1) Letter from Dave Hartnett, Acting Chairman of HM Revenue and Customs to Jane Kennedy, Financial Secretary to the Treasury.
2) Chancellor’s statement to the House of Commons
3) Summary of report of the Independent Police Complaints Commission
HM Revenue & Customs has responded to the Poynter report on the loss of two CDs which contained details on 25 million people.
The comment is from HMRC’s Acting Chairman Dave Hartnett. His letter (below) was sent today (25 June 2008) to Jane Kennedy, Financial Secretary to the Treasury.
Dear Financial Secretary
Today’s publication of the Kieran Poynter and IPCC reports into the loss of the Child Benefit data was an important milestone for HMRC. This loss was the most serious incident in the department’s history and damaged HMRC’s reputation for handling our customers’ data.
While the IPCC found no evidence whatsoever of misconduct or criminality by any member of HMRC, the two reports make it clear that the data loss was avoidable and a result of serious failings within HMRC. In short, it should never have happened.
Immediately following the data loss, both HMRC and the police carried out extensive searches in an attempt to locate the missing data. While the data has not been found I can confirm that there is no evidence of any fraudulent activity as a result of the loss.
I am grateful to both Kieran Poynter and the IPCC for their thorough reports. HMRC is absolutely committed to delivering all of their recommendations and to ensuring data security remains an explicit priority in the future.
As we have discussed, since the incident HMRC has significantly strengthened data security, including removing the ability of all staff to save data to portable media such as CDs and memory sticks and re-introducing this only where there is a compelling business case to do so.
We have also introduced tight restrictions on the bulk transfer of sensitive information and are conforming to new cross-government rules on encryption. We are also reviewing all bulk data transfers and have stopped those which are not business critical. And we are working with our stakeholders to further improve the security of bulk data transfers that do still need to be made.
The progress made by HMRC since the data loss occurred is acknowledged by Mr Poynter. He notes that of his 45 recommendations, which are designed to ensure HMRC achieves the highest standards of data security, HMRC has made good progress on 39, including 13 which have been implemented. He also notes that the issues that led directly to the data loss have now been addressed.
However, despite the good progress, Mr Poynter makes clear that a great deal of further work will be required “to bring HMRC up to and sustain the world class standard for information security to which it now properly aspires.” I agree with his assessment and am determined that HMRC continues to prioritise the implementation of these recommendations.
Mr Poynter’s report identifies three areas for urgent action. Firstly, he highlighted a weakness in specific information security policies and criticised existing policies as too complicated and difficult for staff to navigate. We have addressed this through enhanced security policies, including issuing every staff member with new data security rules written in plain English and ensuring they are briefed on these by line managers across the Department.
The second issue identified by Mr Poynter is inadequate awareness, communication and training on data security. Improvements on this front have included delivering mandatory 2½ hour face to face data security training for all staff as well as an ongoing programme of engagement with staff, awareness raising and regular training updates. This will help ensure that the data security rules become embedded in HMRC staff culture.
The third issue identified by Mr Poynter is a lack of clarity around the governance and accountability for data guardianship. We have addressed this by appointing Data Guardians across the department to act as experts and champions of data security in their business areas. These people play a lead role in individual business areas in setting, monitoring and enforcing data security.
In addition, as you are aware, we have introduced a new management structure that gives Executive Directors much clearer accountabilities for lines of business (Personal Tax, Business Tax, Benefits & Credits, and Enforcement & Compliance).
Alongside this immediate work HMRC will be exploring Kieran Poynter’s long term vision for data security in HMRC, which includes a single customer record, phasing out physical data transfers and working to eliminate paper records. This vision is consistent with HMRC’s strategic direction and existing projects such as Modernising PAYE Processes for Customers (MPPC3) will take us part of the way there. For the longer term it will require investment to bring greater coherence to our IT infrastructure and make the business changes necessary.
I also welcome the Information Commissioner’s support for implementation of the recommendations of the Poynter review.
HMRC is focussed on continuing to deliver substantial improvements to the way we manage and secure data. Mike Clasper, who has been appointed as the new Chairman of HMRC, has expressed his commitment to taking this substantial programme of work forward and will work to ensure HMRC is setting a very high standard in information security
Statement by the Chancellor of the Exchequer, Alistair Darling, on the Poynter Review, 25 June 2008:
1. With your permission Mr Speaker I would like to make a statement on the final report by Kieran Poynter, Chairman of PricewaterhouseCoopers, into the loss of child benefit records at HM Revenue and Customs last year.
