News Analysis

HMRC left the door open to data loss

John-Paul Kamath

The government has promised sweeping changes to the way data is secured across Whitehall in the wake of the missing discs review.

HM Revenue and Customs (HMRC) was considered "woefully inadequate" in its handling of corporate data and its managing of sensitive data was described as a "muddle through" in two independent reviews last week.

Information Commissioner Richard Thomas will serve notices requiring HMRC to carry out technical changes to secure its data following investigations into the loss of discs containing 25 million child benefit records.

HMRC must report its progress on implementing the changes every 12 months for the next three years. "No chief executive can now say that data protection does not matter," says Thomas.

An action plan, published by cabinet secretary Sir Gus O'Donnell, addresses the technical safeguards that need to be in place from now on, and which were found to be lacking in the events leading up to the loss of the discs.

The over-arching policy limits the use of removable media including laptops, removable discs, CDs, USB memory sticks, PDAs and media card formats for storage or access to sensitive data.

Users will be allowed to access data only on secured sites or through password-protected remote access.

Remote access will require cryptography conforming to Federal Information Processing Standard (FIPS) 140. Computers used by staff to dial into government databases must be patched and have up-to-date antivirus protection.

Departments holding personal data on more than 100,000 individuals must hire IT experts to conduct penetration testing on their systems. Government departments will need to keep electronic logs auditing access to data.

IT systems that hold personal data will also have their security re-accredited after major hardware or software upgrades, and otherwise approximately every five years.

In addition to the IT changes recommended by the Cabinet Secretary, the Independent Police Complaints Commission (IPCC) report recommends that HMRC train its staff in data protection and security and communicate the importance of both.

The government's own report says the success of its information security would depend on fostering a culture of valuing and protecting information.

But the discs remain missing and the government has not held anyone accountable for their loss.

The director of public prosecutions offered staff at the centre of the case immunity from prosecution under the Data Protection Act for any "inadvertent breaches" of security, although no misconduct or criminality was found.

Vince Cable, Liberal Democrat Treasury spokesman, said the inquests into the incident focused on "cultural failure" while failing to hold individuals accountable for failures.

"We now have something new called 'cultural failure', which is an all-pervasive management mess for which everybody is to blame, but no individual is responsible," he says.

Poynter review IT recommendations

● Move to a single customer record for individuals and a single customer record for all parts of the organisation to reduce points of risk

● Introduce powers to allow HMRC to specify secure methods of exchanging data with its customers

● Transfer of digital data involving physical media should be phased out

● In the short term, any removable media should be encrypted so that if they are lost or stolen any data or information on them cannot be accessed

Government action plan on data security

● Departments must have their systems tested by independent IT experts, to expose any security risks

● Departments holding personal data on more than 100,000 individuals must hire IT experts to conduct penetration testing on their systems

● Civil servants who need access to sensitive data outside the office must dial in on a home system or through a remote secure channel, rather than transfer data on a mobile device

● All devices must be encrypted and the use of discs will be phased out

● The government plans to minimise access rights to information and will keep logs of electronically held information

HMRC lost disc timeline

1 March 2007

National Audit Office (NAO) makes first request for details of all new and terminated cases of child benefit claimants - between 600,000 and 800,000 people

12 March 2007

HM Revenue and Customs (HMRC) confirms that the NAO is entitled to the information

2 October 2007

National Audit Office formally asks HMRC for files on child benefit claimants

18 October

HMRC tells the NAO that the CDs have been sent

24 October

NAO informs HMRC that the discs have not arrived. NAO asks for a second set to be sent - it needs them urgently to ensure an audit of HMRC's accounts is not delayed

25 October

NAO confirms receipt of the second set of discs. Staff point out that the first set has still not arrived

5 November

HMRC confirms that the first set of CDs is still missing

8 November

NAO begins a search for the missing CDs and the loss of the data is raised formally as a security incident. Senior management is informed - but not the chancellor of the exchequer Alistair Darling, who is responsible for HMRC




