INDEPENDENT POLICE COMPLAINTS COMMISSION
News Release issued by The Government News Network on 25 June 2008
The Independent Police Complaints Commission has found that the processes for data
handling were woefully inadequate at HM Revenue and Customs'
Child Benefit Office in Washington, but that individual members of
staff were not to blame for losing the missing Child Benefit data CDs.
The IPCC's investigation uncovered failures in institutional
practices and procedures concerning the handling of data. It
revealed the absence of a coherent strategy for mass data handling
and, generally speaking, practices and procedures were less than effective.
The IPCC found that there was: a complete lack of any meaningful
systems; a lack of understanding of the importance of data
handling; and a 'muddle through' ethos.
Staff found themselves working on a day-to-day basis without
adequate support, training or guidance about how to handle
sensitive personal data appropriately. An internal review of
data procedures was under way within HMRC at the time of
these events, but it had not been finalised. Had that review
received a higher priority, this incident might have been avoided.
The Commission is therefore referring the findings of the missing
Child Benefit CDs to the Information Commissioner.
The IPCC is also publishing its report in full today.
IPCC Commissioner Gary Garland, who oversaw the investigation,
said: "The failings identified by our investigation are
significant. Because of this, and the high level of public concern
about this incident, I have provided the Information Commissioner,
Richard Thomas, with a copy of this report. It raises concerns
that he is properly placed to address.
"Once the data loss was discovered, it is correct to say
that steps were taken immediately to tighten security. A full
review of practice and procedure has been carried out. Many
reforms have taken place and are continuing as improvements are
rolled out across the department. We hope that the momentum will
be maintained."
When it became clear that two CDs containing sensitive data had
gone missing from the Child Benefit Office in Washington, Tyne and
Wear in October/November 2007, it gave rise to serious public
concern. The transit of the CDs to the National Audit Office (NAO)
was clearly compromised by ineffective practices and procedures,
which meant that an event like this was certain to happen - the
only question being when.
Three separate investigations were set up each dealing with
differing aspects of the incident. The Metropolitan Police Service
were conducting a search aiming to recover the CDs. The IPCC were
looking into the series of events leading up to the loss of data
and considering whether any criminal conduct or disciplinary
offences had been committed by HMRC staff. The Poynter review was
looking at institutional management structures that might
significantly improve HMRC's data handling performance.
Collaboration between the three teams worked well.
The investigation revealed the absence of a coherent strategy for
mass data handling and, generally speaking, practices and
procedures were less than effective. The IPCC found that there
was: a complete lack of any meaningful systems; a lack of
understanding of the importance of data handling; and a
'muddle through' ethos. Corporate data handling was
clearly woefully inadequate.
Sequence of events
The inquiry focused on events that took place between December
2006 and March 2007 and between September and October 2007
relating to two separate audits, carried out by the NAO, of the
£10 billion expenditure on Child Benefit.
The NAO needed to check the levels of accuracy of payments of
Child Benefit. The NAO asked for the relevant data, but without
names, addresses or bank account details. HMRC had already run a
scan (extract) of the full data and wanted to reuse it rather than
commission a further scan with those details stripped out, which it
believed would overburden the business and might incur a large cost.
In March 2007 one employee queried supplying all of the data but
was told that the NAO was entitled to go wherever it wished and to
have access to anything, without exception. The CDs were sent to
the NAO and returned safely in April 2007.
In September 2007 the NAO wanted to undertake a repeat of the
audit. The NAO asked HMRC to ensure that the CDs were delivered as
safely as possible due to their content. On 18 October the CDs
were sent from Washington through the internal tax post system, in
an envelope addressed to the NAO in London. The package was not
tracked or sent recorded delivery. The CDs never arrived and
copies were made and re-sent.
On 8 November a security breach report was raised by an HMRC
employee. On 15 November HMRC informed the Metropolitan Police of
the loss of the CDs. The following day HMRC formally referred the
incident to the IPCC. The Metropolitan Police formally began their
investigation to find the missing CDs on 18 November.
Conclusions
The highly sensitive nature of the data held on the two CDs was,
surprisingly, appreciated by only a very few members of HMRC
staff. Even though those who had concerns did voice them, no
attempt was made to clarify the position relating to authority
levels and physical protection of the data during transfer.
Even the staff who had direct responsibility for handling the
data as part of their duties did not demonstrate a clear
understanding or knowledge of how to protect the data at the
highest possible level. There was a lack of appreciation of the
data protection principles contained in the Data Protection Act.
The reluctance of HMRC staff to reduce the data to a more
manageable size, as the NAO had first requested, seems to have
contributed to the chain of events and failures that followed. Had
the names, addresses and bank account details been removed, the
volume and sensitivity of the data needed for the audit would have
been reduced to a more manageable size.
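The NAO's request for payment data without names, addresses or bank account details (described under "Sequence of events" above) is a data minimisation requirement, and the conclusion just stated is that not honouring it put far more onto the discs than the audit needed. The example below is added to this page to show how such an extract would be produced and gated before release; it is not HMRC, NAO or IPCC code. The record layout, field names, sample rows and the keyed pseudonym for the claim reference are all assumptions made for illustration (the page does not say what fields the scan held or how claim references were treated). The pseudonym goes slightly beyond the page: it lets the auditor match the same claim across a repeat audit, which the NAO did carry out, without the real reference ever leaving HMRC.

```python
import csv
import hashlib
import hmac
import io

# Assumed record layout. The page says only that the NAO did not need names,
# addresses or bank account details; every field name here is an assumption.
SENSITIVE_FIELDS = frozenset({
    "claimant_name", "address", "postcode", "sort_code", "account_number",
})
AUDIT_FIELDS = ("claim_ref", "children", "weekly_amount", "payment_date")

# Constructed sample rows standing in for a scan of the Child Benefit system.
SAMPLE_RECORDS = [
    {"claim_ref": "CB-0001", "claimant_name": "A. Example", "address": "1 Test St",
     "postcode": "NE38 0AA", "sort_code": "00-00-00", "account_number": "12345678",
     "children": 2, "weekly_amount": "31.35", "payment_date": "2007-03-05"},
    {"claim_ref": "CB-0002", "claimant_name": "B. Example", "address": "2 Test St",
     "postcode": "NE38 0AB", "sort_code": "00-00-00", "account_number": "87654321",
     "children": 1, "weekly_amount": "18.10", "payment_date": "2007-03-05"},
]


class ExtractPolicyError(ValueError):
    """Raised when an extract would carry fields the recipient must not receive."""


def pseudonymise(ref, key):
    """Keyed pseudonym for a claim reference (HMAC-SHA256, truncated to 16 hex chars).

    The key stays with the data controller, so the auditor can match the same
    claim in a repeat audit without ever receiving the real reference.
    """
    return hmac.new(key, ref.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(records, key, keep=AUDIT_FIELDS):
    """Return rows holding only the allow-listed fields, with claim_ref pseudonymised."""
    rows = []
    for rec in records:
        missing = [f for f in keep if f not in rec]
        if missing:
            raise KeyError(f"record lacks audit fields {missing}")
        row = {f: rec[f] for f in keep}
        row["claim_ref"] = pseudonymise(rec["claim_ref"], key)
        rows.append(row)
    return rows


def check_release(rows, forbidden=SENSITIVE_FIELDS):
    """Release gate: fail closed if any row still carries a forbidden field."""
    leaked = set()
    for row in rows:
        leaked |= forbidden & set(row)
    if leaked:
        raise ExtractPolicyError(f"extract contains forbidden fields: {sorted(leaked)}")
    return True


def build_extract(records, key):
    """Minimise, gate, serialise to CSV and return (csv_bytes, manifest)."""
    rows = minimise(records, key)
    check_release(rows)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=AUDIT_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    data = buf.getvalue().encode()
    # The manifest is sent separately from the media, so the recipient can
    # confirm what arrived is exactly what was sent and the sender has a record.
    manifest = {"rows": len(rows), "bytes": len(data),
                "sha256": hashlib.sha256(data).hexdigest()}
    return data, manifest


if __name__ == "__main__":
    key = b"example-key-held-by-hmrc-only"  # assumption: a real key lives in a key store
    data, manifest = build_extract(SAMPLE_RECORDS, key)
    print(data.decode())
    print(manifest)
    try:
        check_release(SAMPLE_RECORDS)  # the unminimised scan must not pass the gate
    except ExtractPolicyError as exc:
        print("blocked:", exc)
```

The gate deliberately checks the rows about to be written rather than trusting that the minimisation step ran: a second copy made in a hurry, as happened when the first discs did not arrive, goes through the same check. The manifest gives both parties something to reconcile on receipt, which is the control that was absent when an untracked package simply failed to turn up.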
It is not clear what, if any, authority was given for the two CDs
to be given to the NAO. It seems that the sense of urgency around
providing the data may have led HMRC staff to prioritise the
delivery of the CDs over the need for appropriate security
measures to protect them from risk.
The main contributory factors in the decision about how the CDs
should be delivered to the NAO were: a lack of day-to-day
awareness and understanding of data security principles within
HMRC at Washington; a lack of training; and a lack of knowledge of
policies and procedures associated with data security. These
factors led to a decision being taken on the basis of the urgency
with which the data were needed by the NAO.
A practical, pragmatic approach was taken to completing the task
required. This meant that there was no focus on prioritising data
security. Data controller responsibilities were not clearly
demonstrated in the workplace. The investigation found no visible
management of data security at any level.
Recommendations
The report does not seek to make detailed recommendations, nor
does it comment on the developments needed to ensure that
HMRC's systems and practices meet the challenges involved in
modern-day data handling. It would not serve any useful purpose to
repeat matters that are dealt with in the Poynter Report.
1. HMRC should review and develop a strategic working
relationship with the NAO in respect of any audit of its resource
accounts. HMRC should implement a strategy of communicating the
detail and requirements of an audit to HMRC staff in order to
facilitate audit work.
2. HMRC should review the security controls and protocols
associated with generating large volumes of data, and the
subsequent handling of that data in whatever format both
internally and on disclosure outside the organisation.
3. HMRC should develop a data security strategy, training
strategy and communication strategy for all HMRC staff to raise
awareness and understanding of data protection and data security,
and in line with the principles of the Data Protection Act.
4. HMRC should review and develop its role and responsibilities
as data controller within the meaning of the Act in order to
demonstrate a management commitment to information security
throughout the organisation.
5. Consideration should be given to sharing this investigation
report with the Information Commissioner, who is responsible for
data protection issues under the Act.
6. Where breaches of security are discovered, HMRC should report
these promptly so that any remedial or recovery action can be
taken. This did not occur in this particular case.
'HMRC, Washington - IPCC independent investigation report
into loss of data relating to Child Benefit' can be read on
the IPCC web site at http://www.ipcc.gov.uk/final_hmrc_report_25062008.pdf
or is available from IPCC, 90 High Holborn, London WC1V 6BH.
Notes for editors:
The report is published in full but the names of individuals have
been redacted.
The IPCC has been responsible for handling serious complaints
against and referrals of incidents from HMRC since April 2006. The
inquiry was carried out by investigators from the IPCC's
Wakefield office, which serves Yorkshire, Humberside and the
North-east of England.