2. I should also tell the House that the Independent Police Complaints Commission, which conducted its own investigation into the loss, is publishing its report today. The IPCC found no evidence of misconduct or criminality by any member of staff at HMRC.
3. The Cabinet Secretary has also published today his wider cross-Government work to improve data handling.
4. The Poynter and IPCC reports are available in the Vote Office and the Library of the House.
5. I am grateful, both to Kieran Poynter and his team and the IPCC for their extensive work. Both have provided a very full and detailed account of what happened.
6. Mr Speaker, improving information security is a challenge that every organisation is facing.
7. In recent years we have seen problems in both the public and private sectors as organisations struggle to keep pace with the development of technology in data storage and transfer.
8. The public is entitled to expect government departments to ensure their personal details are kept safe and it is therefore essential that we do everything we can to minimise the chances of this sort of loss happening again.
9. I deliberately gave Mr Poynter wide-ranging terms of reference not just because of the seriousness of this loss but also because as I said in my statement on 20 November, I was concerned about previous losses of data by HMRC.
10. In my statements to the House on 20 November and 17 December, I set out the circumstances surrounding the events that led to the loss of the child benefit data, and the immediate action taken.
11. My priorities then were to locate the missing discs, and to ensure that adequate safeguards were in place to monitor bank and building society accounts of those who could have been affected.
12. Despite extensive searches by HMRC and the police the discs have not been found, but I can tell the House that I am advised that there is no evidence of any fraudulent activity as a result of the loss.
13. HMRC took a series of immediate steps at that time, including a complete ban on the transfer of bulk data without adequate security protection, measures to prevent the downloading of data without the necessary safeguards and the immediate disabling of the ability to download data from all desktop and laptop computers within the organisation.
14. Mr Speaker, Kieran Poynter’s report is in two parts. The first deals with the circumstances giving rise to the loss. The second part deals with his wider findings and recommendations.
15. He examined in detail the circumstances surrounding the earlier transfer of data in March 2007, which I referred to in my statements to the House.
16. He found that in March, because the HMRC staff involved then were unaware of the relevant guidance, which in itself lacked clarity, they did not escalate the request to the appropriate level of seniority before releasing data to the NAO.
17. As a result, no senior HMRC official was asked to permit the NAO to take the data off-site to conduct its analysis and no such official knew that this was envisaged.
18. Mr Speaker, Mr Poynter has concluded that these events in March last year then created a precedent which allowed a similar transfer to take place in October without the appropriate level of authorisation or adequate consideration of the security risks of releasing such a large amount of personal information.
19. He says that senior managers were unaware that the data had been moved from HMRC premises in March and October until the loss of data was subsequently reported to them.
20. He concludes that the data loss incident arose following a sequence of communications failures between junior HMRC officials and between them and the National Audit Office.
21. However, he finds that the loss was entirely avoidable and the fact that it could have happened points to serious institutional deficiencies at HMRC.
22. Firstly, information security simply was not the management priority it should have been.
23. And secondly, management structures and governance were unnecessarily complex and did not establish clear lines of accountability.
24. Moreover, he points to a lack of clarity in communications and the failure to involve senior HMRC staff as being contributing factors in both cases.
25. Mr Poynter makes clear in his report that both these failings have now been addressed.
26. He acknowledges the progress the department has made since last November. HMRC is a complex organisation, operating from some 900 sites and sending out over 300 million items of mail a year.
27. Against this background Mr Poynter sets out the action that has been taken to make information security a priority. This includes the appointment of a Chief Risk Officer, new, clearer security guidance and a wide-ranging programme of training to raise awareness of security issues amongst staff.
28. And he also sets out the action that has been taken to simplify management structures and governance. He acknowledges the new organisational structure as a positive step forward.
29. Mr Poynter’s team has worked closely with HMRC and in particular those teams that process large volumes of personal data or provide corporate services, such as IT. By providing detailed recommendations to the organisation as its work progressed, rather than leaving them to the final report, the review team has been able to support HMRC and help it make good progress in implementing its recommendations.
30. However, Mr Poynter states that “a great deal of work will be required to bring HMRC up to and to sustain the world class standard for information security to which it now properly aspires.”
31. In all he makes 45 recommendations, all of which have been accepted. HMRC has made good progress on 39 of the recommendations including 13, which have been fully implemented. Work is continuing on the remaining recommendations.
