HMRC and MoD face action over data blunders

Loss "entirely avoidable"

Tags: data loss, hmrc, mod

By Nick Heath

Published: 25 June 2008 16:03 GMT

Two government departments face enforcement action from the UK data protection watchdog for losing, between them, more than 25 million people's details.

The Information Commissioner's Office (ICO) is taking enforcement action against HM Revenue and Customs (HMRC) and the Ministry of Defence (MoD) for breaching the Data Protection Act.

HMRC faces action following damning reports by the Independent Police Complaints Commission (IPCC) and by chairman of PriceWaterhouseCoopers Kieran Poynter into HMRC losing two data discs containing 25 million people's details.

The IPCC found that there was a complete lack of any meaningful systems, a lack of understanding of the importance of data handling and a "muddle through" ethos at the HMRC at the time of the loss last November.

The Poynter report found "two major institutional deficiencies", namely that "information security simply wasn't a management priority as it should have been" and that "HMRC had an organisational design which was unnecessarily complex and crucially, did not clearly focus on management accountability".

The Poynter report said: "The data loss incident arose following a sequence of communications failures between junior HMRC officials and between them and the National Audit Office (NAO). The loss was entirely avoidable."

The MoD's loss of 600,000 personnel and new recruit details was also heavily criticised in a report by Sir Edmund Burton, who blamed poor management by the Army Recruiting and Training Division and its contractor EDS. The report said laptops had been used in breach of MoD encryption policy and pointed out ongoing data protection breaches within the MoD.

After studying the report, the Chief of the General Staff has ordered an inquiry to investigate whether there are grounds to pursue either disciplinary or administrative action in respect of the management of the contract between the Army and EDS.

The Burton report recommended 51 changes within the MoD and the Poynter report 45 changes within the HMRC, 39 of which he says the department is making progress on.

Following the reports, Information Commissioner Richard Thomas said in a statement: "The reports that have been published today show deplorable failures at both HMRC and MoD. Information security and other aspects of data protection must be taken a great deal more seriously by those in charge of organisations.

"It is beyond doubt that both Departments have breached Data Protection requirements and we intend to use the powers currently available to us to serve formal Enforcement Notices on them."

Both departments face the threat of legal action if they fail to comply with the enforcement notices, which require them to submit progress reports on how they are implementing the recommendations after 12, 24 and 36 months.

Speaking in Parliament, Chancellor of the Exchequer Alistair Darling said: "It is quite clear that the loss was entirely avoidable and again I apologise unreservedly to everyone who has been affected."

In response to the Poynter report, HMRC acting chairman Dave Hartnett said: "HMRC is absolutely committed to delivering all of their recommendations and to ensuring data security remains an explicit priority in the future. While the IPCC found no evidence whatsoever of misconduct or criminality by any member of HMRC, the two reports make it clear that the data loss was avoidable and a result of serious failings within HMRC. In short, it should never have happened."

Bill Jeffrey, permanent under secretary for the MoD, said: "We deeply regret the losses of personal data. We have identified weaknesses within parts of the MOD that led to this situation and I am confident that we are taking the necessary steps to address them."

Cabinet secretary Sir Gus O'Donnell has also published a review of information security in government, putting in place a new framework for the future to improve the rules, culture, accountability and scrutiny of data handling.

The changes announced in the report fall into four groups.

  • Core measures: a series of mandatory minimum measures is being put in place across government including encryption and compulsory testing by independent experts of the resilience of systems.
  • Cultural change: all civil servants dealing with personal data are to undergo mandatory annual training. The government will also introduce 'privacy impact assessments', recommended by the Information Commissioner.
  • Stronger accountability: data security roles within departments are being standardised and enhanced to ensure clear lines of responsibility.
  • Increased scrutiny: Departments will report on their performance, the NAO will look at what they say, and the Information Commissioner is already planning his first spot checks.