Systemic failures at HMRC exposed personal data of 25 million people, says PwC

HM Revenue and Customs embarrassing loss of  two discs containing the personal details of 25 million people was the result of systemic failure an independent review of information security at the department has concluded.

The 100 page report carried out by Kieran Poynter, chairman and senior partner at PricewaterhouseCoopers was presented to parliament today. The data loss was avoidable and was the result of systemic failings within HMRC, it concluded.

The report highlighted weakness in information security policies at the department which were too complicated and difficult for staff to navigate,. It pointed to  inadequate security awareness, a lack of communication and training on data security and a lack of clarity around the governance and accountability for data protection.

Chancellor Alistair Darling told Parliament today that the culture within HMRC  needed to change in line with changing technology. It is absolutely clear that people need to understand the importance of protecting the information they handle, he said.

Techniques for handling data have changed, making it possible to transfer higher volumes  at the push of a button but government procedures have not changed at the same pace.

"There is a problem that people have not woken up to the fact that processess used when everything was stored on paper are not appropriate," said Darling.

Vince Cable, deputy leader of the Liberal Democrats, said blaming the culture at HMRC for the data loss meant "everybody was to blame but nobody was responsible."

More on Poynter report: Summary of Poynter report and comment by Computer Weekly's Tony Collins >>