The loss of two disks with details of 25 million people was far from an isolated incident. What is going on at HMRC?
The aspiration to become a 'learning organisation' was regularly voiced in the corridors of the Department of Health a few years ago. The ambition was that government should learn from past mistakes and be more in touch with the concerns of the public; yet the recent loss of confidential data of almost half the population while in transit from HM Revenues & Customs (HMRC) to the National Audit Office (NAO) shows how far from reality this is.
HMRC's ineptitude has provoked outrage and derision in almost equal measure. A full explanation of how the disaster happened won't emerge until investigations are concluded, but what we know is that as part of a routine check on government spending on child benefit, details of all current claims were requested by NAO on 2 October 2007. NAO required only the name, National Insurance and child benefit numbers of all children qualifying for the benefit in the year 2007 to 2008, an estimated 7.25 million individuals.
Rather than providing just this information, HMRC extracted the records of parents, guardians and children with current claims in its systems, around 25 million people. These records included sensitive information such as address, date of birth and bank details. Exactly why HMRC did so is a question for the investigators, but correspondence published on the NAO website suggests that HMRC wanted to avoid the financial cost of extracting the data subset.
On 18 October, an employee at HMRC offices in Tyne & Wear sent two disks containing the information to NAO offices in London using parcel service TNT. It appears that the data on the disks was unencrypted, protected only by a password, and that a signature from the recipient wasn't required.
On 24 October, NAO contacted HMRC to say the disks had yet to arrive, and asked for a second set, which was duly delivered by TNT's registered overnight service the following day. HMRC emailed NAO on 5 November to check if the first set had arrived, and brought the loss to the attention of senior managers for the first time on 8 November.
A week later, HMRC called in the Independent Police Complaints Commission (IPCC), a Home Office body empowered to investigate serious complaints against HMRC staff. The weekend of 17 and 18 November brought a flurry of activity to NAO premises, with a search of its offices in Victoria by a team from HMRC, then by an NAO team, followed by a visit from the Metropolitan Police.
In an emergency statement in the Commons on 20 November, Chancellor of the Exchequer Alistair Darling claimed that he first learned about the missing disks some ten days earlier on 10 November and ordered an immediate investigation. HMRC chairman Paul Gray was told to notify the police on 14 November, according to Darling.
Having stumbled into this mess, a great deal hangs now on a vigorous, thorough and purposeful response from the Government. Darling's first move was to appoint Kieran Poynter, the chairman of PricewaterhouseCoopers, to lead an investigation into the processes and policies government has in place for handling data. An interim report on the findings was expected in December 2007, and the full report in spring 2008. According to the Chancellor, Poynter will work with the IPCC and the Information Commissioner's Office (ICO).
Just how effective this three-handed partnership will be remains to be seen, but there is no doubt that the ICO takes the HMRC case extremely seriously. Even before the loss of the disks, the department's habit of sending sensitive data in the post may have been a breach of the Data Protection Act, the body says. "We don't know all the facts yet, but it's almost certain that HMRC was breaking the law," an ICO spokesperson claims.
While HMRC and NAO staff were ransacking government offices for the lost disks, Information Commissioner Richard Thomas was telling a House of Lords constitution committee inquiry of the need for a tougher data-protection regime, including powers enabling the ICO to perform spot checks on organisations and tougher laws holding individuals as well as public bodies personally responsible for gross negligence in handling personal data.
Unfortunately, this isn't the first time HMRC has taken such a slipshod approach to data security. In March 2007 HMRC sent similar data on disks through the post to NAO, although they arrived without mishap on that occasion, and were returned safely.
Neither is this the first time concern has been expressed by the ICO. Last September, an HMRC employee reported a laptop stolen from his car, containing customer details from around 15 financial institutions, albeit in encrypted form. The laptop bag also contained some details about individuals that had been printed out on forms. A month later, HMRC sent a disk via courier to financial services provider Standard Life, but it was "lost en route". The data was not encrypted and contained details of 15,000 Standard Life customers such as names and National Insurance numbers.
Taken together, these cases suggest fundamental weaknesses in HMRC's security policy. Worse, it may well be symptomatic of wider failures in central government. "What is most disturbing is the attitude that caused senior officials to allow security processes to be overridden on what appears to have become a routine basis," says Philip Virgo, strategic adviser to the Institute for the Management of Information Systems.
In theory, all departments are required to implement information security policy in accordance with guidance laid down by the Central Sponsor for Information Assurance (CSIA). This branch of the Cabinet Office draws on the expertise of security experts across government, including the Serious Organised Crime Agency and the Communications-Electronics Security Group, which grew out of GCHQ.
However, CSIA has limited powers when it comes to ensuring compliance, it seems. "The Cabinet Office draws up perfectly robust guidance," a spokesperson says. "But it is up to each department to implement it. I believe they are supposed to have a senior manager responsible for this, but job titles will differ from department to department." The Cabinet Office is to launch its own investigation into policy compliance under the direction of Robert Hannigan, its head of intelligence, security and resilience.
Government tells us that information security is a high priority, but the reality is often different, says the Earl of Erroll, one of a small but active group of technology-savvy peers. This is because there is a tendency to see security as a technology issue, and much government IT has been contracted out to private-sector suppliers, he suggests. "The problem is that government departments feel above it," he claims. "They tell us everything is perfectly alright, but now I think they're terrified that what has happened at HMRC is a systemic problem."
Responsibility for security has not been made enough of an issue for senior people, the Earl of Erroll complains. "In a department, the person responsible for security won't be the budget holder. When it comes to cutting costs what happens to security?"
Government must put this right, he adds. "It's destroying what little faith people have in government. The other danger is that it will put the brakes on data sharing between departments, which is necessary if people are to receive the services they need."