This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Poynter Review, IPCC severely criticise HMRC over data breach

Share this article:
The Independent Police Complaints Commission has today issued a damning verdict on the circumstances leading to the loss of 25million child benefit records last year.

The IPCC's verdict was released alongside the final version of the Poynter review, a stinging report headed by the chairman of Price Waterhouse Coopers Kieran Poynter.

Her Majesty's Revenue and Customs (HMRC) lost two child benefit CDs containing the personal details of 25 million people in October 2007.

Issuing its report today, the IPCC said processes for handling data at HMRC's child benefit office were "woefully inadequate". It said there was no "coherent strategy" for handling large quantities of data and that there was a "muddle-through ethos".

"The IPCC's investigation uncovered failures in institutional practices and procedures concerning the handling of data. Staff found themselves working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data appropriately," said the IPCC in its report.

The IPCC found that HMRC was reviewing its data procedures at the time of the loss, but that the review was incomplete. Had the review been given a higher priority, the breach might not have happened, the IPCC said.

The IPCC said it would refer its findings to the Information Commissioner.

The Poynter review used much of the same terminology. It said there are "serious institutional deficiencies" at HMRC and that there is "no visible management of data security at any level".

The Information Commissioner Richard Thomas today also received a report from Sir Edmund Burton into the loss of 600,000 personnel records which went missing on a PC from the Ministry of Defence in January.

Thomas was scathing, referring to the two data breaches as "deplorable". He said he would take "enforcement action" against both HMRC and the MoD.

Enforcement action is the toughest sanction the Information Commissioner's Office can issue and it can have severe consequences. Failure to comply with an enforcement notice is a criminal offence.

Thomas said: "It is beyond doubt that both Departments have breached data protection requirements and we intend to use the powers currently available to us to serve formal Enforcement Notices on them."

HMRC's acting chairman Dave Hartnett today wrote to the Treasury. In the letter, he admitted that the breach was avoidable and "a result of serious failings within HMRC".

"This loss was the most serious incident in the department's history and damaged HMRC's reputation for handling our customers' data," he said.

Hartnett added that data security had been "significantly strengthened" since the breach. He said the lost data has not been found, but there has been no evidence of any fraudulent activity resulting from the loss.

Speaking in the House of Commons today, the Chancellor Alistair Darling said: "It is quite clear the loss was entirely avoidable," he said. "I apologise unreservedly".
Share this article:

SC webcasts on demand

This is how to secure data in the cloud


Exclusive video webcast & Q&A sponsored by Vormetric


As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.


View the webcast here to find out more

More in News

GCHQ head says agency was 'never involved in mass surveillance'

GCHQ head says agency was 'never involved in ...

Sir Iain Lobban says GCHQ staff "are normal decent human beings who watch EastEnders and Spooks".

Apple Mac OS criticised for sending search results to third parties

Apple Mac OS criticised for sending search results ...

Apple is under pressure to make changes to the Spotlight feature on the new Mac OS X Yosemite 10.10, which tracks location and sends data back to the firm and ...

China refutes new FBI hacking claims

China refutes new FBI hacking claims

It's been another week of claims and counterclaims as the US and Chinese governments accuse each other of deviant cyber security practices.