Government failed to ensure departments protected sensitive personal data, politicians admit.
The government's biggest mistake in the run up to HMRC's loss of the personal details of 25 million people, was the failure to scrutinise data practices in government departments, politicians admitted this week.
Cabinet Secretary Gus O'Donnell, and Ed Miliband, Cabinet Office minister, said the Cabinet Office sent out reams of data-handling guidance to departments, but failed to ensure government departments were complying with it.
O'Donnell said, "If there is a mistake we made, it was relying too much on guidance and not enough on testing compliance.
"There was an issue that guidance is too complex, or in some cases it was not being followed at the front line. There was no way of testing if guidance was being followed."
Ed Miliband added, "It is not about issuing documents, it is about changing the culture."
They were answering questions from MPs on the Public Accounts Committee, which is holding an enquiry into data handling in government.
Its recommendations included measures to improve data handling by giving the Information Commissioner the power to make spot checks on departments' data policies.
Departments - including HMRC, whose loss of two discs with 25 million personal details focused attention on the issue of data security - must train all their staff in the importance of keeping data secure. "Staff should treat personal data in the same way they treat cash," O'Donnell said.
Miliband did not agree there should be criminal penalties for civil servants who knowingly allow data to be compromised. He said, "It does not strike me as a way to achieve the ends that we want. It is easy to say, let us throw some civil servants in jail, but I do not think it will achieve very much."
O'Donnell said much of HMRC's £155m investment in data security will be spent on measures improving IT, such as encrypting all mobile devices.