chairman of PricewaterhouseCoopers, whose review into the data breach was published yesterday.

The positive statement was published as part of a largely critical report which said there were "serious institutional deficiencies" and "no visible management of data security at any level" of HMRC.

But Poynter did take the opportunity to outline HMRC's achievements since the breach.

Among the more important he picked out were:

- Creating a new post of director of data security;
- Issuing clearer at-a-glance data security guidance, which gives examples of what can be sent by what mechanism, and in what circumstances;
- Mandatory attendance at a half-day information security workshop for all staff;
- A review of post room processes and practice to identify high risk security issues;
- Locking down write access to removable drives, a restriction that can be lifted only by a small number of designated personnel;
- A ban on the use of unencrypted laptops outside secure premises;
- The introduction of new controls for bulk data transmissions;
- Progress on developing a mechanism for secure electronic transfer of information with external partners.

"I am pleased to say that HMRC has significantly reduced the risk of further data loss since the incident," said Poynter.

Also published yesterday was a review of data handling in the Government by Cabinet Secretary Gus O'Donnell. O'Donnell was commissioned by the Prime Minister to produce the review following the HMRC breach. His work follows extensive conversations with both Government departments and independent security experts.

He concluded: "A lot has already been done, but there is more to do".

In his review, he highlighted a number of significant actions, including:

- The introduction of mandatory minimum security measures across government when handling personal data, including encryption and resilience testing by outside parties;
- Mandatory annual training for those involved with handling personal data;
- An increased role for the use of Privacy Impact Assessments;
- The standardisation of data security roles to ensure clear lines of responsibility;
- A requirement for Government departments to report on their data security performance under the scrutiny of the National Audit Office.

Rosemary Jay, head of information law at legal firm Pinsent Masons, said there was a hint that the Government might be regarding itself as the custodian of people's information, rather than regarding such information as its own.

Writing on Out-law.com, a Pinsent Masons website, she said: "The report does not address the question of whether a straightforward solution would be for the Government to collect less data. Nor does it address the risks being run by the consolidation of datasets. But that was never intended to be the focus of the exercise.

"[The report] deals with security as a management issue for Government and eschews the language of data protection. For organisations outside the public sector, the main impact of Sir Gus's report will be on those with public sector contractual relationships.

"We have already seen the impact on those who currently have large central Government contracts but eventually this will cascade through the entire public sector and all those involved will need to be prepared."

O'Donnell said: "The action already underway will raise our game, but the task of improving information security will always be a continuing process."