HMRC’s extreme reaction to missing CDs

A computer systems manager has written to us about an extreme reaction by HM Revenue and Customs to two CDs which went missing. The CDs contained the names and bank details of more than seven million families that receive child benefit.

The manager says that HMRC has now banned the use of faxes in some circumstances.

HMRC had sent his company the wrong tax code for an employee. If the wrong tax code were applied, the employee would receive no salary. To get a corrected tax code the company would normally phone HMRC and the department would reply with a fax that confirmed the corrected code. But since the two CDs went missing HMRC’s staff cannot fax tax code revisions, according to the computer systems manager. This has left the manager having to break a legal requirement to apply the latest HMRC tax code.

He says:

“We received a new tax code from HMRC for one of our employees. Unfortunately the code was wrong (admitted by HMRC), and resulted in negative net pay. This is impossible. So we can’t operate the new code although we are legally obliged to do so. In similar cases in the past we have telephoned our tax office, who have faxed through a corrected code. Since yesterday [26 November 2007] we are told that as a result of last week’s missing discs fiasco, the tax office is no longer allowed to fax code revisions.

“Instead, [HMRC] will send it by EDI [electronic data interchange] taking “up to five days”. This is for a weekly payroll with a two-day processing window, so that is not a practical option. (Why EDI would take five days is anyone’s guess.) The bottom line is that we cannot comply with a legal requirement, and HMRC have shut down the process we used to have for dealing with this situation.

“The terrible irony is that the correct code, as given to us by telephone, is the one that the employee had before HMRC did anything.”

In a subsequent email to me the computer systems manager says:

“This is not the first time we have had difficulties with HMRC, but I am of the opinion that the problems caused by their mistakes are becoming more frequent.”

I have put the manager’s email to HMRC’s press office and am awaiting a reply. But my query may be in a long queue.

Separately, NHS Connecting for Health, which runs part of the National Programme for the IT [NPfIT] has responded to the missing CDs by warning NHS organisations it will destroy data that doesn’t meet its security requirements. It’s implicit in its warning that insecure data on NHS patients has previously arrived and been accepted.

The NHS Connecting for Health letter refers to data that travels to and from the NHS Strategic Tracing Service [NSTS].

The NHS Strategic Tracing Service is a database of people, places and NHS organisations in England and Wales. It allows NHS staff to access patient information such as name, address, date of birth, GP name and address details, and NHS number.

NHS staff send in limited information on, typically, several thousands of patients. The tracing service then finds the patients’ latest recorded details and returns the information to the NHS staff who requested it.

NHS Connecting for Health says that batch file sizes of up to a million or more records can be processed this way, but typically files relate to only a “few thousand” patients.

CfH says that NHS organisations can submit patient details to be traced on physical media such as CDs or via Public Key Infrastructure-encrypted e-mail.

The warning letter issued by NHS Connecting for Health says:

“Following an issue regarding the accidental loss of roughly 25 million records by a government department (not the NHS) a preliminary review of all data transport methods to and from NHS Strategic Tracing Service has been undertaken.

“Pending further possible recommendations, NSTS Service Management have enforced the following procedural changes with immediate effect.

“It is your organisation’s responsibility to ensure that ALL batch files which are sent to NSTS, on any form of physical media:

– are sent using either Special Delivery or a courier service. Do not send via recorded mail

or standard mail.


– are encrypted using the 256-bit Advanced Encryption Standard (AES-256) algorithm.

“With effect from 9am on Wednesday 21 Nov 2007, if either of these criteria are not met the

media will be destroyed upon receipt.

“This instruction applies to ALL media types, without exception.

“To facilitate the sending of encrypted media/files, all batch trace users will receive a pass

phrase generated by NSTS Service Management, at the start of each new month. If you do not

receive a new pass phrase, please contact the Service Management team, providing your

organisations Data Access Agreement number and NSTS batch user account name. Any

files/media received that are not encrypted using the valid pass phase will be destroyed.”

The letter concludes with an apology, which suggests that enforcing rigorous security over data going to and from and tracing service is a change of practice.

The letter says:

NSTS Service Management would like to apologise for any inconvenience this may cause.

GP Paul Thornton, who has made a study of rules, laws and practices relating to patient confidentiality, says of NHS CfH’s warning that it’s implicit that, previously, some NHS organisations have sent in electronic patient information on disc, by post in an unencrypted format.


Missing child benefit CDs – what went wrong and why it would have carried on regardless

Who gets access to patient data? – Pulse magazine article, September 2007

Ian Brown: Biometrics are not a panacea for data loss

Labour blames the servants again

Don’t worry – every detail of your life will be safe with us

Independent Police Complaints Commission to investigate missing HMRC data discs