
Reports in full: HMRC and MoD data breaches

News analysis: The damning findings and recommendations

Tags: full disclosure, data loss, mod

By Nick Heath

Published: 26 June 2008 17:28 GMT

The Poynter Review

The Poynter Review looked at the changes to institutional management structures needed to significantly improve HM Revenue & Customs' (HMRC) data handling performance in light of the data losses.

The inquiry focused on two separate National Audit Office (NAO) audits of the department's £10bn expenditure on child benefit, one carried out between December 2006 and March 2007 and the other between September and October 2007.

It was during the second audit, on 18 October, that the two CDs containing the personal details of 25 million people claiming child benefits went missing.

The report's findings were:

  • More than 30 officials from four HMRC departments and a number of NAO staff played some part in the data loss.
  • Events were the result of "an unfortunate catalogue of interlocking factors", not of malice or disregard for policy or procedure.
  • Institutional deficiencies, not individual staff members, were to blame.
  • The fragmentation of the 650 computer systems was identified as one of the fundamental problems afflicting HMRC. The review found that systems such as PAYE, National Insurance, Child Benefit and Tax Credits operate as separate systems, each with its own individual customer record. The constant need to bring information together from these systems increases the security risk. Problems of this nature arose out of the merger of the Inland Revenue (IR) and Her Majesty's Customs and Excise (HMCE).
  • Large amounts of data are transferred around HMRC without regard to risk and security. Instances included several thousand records being sent by unencrypted email and transfers of large amounts of data on discs to other departments such as the Department for Work and Pensions.
  • Security risk was not a priority: there were holes in risk-assessment capabilities, a poor command structure and a lack of security staff.
  • Information security policies were too complicated for staff to navigate. The biggest gaps were in guidance on encryption and on setting an audit trail for data transfers.
  • There was a widespread lack of awareness and training for staff on information security, and no clear data guardian at the time of the loss.
  • HMRC continues to operate processes that hark back to a paper-based rather than a digital world.
  • Morale is low in HMRC and management needs to focus on engaging with staff.
  • The October loss saw two serious breaches of policy, relating to the lack of authorisation for disclosure of the full data and to its being sent via untraceable internal mail.
  • No appropriate authorisation was sought or obtained for the release of the data in October.

Recommendations:

The report has made 45 recommendations, 26 of which it says the HMRC is making progress on, and 13 of which have been implemented.
It recommends:

  • HMRC holds the minimum necessary data for the minimum period.
  • HMRC moves to having single customer records across all systems.
  • HMRC begins to communicate with customers via email instead of paper.
  • HMRC phases out data transfers using physical media.
  • All computers and, in the short term, portable media should be encrypted.
  • All incoming post should be scanned and distributed digitally.

Changes:

HMRC says it has made widespread changes on the back of the report including:

  • Removing the ability of all staff to save data to portable media such as CDs and memory sticks.
  • Stopping all bulk data transfers that are not "business critical".
  • Restrictions on the bulk transfer of sensitive information, conforming to new cross-government rules on the encryption of personal data.
  • Issuing every staff member with new data security rules written in "plain English".
  • Mandatory data security training for all staff.
  • Appointing Data Guardians across the department.
  • A new management structure that gives much clearer lines of accountability.
  • Working towards a single customer record, phasing out physical data transfers and eliminating paper records.
