HMRC staff who worked with sensitive data carried out duties with a ‘muddle through’ ethos, a report into the missing child benefit discs from the independent police complaints commission (IPCC) has found.
HMRC staff were working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data, the IPCC has concluded.
The IPCC has referred the case to the Information Commissioner.
HMRC needs to develop a data security strategy and train staff to understand how to comply with the Data Protection Act, the IPCC concluded
HMRC should appoint a data controller to demonstrate a management commitment to information security throughout the organisation, it said.
"Many reforms have taken place [at HMRC] and are continuing as improvements are rolled out across the department. We hope that the momentum will be maintained," said IPCC Commissioner Gary Garland, who oversaw the investigation.
HMRC informed the Metropolitan Police of the loss of the CD on 15 November and referred the incident to the IPCC the following day.The Metropolitan Police began its investigation to find the missing CDs on 18 November.