HMRC's fragmented IT structure was a contributory factor to the department's loss of the personal details of 25 million Britons.

This was the finding of an independent review into the circumstances that led to the loss of two discs containing the records of 25 million child benefit claimants.

The news came as the Information Commissioner announced he would take enforcement action against HMRC for the breach.

The merger of Inland Revenue and HM Customs and Excise in 2005 to form HMRC left the organisation with fragmented IT systems, the review by Kieran Poynter, chairman and senior partner at PricewaterhouseCoopers, found.
HMRC's IT systems include those supporting services such as PAYE, National Insurance, Child Benefit and Tax Credits. Each system has to maintain and secure its own separate set of customer data.
"Maintaining these separate records is both inefficient and increases information security risk because of the constant need to bring this information together."

"Putting better controls around the existing set of processes and supporting systems will improve information security, but to reduce information security risk to acceptable levels will require more fundamental change," the report said.
Although organisations can introduce strategy, people, process and technology to make sure the fundamentals of information security are right, the report concluded that these measures alone would do little to help HMRC.

"The best controls in the world can never ultimately eliminate the information security risk associated with the fragmented state of HMRC's IT estate and its processes," the report said.
The review found that a lack of security education and awareness at HMRC made it difficult for employees to work securely.

It recommended that HMRC set out a detailed road map outlining what the business and its supporting IT will look like year by year.
The report coincided with the publication of a security framework today by cabinet secretary Sir Gus O'Donnell, which recommended wide-scale reform across Whitehall of the way government departments handle sensitive data.
Other key recommendations of the Poynter report:

HMRC should move to a single customer record for individuals and a single customer record for all parts of the organisation.

HMRC should have the powers to specify secure methods of exchanging data with its customers, starting with businesses and over time including individuals.

The transfer of digital data on physical media should be phased out completely.

In the short term, any removable media should be encrypted so that if they are lost or stolen any data or information on them cannot be accessed.