
Evidence has emerged as to why the National Audit Office (NAO)
asked HM Revenue and Customs (HMRC) for a large download of
information from the child benefit database.
After receiving the request, HMRC sent the NAO details of all
child benefit recipients: records for 25 million individuals and
7.25 million families. These included the names of children and
their parents, addresses, dates of birth, child benefit numbers,
national insurance numbers, and even bank or building society
account details.
The National Audit Office had suggested to HMRC that it remove
the names of parents, their addresses and bank details but the
department declined.
In the House of Commons on 20 November 2007 the Chancellor of the
Exchequer, Alistair Darling, asked why the National Audit Office had
asked for so much information from the child benefit database.
Darling said: "It is not at all clear to me why seven million
records would be necessary, or whether it would be possible for
anyone actually to look at seven million records and properly audit
them."
On 21 November 2007 Computer Weekly disclosed that the practice of
transferring details of all child benefit claimants onto CDs became
established in March this year after HMRC's auditors, the National
Audit Office [NAO], ceased to accept sample records for its audit of
the department's accounts.
Now it's becoming clear why the NAO wanted so much information
from the child benefit database rather than merely a sample of
data.
The NAO says that child benefit payments amount to £10bn. "By
any objective measure, Child Benefit is material to [HM Revenue and
Customs'] Resource Accounts and we have to carry out substantive
audit work on this figure, if we are to obtain sufficient
appropriate evidence to support the Comptroller and Auditor
General's audit opinion."
In the past NAO staff, in seeking assurances about possible
levels of fraud and error in child benefit payments, relied mainly
on HM Revenue and Customs' own review of a sample of cases – about
1,500.
This was only a small sample. Before child benefit was run by
HMRC it was administered by the Department of Work and Pensions
(DWP) which used many more sample records – about 20,000 child
benefit cases – to check for fraud and error.
The Tax Credits Act 2002 transferred the responsibility for the
administration of child benefit from the DWP to HMRC.
Worried that HMRC tested too few child benefit cases to give any
assurances for audit purposes, NAO staff decided to do their own
comprehensive analysis of child benefit data – which is why they
asked HMRC to provide the entire child benefit database, though
they suggested the names of parents, addresses and bank account
details were removed first. An NAO employee sent an email to the
Benefits Office, which is part of HMRC, on 13 March: "I do not need
address, bank or parent details in the download – are these
removable to keep the file smaller?"
A Benefits Office employee declined politely to provide edited
information from the child benefit database. The reply to the NAO,
which was emailed about an hour later, said: "I must stress we must
make use of [existing] data we hold and not overburden the business
by asking them to run additional data scans/filters that may incur
a cost to the department."
In deciding to do their own larger-scale checks the NAO staff
were motivated by new, more exacting international standards on
auditing.
An NAO executive has written to an HMRC director to apologise
for not explaining clearly to HMRC's Finance Director the
implications of the change in audit approach. The executive said to
the HMRC director in a letter dated 9 November 2007: "We are
obviously aware that there are a number of lessons to be learned
from this incident [that of the two missing, unencrypted CDs which
contained information on 25 million people on the child benefit
database]." The NAO executive added: "Clearly we have to suspend the
way in which we are currently accessing child benefit data; and I
am happy to confirm that we have now done this. We will need to
discuss with you how we can meet our obligations under the auditing
standards whilst helping you to maintain the high standards of data
security sufficient to satisfy the responsibilities we both have
for data protection."