Kieran Poynter has published his review of information security at HM Revenue and Customs. Yes, after a seven-month wait, it's the official explanation of how it was possible for a junior official to lose discs containing records for 25 million individuals and 7.25 million families in the post. ORG is very pleased to see the review making sensible recommendations that should be followed not only by HMRC but by all government institutions. Information security should be seen as a priority. This report is clear in stating that in HMRC it was not.
The fact that information has value may be blindingly obvious to most of those who read our blog, but it is not so obvious to officials working in government. Poynter recommends that HMRC should hold the minimum amount of data required to perform its functions - a recommendation echoed by the Home Affairs Select Committee in their recent report "A Surveillance Society?". Unfortunately, unless this Government can get over its addiction to large, centralised databases, data minimisation will be a distant dream.
The report also recommends that the transfers of digital data involving physical media should be phased out completely and computers (and in the short term, any removable media) should be encrypted. From the report it is clear that HMRC employees were unsure about who owned and was responsible for data. Insufficient security education and awareness is highlighted as an unsurprising explanation for the poor information security. And because HMRC did not understand how data moved through the organisation it was hard to effectively identify and manage its information security risks. Or, put a different way, if you do not know what you have got, where it is and who is doing what with it, it is impossible to guarantee that someone is not doing something they shouldn't be.
The data loss incident arose following a sequence of communications failures between junior HMRC officials and between them and the National Audit Office ("NAO"). The loss was entirely avoidable and the fact that it could happen points to serious institutional deficiencies at HMRC.
The two major institutional deficiencies from which many of the more detailed issues flow were:
- Information security simply wasn't a management priority as it should have been, and
- HMRC had an organisational design which was unnecessarily complex and, crucially, did not clearly focus on management accountability
So now to an important question: will it happen again?
HMRC has significantly reduced the risk of further data loss since the incident. However, when there are so many islands of information and so many data transfers going on, and while simple guidance is not available to staff, further data loss nonetheless remains a distinct possibility and more needs to be done. Investment will be required to continue the reduction of risk to an acceptably low level, although the review process is identifying data transfer practices which can simply be stopped at no significant cost.
Not the most reassuring answer. The good news is that a low-level employee has not had all the blame placed on his head. The culture inside HMRC of getting things done quickly and cheaply at the expense of information security is singled out throughout the report.
... the more junior staff involved in the incident clearly voiced their concerns about handing over the data to the NAO, but were overruled by their immediate superiors - at least in part to save the cost of producing a bespoke set of data.
Richard Thomas, Information Commissioner, said:
I will be taking formal enforcement action against HMRC and MOD following the serious data breaches that have occurred.
The reports that have been published today show deplorable failures at both HMRC and MOD. Whilst these breaches have been highly publicised and involve big numbers, sadly they are not isolated cases. It is deeply worrying that many other incidents have been reported, some involving even more sensitive data. It is of fundamental importance that lessons are learned from these breaches. Information security and other aspects of data protection must be taken a great deal more seriously by those in charge of organisations. No chief executive can now say that data protection doesn’t matter.
It is beyond doubt that both Departments have breached Data Protection requirements and we intend to use the powers currently available to us to serve formal Enforcement Notices on them. To comply with the terms of the Enforcement Notices we will require HMRC and the MOD to use their best endeavours to implement all the recommendations outlined in the reports. We will also be monitoring the situation closely. We will require progress reports to be published after 12, 24 and 36 months documenting in detail how the recommendations have been, or are being, implemented to improve Data Protection compliance. Failure to comply with an Enforcement Notice is a criminal offence.
I welcome the seriousness of the requirements and guidance for central government in the Cabinet Secretary’s Data Handling Report; this material should help chief executives across the whole of the public, private and third sectors achieve better compliance with the Data Protection Act and keep people’s personal details more secure.
A separate report by the Independent Police Complaints Commission said that "investigation found no visible management of data security at any level".