32. Mr Poynter also makes a number of recommendations in relation to the way in which HMRC operates and the fragmentation and complexity of its IT systems. The organisation is already addressing these issues and will be spending £155m improving data security over the next three years.
33. The 45 recommendations – when fully implemented – will reduce the risk of a serious breach in the future and make sure that HMRC achieves the highest standards of information security.
34. Mr Speaker, Kieran Poynter states that the decision to merge the Inland Revenue and HM Customs and Excise was the right one.
35. But he says that the management structure subsequently adopted was not suitable – exactly the same failing identified in the Capability Review, carried out by an independent panel, overseen by the Cabinet Secretary and published last December.
36. In acknowledging the significant changes the organisation has undergone Mr Poynter judges that “these changes individually and collectively represent good decisions which have created the platform from which to build a high quality, efficient administration.”
37. In order to build from this platform the management needs to continue to address the issues highlighted by Mr Poynter in his wider review and the Capability Review.
38. In particular HMRC’s security procedures must be improved to ensure information security is a management priority and importantly, the management must raise staff morale.
39. Mr Poynter acknowledges the new organisational structure put in place earlier this year as a crucial step and makes recommendations to develop it further.
40. Mr Poynter concludes that his findings represent an opportunity to modernise work practices and systems which will make the organisation more efficient as well as rebuilding its reputation for data security.
41. I am grateful to Dave Hartnett – the acting Chairman – who has overseen these improvements and led the organisation through a difficult time.
42. Yesterday, Mike Clasper, who has considerable business experience, was appointed as the new Chairman of HMRC. He and Dave Hartnett have made it clear that the implementation of the Poynter recommendations and crucially, the importance of information security will be priorities.
43. The Information Commissioner, who has been kept informed since the outset, has indicated that this review has investigated all the facts and issues with which he needs to be concerned and he fully supports all of Kieran Poynter’s recommendations.
44. The Information Commissioner proposes to serve the appropriate enforcement notice on HMRC under the Data Protection Act.
45. Mr Speaker, it is quite clear that the loss was entirely avoidable and again I apologise unreservedly to everyone who has been affected.
46. HMRC employs tens of thousands of people who work hard and are dedicated to providing an excellent service to the public.
47. The staff are entitled to expect clarity as to how they discharge their duties.
48. The public are entitled to expect that their privacy is respected and that security of highly personal information is the highest priority.
49. It is essential that we now implement his recommendations.
50. And I commend this statement to the House.
A summary of the report into the Child Benefit data loss by the Independent Police Complaints Commission IPCC.
“The Independent Police Complaints Commission has found that the processes for data handling were woefully inadequate at HM Revenue and Customs’ Child Benefit Office in Washington. But individual members of staff were not to blame for losing the missing Child Benefit data CDs.
“The IPCC’s investigation uncovered failures in institutional practices and procedures concerning the handling of data. It revealed the absence of a coherent strategy for mass data handling and, generally speaking, practices and procedures were less than effective.
“The IPCC found that there was: a complete lack of any meaningful systems; a lack of understanding of the importance of data handling; and a ‘muddle through’ ethos.
“Staff found themselves working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data appropriately. While an ongoing review of data procedures was being conducted within HMRC at the time of these events, it had not been finalised. Had this internal review received a higher priority, this incident may have been avoided.
“The Commission is therefore referring the findings of the missing Child Benefit CDs to the Information Commissioner.
“The IPCC is also publishing its report in full today.
“IPCC Commissioner Gary Garland, who oversaw the investigation, said: ‘The failings identified by our investigation are significant. Because of this, and the high level of public concern about this incident, I have provided the Information Commissioner, Richard Thomas, with a copy of this report. It raises concerns that he is properly placed to address. Once the data loss was discovered, it is correct to say that steps were taken immediately to tighten security. A full review of practice and procedure has been carried out. Many reforms have taken place and are continuing as improvements are rolled out across the department. We hope that the momentum will be maintained.’
“When it became clear that two CDs containing sensitive data had gone missing from the Child Benefit Office in Washington, Tyne and Wear in October/November 2007, it gave rise to serious public concern. The transit of the CDs to the National Audit Office (NAO) was clearly compromised by ineffective practices and procedures, which meant that an event like this was certain to happen – the only question being when.
