Source: silicon.com, Public Sector News

Reports in full: HMRC and MoD data breaches

News analysis: The damning findings and recommendations

Tags: full disclosure, data loss, mod

By Nick Heath

Published: 26 June 2008 17:28 GMT

Independent Police Complaints Commission (IPCC) report

The IPCC was looking into events leading up to the loss of data and considering whether any criminal conduct or disciplinary offences had been committed by HM Revenue & Customs (HMRC) staff.

The report's findings were:

  • Processes for data handling at HMRC's offices in Washington in Tyne and Wear were "woefully inadequate".
  • Individual members of staff were not to blame for losing the missing Child Benefit data CDs.
  • There were failures in institutional practices and procedures concerning the handling of data.
  • It identified an absence of a coherent strategy for mass data handling and "less than effective" practices and procedures.
  • There was a complete lack of any meaningful computer systems, a lack of understanding of the importance of data handling and a 'muddle through' ethos.
  • Staff prioritised getting the data to the National Audit Office over the appropriate security measures.
  • Staff found themselves working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data appropriately.
  • Staff lacked understanding of how to protect data at the highest level.
  • An HMRC internal review of data procedures at the time of the event, which could have prevented the data loss, was given a low priority.
  • No attempt was made to check whether the data transfer in October had been authorised, or to check the password or encryption protection of the data during transfer.
  • It says that many reforms have taken place at HMRC and are continuing as improvements are rolled out across the department.
  • It referred its findings to the information commissioner.
  • Reluctance by HMRC staff to trim down the full amount of data contributed to the loss.
  • It found no visible management of data security at any level.
  • There was a lack of appreciation of data protection principles in the act.

Recommendations:

  • HMRC should review the security controls and protocols associated with generating large volumes of data, and the subsequent handling of that data.
  • HMRC should develop a data security strategy, training strategy and communication strategy for all HMRC staff to raise awareness and understanding of data protection and data security.
  • HMRC should take steps to ensure it complies with the requirements of the Data Protection Act at all times.
  • HMRC should report any breaches of security promptly, something that did not occur in this case.
