Wednesday 25 June 2008

Data-loss fiasco caused by 'woefully inadequate' system

The government has been dogged by a host of data scandals

Adam Fresco

The loss of 25 million child benefit records, complete with sensitive personal information, was brought about by a “woefully inadequate system” being used by staff who were working on a “muddle through” ethos, a damning report has found.

The 59-page report found that there were “cultural failures” at HM Revenue and Customs (HMRC) and practices at the organisation were “far from what they should have been”.

The Independent Police Complaints Commission inquiry said: “Staff found themselves working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data appropriately.

“The IPCC uncovered failures in institutional practices and procedures concerning the handling of data. It revealed the absence of a coherent strategy for mass data handling and, generally speaking, practices and procedures were less than effective.”

Gary Garland, the IPCC Commissioner, could not rule out that the personal information, including names, addresses, National Insurance numbers and bank details of child benefit claimants, had fallen into criminal hands.

Despite Scotland Yard sending in their specialist search teams, the discs, which disappeared in October last year while on their way from an HMRC office in the North East to the National Audit Office, have never been recovered.

The report found that an employee at HMRC recalled seeing a colleague place the discs, contained in a large yellow polythene envelope, in the tray at the end of the desks and heard him remark: “That’s it - it’s gone now.”

They had been put into the internal post by a junior official via the courier TNT which operates the HMRC’s post system. The package relating to 7 million families was not recorded or registered.

Six days later, on October 24, the NAO told HMRC it had not received the data. The staff hoped it had been delayed by postal strikes and decided not to tell senior officials.

A second copy of the data was then also sent by HMRC to the NAO, again in breach of procedures. This time the package was sent by registered post and arrived safely.

Senior management at HMRC were not made aware of the loss until November 8 and, two days later, Gordon Brown was told and ordered an immediate investigation.

The information was sent to the NAO as part of an audit they were doing on the £10 billion expenditure on child benefit.

They had carried out a similar review in March and had asked for the relevant data but without names, addresses and bank account details. However, the full files were sent and, when someone queried this, they were told that the NAO were entitled to go wherever they wished and have access to anything without exception.

One employee predicted in an email: “Things do get mislaid and imagine the uproar if the discs containing the customer data went astray and turned up where they shouldn’t - the long knives would be out.”

The findings in today's report are likely to up the pressure on Mr Darling amid criticism of his performance since taking over at the Treasury a year ago.

They could also prove damaging for Gordon Brown - who was in charge of the creation of HMRC as the then Chancellor.

The report, by top management consultant Keiran Poynter, is among four into Government data security being published today.

The Cabinet Office is releasing a broader study of how Whitehall data handling procedures can be improved. It is expected to endorse many changes which have already been introduced after a string of Government data security blunders - such as giving the Information Commissioner powers to carry out spot checks on departments and agencies.

The Ministry of Defence also issued a report on how a laptop containing details of 600,000 potential armed forces recruits was lost - which is said to highlight a slack culture among staff.

In the wake of the reports, Richard Thomas, the Information Commissioner, is to serve enforcement notices on both the Ministry of Defence and HM Revenue and Customs following “deplorable failures” at both departments.

He said he would use his powers to force the two departments to carry out the recommendations of two scathing reports into separate data breaches where discs and laptops with sensitive data were lost.

The Commissioner’s office said it was a criminal offence to fail to comply with such orders and both departments will have to supply annual reports to show the recommendations have been followed. The Commissioner, who will monitor both departments, also warned that the publicised breaches were not isolated cases.

“It is deeply worrying that many other incidents have been reported, some involving even more sensitive data,” said Mr Thomas. “It is of fundamental importance that lessons are learned from these breaches.”