“Three separate investigations were set up each dealing with differing aspects of the incident. The Metropolitan Police Service were conducting a search aiming to recover the CDs. The IPCC were looking into the series of events leading up to the loss of data and considering whether any criminal conduct or disciplinary offences had been committed by HMRC staff. The Poynter review was looking at institutional management structures that might significantly improve HMRC’s data handling performance. Collaboration between the three teams worked well.
“The investigation revealed the absence of a coherent strategy for mass data handling and, generally speaking, practices and procedures were less than effective. The IPCC found that there was: a complete lack of any meaningful systems; a lack of understanding of the importance of data handling; and a ‘muddle through’ ethos.
“Corporate data handling was clearly woefully inadequate.
Sequence of events
“The inquiry focused on events that took place between December 2006 and March 2007 and between September and October 2007 relating to two separate audits, carried out by the NAO, of the £10 billions expenditure on Child Benefit .
“The NAO needed to check the levels of accuracy of payments of Child Benefit. The NAO asked for the relevant data but without names, addresses nor bank account details. HMRC had already scanned the data and wanted to make use of existing data in order to avoid overburdening the business by asking for additional data scans, without the details included, as they might incur a large cost.
“In March 2007 one employee queried supplying all of the data but was told NAO were entitled to go wherever and have access to anything without exception. The CDs were sent to the NAO and returned safely in April 2007.
“In September 2007 the NAO wanted to undertake a repeat of the audit. The NAO asked HMRC to ensure that the CDs were delivered as safely as possible due to their content. On 18 October the CDs were sent from Washington through the internal tax post system, in an envelope addressed to the NAO in London. The package was not tracked or sent recorded delivery. The CDs never arrived and copies were made and re-sent.
“On 8 November a security breach report was raised by an HMRC employee. On 15 November HMRC informed the Metropolitan Police of the loss of the CDs. The following day HMRC formally referred the incident to the IPCC. The Metropolitan Police formally began their investigation to find the missing CDs on 18 November.
“The highly sensitive nature of the data held on the two CDs was, surprisingly, appreciated by only a very few members of HMRC staff. Even though those who had concerns did voice them, no attempt was made to clarify the position relating to authority levels and physical protection of the data during transfer.
“Even the staff who had direct responsibility for handling the data as part of their duties did not demonstrate a clear understanding or knowledge of how to protect the data at the highest possible level. There was a lack of appreciation of the data protection principles contained in the Act.
“The reluctance by HMRC staff to reduce the data to a more manageable size as the NAO first requested, seems to have contributed to the chain of events and failures that followed. If these details had been removed the volume of data required for the audit would have been reduced to a more manageable size.
“It is not clear what, if any, authority was given for the two CDs to be given to the NAO. It seems that the sense of urgency around providing the data may have led HMRC staff to prioritise the delivery of the CDs over the need for appropriate security measures to protect them from risk.
“The main contributory factors in the decision about how the CDs should be delivered to the NAO were: a lack of day-to-day awareness and understanding of data security principles within HMRC at Washington; a lack of training; and a lack of knowledge of policies and procedures associated with data security. These factors led to a decision being taken on the basis of the urgency with which the data were needed by the NAO.
“A practical, pragmatic approach was taken to completing the task required. This meant that there was no focus on prioritising data security. Data controller responsibilities were not clearly demonstrated in the workplace. The investigation found no visible management of data security at any level.
“The report does not seek to make detailed recommendations, nor does it comment on the developments needed to ensure that HMRC’s systems and practices meet the challenges involved in modern-day data handling. It would not serve any useful purpose to repeat matters that are dealt with in the Poynter Report.
1. HMRC should review and develop a strategic working relationship with the NAO in respect of any audit of its resource accounts. HMRC should implement a strategy of communicating the detail and requirements of an audit to HMRC staff in order to facilitate audit work.
2. HMRC should review the security controls and protocols associated with generating large volumes of data, and the subsequent handling of that data in whatever format both internally and on disclosure outside the organisation.
3. HMRC should develop a data security strategy, training strategy and communication strategy for all HMRC staff to raise awareness and understanding of data protection and data security, and in line with the principles of the Data Protection Act.
4. HMRC should review and develop its role and responsibilities as data controller within the meaning of the Act in order to demonstrate a management commitment to information security throughout the organisation.
5. Consideration should be given to sharing this investigation report with the Information Commissioner, who is responsible for data protection issues under the Act.
6. Where breaches of security are discovered, HMRC should report these promptly so that any remedial or recovery action can be taken. This did not occur in this particular case.