Government lays plans to avoid future data security blunders

    The loss last year of 25 million records by HM Revenue and Customs (HMRC) was the result of "woefully inadequate" processes for data handling, not individual employees, according to an investigation. The Government has responded with new data security plans.

    Three reports were published today relating to last November's news that two discs containing details of 25 million child benefit recipients had gone missing after being sent from HMRC to the National Audit Office (NAO). A fourth report, also published today, dealt with the theft in January of a Royal Navy recruiter’s laptop which contained unencrypted records on more than 600,000 people.

    The Poynter report

    Kieran Poynter, Chairman of PricewaterhouseCoopers, was commissioned by HM Treasury to investigate the circumstances that caused the incident. He has recommended systematic, organisational and management structures to improve HMRC's data handling performance.

    Poynter's report found that the loss was "entirely avoidable" and said the incident showed "serious institutional deficiencies at HMRC."

    Since the incident, a Chief Risk Officer has been appointed and clear security guidance has been published. Poynter makes 45 recommendations in his report. Chancellor Alistair Darling said in the House of Commons today that all of these recommendations have been accepted.

    "HMRC has made good progress on 39 of the recommendations including 13 which have been fully implemented," he said. "Work is continuing on the remaining recommendations."

    The IPCC report

    Secondly, the Independent Police Complaints Commission (IPCC), acting on its own initiative, investigated the events leading up to the loss of data to consider whether any criminal conduct or disciplinary offences had been committed by HMRC staff. The IPCC has concluded that individual members of staff were not to blame.

    The IPCC report found a complete lack of any meaningful systems; a lack of understanding of the importance of data handling; and a 'muddle through' ethos.

    "Staff found themselves working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data appropriately," according to an IPCC statement. "While an ongoing review of data procedures was being conducted within HMRC at the time of these events, it had not been finalised. Had this internal review received a higher priority, this incident may have been avoided."

    "The IPCC's investigation uncovered failures in institutional practices and procedures concerning the handling of data. It revealed the absence of a coherent strategy for mass data handling and, generally speaking, practices and procedures were less than effective," it said.

    Sir Gus O'Donnell's report

    Thirdly, Cabinet Secretary Sir Gus O'Donnell has published a review of information security in Government. His report, commissioned by the Prime Minister, explains a new framework for the future to improve the rules, culture, accountability and scrutiny of data handling.

    Sir Gus's report calls for mandatory minimum measures across government, including encryption and compulsory testing by independent experts of the resilience of systems.

    All civil servants dealing with personal data will be required to undergo mandatory annual training and the Government will be introducing Privacy Impact Assessments.

    Data security roles within departments are being standardised and enhanced to ensure clear lines of responsibility, according to the report. Departments will report on their performance under the scrutiny of the National Audit Office. The Information Commissioner will perform spot checks.

    Sir Gus said that since November, the Civil Service has responded "with urgency and vigour to improve data security."

    "However, I am under no illusion that more still needs to be done to restore public faith in the Government's ability to handle personal information safely," he said. "Although no organisation, public or private, can ever guarantee that it will never make a mistake, I believe the measures we are announcing today will ensure that the public can be assured we are taking the necessary measures to keep people's data secure."

    Action already taken to improve security includes the Cabinet Office issuing new, stricter guidelines on the handling of sensitive personal data, 90,000 employees at HMRC being given additional security training and the encryption of 20,000 laptops at the MOD.

    Sir Edmund Burton's report


    The fourth report, on the stolen laptop, was published by the Ministry of Defence. In it, Sir Edmund Burton, chairman of the Information Assurance Advisory Council, which supports the Cabinet Office, made 51 recommendations to prevent similar losses in future.

    The MOD said today that it has accepted all of Sir Edmund's recommendations and has prepared an action plan to implement them.

    The Information Commissioner's response

    Information Commissioner Richard Thomas said today that enforcement notices will be served under the Data Protection Act.

    "I will be taking formal enforcement action against HMRC and MOD following the serious data breaches that have occurred," he said in a statement. "The reports that have been published today show deplorable failures at both HMRC and MOD."

    "It is beyond doubt that both Departments have breached Data Protection requirements and we intend to use the powers currently available to us to serve formal Enforcement Notices on them."

    To comply with the terms of the Enforcement Notices HMRC and the MOD will be required to use their best endeavours to implement all the recommendations outlined in the reports, said Thomas.

    The Commissioner said his office will require progress reports to be published after 12, 24 and 36 months documenting in detail how the recommendations have been, or are being, implemented to improve data protection compliance.

    Failure to comply with an Enforcement Notice is a criminal offence.

    How it happened
    Sequence of events leading to the loss of data (the IPCC's account)

    The IPCC inquiry focused on events that took place between December 2006 and March 2007 and between September and October 2007 relating to two separate audits, carried out by the NAO, of the £10 billion expenditure on Child Benefit.

    The NAO needed to check the accuracy of Child Benefit payments. It asked for the relevant data but without names, addresses or bank account details. HMRC had already scanned the data and wanted to reuse that existing data rather than burden the business with an additional scan that omitted those details, as a further scan might incur a large cost.

    In March 2007 one employee queried supplying all of the data but was told the NAO was entitled to go wherever it wished and have access to anything without exception. The CDs were sent to the NAO and returned safely in April 2007.

    In September 2007 the NAO wanted to repeat the audit. The NAO asked HMRC to ensure that the CDs were delivered as safely as possible given their content. On 18th October the CDs were sent from Washington, Tyne & Wear through the internal tax post system, in an envelope addressed to the NAO in London. The package was not tracked or sent by recorded delivery. The CDs never arrived, and copies were made and re-sent.

    On 8th November a security breach report was raised by an HMRC employee. On 15th November HMRC informed the Metropolitan Police of the loss of the CDs. The following day HMRC formally referred the incident to the IPCC. The Metropolitan Police formally began their investigation to find the missing CDs on 18th November.
