Poynter Review, IPCC severely criticise HMRC over data breach
The IPCC's verdict was released alongside the final version of the Poynter review, a stinging report headed by Kieran Poynter, the chairman of PricewaterhouseCoopers.
Her Majesty's Revenue and Customs (HMRC) lost two child benefit CDs containing the personal details of 25 million people in October 2007.
Issuing its report today, the IPCC said processes for handling data at HMRC's child benefit office were "woefully inadequate". It said there was no "coherent strategy" for handling large quantities of data and that there was a "muddle-through ethos".
"The IPCC's investigation uncovered failures in institutional practices and procedures concerning the handling of data. Staff found themselves working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data appropriately," said the IPCC in its report.
The IPCC found that HMRC was reviewing its data procedures at the time of the loss, but that the review was incomplete. Had the review been given a higher priority, the breach might not have happened, the IPCC said.
The IPCC said it would refer its findings to the Information Commissioner.
The Poynter review used much of the same terminology. It said there are "serious institutional deficiencies" at HMRC and that there is "no visible management of data security at any level".
The Information Commissioner, Richard Thomas, today also received a report from Sir Edmund Burton into the loss of 600,000 personnel records, which went missing in January on a PC from the Ministry of Defence.
Thomas was scathing, referring to the two data breaches as "deplorable". He said he would take "enforcement action" against both HMRC and the MoD.
Enforcement action is the toughest sanction the Information Commissioner's Office can issue and it can have severe consequences. Failure to comply with an enforcement notice is a criminal offence.
Thomas said: "It is beyond doubt that both Departments have breached data protection requirements and we intend to use the powers currently available to us to serve formal Enforcement Notices on them."
HMRC's acting chairman Dave Hartnett today wrote to the Treasury. In the letter, he admitted that the breach was avoidable and "a result of serious failings within HMRC".
"This loss was the most serious incident in the department's history and damaged HMRC's reputation for handling our customers' data," he said.
Hartnett added that data security had been "significantly strengthened" since the breach. He said the lost data has not been found, but there has been no evidence of any fraudulent activity resulting from the loss.
Speaking in the House of Commons today, the Chancellor Alistair Darling said: "It is quite clear the loss was entirely avoidable," adding: "I apologise unreservedly."