HMRC staff who worked with sensitive data carried
out duties with a ‘muddle through’ ethos, a report into the missing
child benefit discs from the independent police complaints
commission (IPCC) has found.
HMRC staff were working on a day-to-day basis
without adequate support, training or guidance about how to handle
sensitive personal data, the IPCC has concluded.
The IPCC has referred the case to the Information
Commissioner.
HMRC needs to develop a data security strategy and
train staff to understand how to comply with the Data Protection
Act, the IPCC concluded
HMRC should appoint a data controller to
demonstrate a management commitment to information security
throughout the organisation, it said.
"Many reforms have taken place [at HMRC] and are
continuing as improvements are rolled out across the department. We
hope that the momentum will be maintained," said IPCC Commissioner
Gary Garland, who oversaw the investigation.
HMRC informed the Metropolitan Police of the loss
of the CD on 15 November and referred the incident to the IPCC the
following day.The Metropolitan Police began its investigation to
find the missing CDs on 18 November.
Read more:
Cultural failures led to HMRC data loss, says
report>>
Alistair Darling highlights HMRC data-handling
failures>>
Government should provide guidance on data breaches, say
experts>>