Reviews scathing on HMRC data losses

Written by Adrie van der Luijt   
Wednesday, 25 June 2008
Three separate reports conclude that the loss of 25 million child benefit records by HM Revenue & Customs was entirely avoidable.

The Cabinet Secretary published his wider cross-Government work to improve data handling on Wednesday.

The Independent Police Complaints Commission found that the processes for data handling were “woefully inadequate” at HM Revenue and Customs' Child Benefit Office in Washington.

It said that individual members of staff were not to blame, however, for losing the missing Child Benefit data CDs.

Complete lack of any meaningful systems 

The IPCC's investigation uncovered failures in institutional practices and procedures concerning the handling of data.

It revealed the absence of a coherent strategy for mass data handling and, generally speaking, practices and procedures were less than effective.

The IPCC found that there was a complete lack of any meaningful systems, a lack of understanding of the importance of data handling and a ‘muddle through’ ethos.

Staff found themselves working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data appropriately.

While an ongoing review of data procedures was being conducted within HMRC at the time of these events, it had not been finalised. Had this internal review received a higher priority, this incident might have been avoided.

The Commission is therefore referring its findings on the missing Child Benefit CDs to the Information Commissioner.

Formal enforcement 

Richard Thomas, Information Commissioner, said that he would be taking formal enforcement action against HMRC and the Ministry of Defence (MoD) following two separate serious data breaches.

“The reports that have been published today show deplorable failures at both HMRC and MoD. Whilst these breaches have been highly publicised and involve big numbers, sadly they are not isolated cases,” he added.

Thomas called it “deeply worrying” that many other incidents have been reported, some involving even more sensitive data. He said that it was of fundamental importance that lessons were learned from these breaches.

“Information security and other aspects of data protection must be taken a great deal more seriously by those in charge of organisations. No chief executive can now say that data protection doesn’t matter,” Thomas warned.

IPCC Commissioner Gary Garland, who oversaw the investigation, said that once the data loss was discovered, steps were taken immediately to tighten security.

“A full review of practice and procedure has been carried out. Many reforms have taken place and are continuing as improvements are rolled out across the department. We hope that the momentum will be maintained,” he added.

Ineffective practices and procedures 

When it became clear that two CDs containing sensitive data had gone missing from the Child Benefit Office in Washington, Tyne and Wear in October/November 2007, it gave rise to serious public concern.

The IPCC concluded that the transit of the CDs to the National Audit Office (NAO) was clearly compromised by ineffective practices and procedures, which meant that an event like this was certain to happen – the only question being when.

Three separate investigations were set up, each dealing with differing aspects of the incident.

The Metropolitan Police Service were conducting a search aiming to recover the CDs. The IPCC were looking into the series of events leading up to the loss of data and considering whether any criminal conduct or disciplinary offences had been committed by HMRC staff.

A separate review by PricewaterhouseCoopers chairman Kieran Poynter found “serious institutional deficiencies” at HMRC, but also concluded that individuals were not to blame.

Poynter concluded that "a great deal of work will be required to bring HMRC up to and to sustain the world class standard for information security to which it now properly aspires".

Levels of accuracy of payments

The Poynter review was looking at institutional management structures that might significantly improve HMRC’s data handling performance.

The inquiry focused on events that took place between December 2006 and March 2007 and between September and October 2007 relating to two separate audits, carried out by the NAO, of the £10 billion expenditure on Child Benefit.

The National Audit Office (NAO) needed to check the levels of accuracy of payments of Child Benefit. The NAO asked for the relevant data but without names, addresses or bank account details.

HMRC had already scanned the data and wanted to use the existing data rather than overburden the business by asking for additional data scans without those details included, as these might incur a large cost.

In March 2007 one employee queried supplying all of the data but was told the NAO were entitled to go wherever and have access to anything without exception. The CDs were sent to the NAO and returned safely in April 2007.

In September 2007 the NAO wanted to undertake a repeat of the audit. The NAO asked HMRC to ensure that the CDs were delivered as safely as possible due to their content.
