HMRC has identified people as key to the success of its information security programme after a data breach in 2007 when it lost the personal details of 25 million people.
Jeff Brooker, head of security and business continuity at HMRC, told the first annual Human Factors in Information Security Conference in London that getting the basics right had involved every one of the taxman's 85,000 employees.
The initial phase of the programme put security at the heart of HMRC's business strategy and in the performance objectives of every employee.
HMRC's data security programme has 12 golden rules, which cover improving security consciousness and behaviour in data handling, a data security rulebook, data security workshops, and a dedicated security zone on the HMRC intranet.
"The security zone provides employees with all they need to know about security on their computer, how to protect themselves and their information, and how to ensure a secure work environment," said Brooker.
The site also provides security tips, frequently asked questions and news, and enables employees to test themselves on security and report any security incidents or problems they see.
Much of the initial phase has been about making information easy to understand and easy to do, said Brooker. "We have used a variety of communication channels to get full coverage of employees to enable a culture change, including the internal magazine, posters, the rulebooks, training sessions and the intranet."
Other important changes included encouraging senior management to champion security and appointing data guardians in all 45 of HMRC's business units.
"We are making progress, with 97% of staff saying they are aware of security policy, more than 29,000 staff using the intranet, and 35% saying they refer to the rulebooks regularly," said Brooker.
But, he sees it as only the beginning. "Road safety surveys have proven that 46% of people will follow the rules if they are easy enough to follow," said Brooker. Raising compliance above that 46% was the challenge that lay ahead, he said.
"Like all organisations, we have to think about how people operate and then devise ways to change that behaviour [to improve overall data security]," said Brooker.