
IPCC publishes report into missing HMRC data cds (FULL VERSION)

INDEPENDENT POLICE COMPLAINTS COMMISSION News Release issued by The Government News Network on 25 June 2008

The Independent Police Complaints Commission has found that the processes for data handling were woefully inadequate at HM Revenue and Customs' Child Benefit Office in Washington. But individual members of staff were not to blame for losing the missing Child Benefit data CDs.

The IPCC's investigation uncovered failures in institutional practices and procedures concerning the handling of data. It revealed the absence of a coherent strategy for mass data handling and, generally speaking, practices and procedures were less than effective.

The IPCC found that there was: a complete lack of any meaningful systems; a lack of understanding of the importance of data handling; and a 'muddle through' ethos.

Staff found themselves working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data appropriately. While an ongoing review of data procedures was being conducted within HMRC at the time of these events, it had not been finalised. Had this internal review received a higher priority, this incident may have been avoided.

The Commission is therefore referring the findings of the missing Child Benefit CDs to the Information Commissioner.

The IPCC is also publishing its report in full today.

IPCC Commissioner Gary Garland, who oversaw the investigation, said: "The failings identified by our investigation are significant. Because of this, and the high level of public concern about this incident, I have provided the Information Commissioner, Richard Thomas, with a copy of this report. It raises concerns that he is properly placed to address.

"Once the data loss was discovered, it is correct to say that steps were taken immediately to tighten security. A full review of practice and procedure has been carried out. Many reforms have taken place and are continuing as improvements are rolled out across the department. We hope that the momentum will be maintained."

When it became clear that two CDs containing sensitive data had gone missing from the Child Benefit Office in Washington, Tyne and Wear in October/November 2007, it gave rise to serious public concern. The transit of the CDs to the National Audit Office (NAO) was clearly compromised by ineffective practices and procedures, which meant that an event like this was certain to happen - the only question being when.

Three separate investigations were set up, each dealing with a different aspect of the incident. The Metropolitan Police Service were conducting a search aiming to recover the CDs. The IPCC were looking into the series of events leading up to the loss of data and considering whether any criminal conduct or disciplinary offences had been committed by HMRC staff. The Poynter review was looking at institutional management structures that might significantly improve HMRC's data handling performance. Collaboration between the three teams worked well.

The investigation revealed the absence of a coherent strategy for mass data handling and, generally speaking, practices and procedures were less than effective. The IPCC found that there was: a complete lack of any meaningful systems; a lack of understanding of the importance of data handling; and a 'muddle through' ethos. Corporate data handling was clearly woefully inadequate.

Sequence of events

The inquiry focused on events that took place between December 2006 and March 2007 and between September and October 2007 relating to two separate audits, carried out by the NAO, of the £10 billion expenditure on Child Benefit.

The NAO needed to check the levels of accuracy of payments of Child Benefit. The NAO asked for the relevant data but without names, addresses or bank account details. HMRC had already scanned the data and wanted to reuse that existing extract rather than burden the business with a further scan that excluded those details, as an additional scan might incur a large cost.

In March 2007 one employee queried supplying all of the data but was told NAO were entitled to go wherever and have access to anything without exception. The CDs were sent to the NAO and returned safely in April 2007.

In September 2007 the NAO wanted to undertake a repeat of the audit. The NAO asked HMRC to ensure that the CDs were delivered as safely as possible due to their content. On 18 October the CDs were sent from Washington through the internal tax post system, in an envelope addressed to the NAO in London. The package was not tracked or sent recorded delivery. The CDs never arrived and copies were made and re-sent.

On 8 November a security breach report was raised by an HMRC employee. On 15 November HMRC informed the Metropolitan Police of the loss of the CDs. The following day HMRC formally referred the incident to the IPCC. The Metropolitan Police formally began their investigation to find the missing CDs on 18 November.

Conclusions

The highly sensitive nature of the data held on the two CDs was, surprisingly, appreciated by only a very few members of HMRC staff. Even though those who had concerns did voice them, no attempt was made to clarify the position relating to authority levels and physical protection of the data during transfer.

Even the staff who had direct responsibility for handling the data as part of their duties did not demonstrate a clear understanding or knowledge of how to protect the data at the highest possible level. There was a lack of appreciation of the data protection principles contained in the Data Protection Act.

The reluctance of HMRC staff to reduce the data to a more manageable size, as the NAO first requested, seems to have contributed to the chain of events and failures that followed. If the names, addresses and bank account details had been removed, the volume of data required for the audit would have been reduced to a more manageable size.

It is not clear what, if any, authority was given for the two CDs to be given to the NAO. It seems that the sense of urgency around providing the data may have led HMRC staff to prioritise the delivery of the CDs over the need for appropriate security measures to protect them from risk.

The main contributory factors in the decision about how the CDs should be delivered to the NAO were: a lack of day-to-day awareness and understanding of data security principles within HMRC at Washington; a lack of training; and a lack of knowledge of policies and procedures associated with data security. These factors led to a decision being taken on the basis of the urgency with which the data were needed by the NAO.

A practical, pragmatic approach was taken to completing the task required. This meant that there was no focus on prioritising data security. Data controller responsibilities were not clearly demonstrated in the workplace. The investigation found no visible management of data security at any level.

Recommendations

The report does not seek to make detailed recommendations, nor does it comment on the developments needed to ensure that HMRC's systems and practices meet the challenges involved in modern-day data handling. It would not serve any useful purpose to repeat matters that are dealt with in the Poynter Report.

1. HMRC should review and develop a strategic working relationship with the NAO in respect of any audit of its resource accounts. HMRC should implement a strategy of communicating the detail and requirements of an audit to HMRC staff in order to facilitate audit work.

2. HMRC should review the security controls and protocols associated with generating large volumes of data, and the subsequent handling of that data in whatever format both internally and on disclosure outside the organisation.

3. HMRC should develop a data security strategy, training strategy and communication strategy for all HMRC staff to raise awareness and understanding of data protection and data security, and in line with the principles of the Data Protection Act.

4. HMRC should review and develop its role and responsibilities as data controller within the meaning of the Act in order to demonstrate a management commitment to information security throughout the organisation.

5. Consideration should be given to sharing this investigation report with the Information Commissioner, who is responsible for data protection issues under the Act.

6. Where breaches of security are discovered, HMRC should report these promptly so that any remedial or recovery action can be taken. This did not occur in this particular case.

'HMRC, Washington - IPCC independent investigation report into loss of data relating to Child Benefit' can be read on the IPCC web site at http://www.ipcc.gov.uk/final_hmrc_report_25062008.pdf or is available from IPCC, 90 High Holborn, London WC1V 6BH.

Notes for editors:

The report is published in full but the names of individuals have been redacted.

The IPCC has been responsible for handling serious complaints against and referrals of incidents from HMRC since April 2006. The inquiry was carried out by investigators from the IPCC's Wakefield office, which serves Yorkshire, Humberside and the North-east of England.
