Wednesday, June 25, 2008

Recommendations from Child Benefit CD data loss

Recommendations from the IPCC investigation of the Child Benefit data loss are as follows; I have tried to highlight what they really mean. In one word: CLUELESS.

The report does not seek to make detailed recommendations, nor does it comment on the developments needed to ensure that HMRC's systems and practices meet the challenges involved in modern-day data handling. HMRC did not have a clue what they were doing and had no idea how to deal with computer based data.

    1. HMRC should review and develop a strategic working relationship with the NAO in respect of any audit of its resource accounts. HMRC should implement a strategy of communicating the detail and requirements of an audit to HMRC staff in order to facilitate audit work. Both agencies are clueless on how to work together. HMRC should work with the NAO to sort out how they communicate and stop losing data and providing data not required.
    2. HMRC should review the security controls and protocols associated with generating large volumes of data, and the subsequent handling of that data in whatever format both internally and on disclosure outside the organisation. Clueless. HMRC have no security in place and need to work out how they are going to secure their data.
    3. HMRC should develop a data security strategy, training strategy and communication strategy for all HMRC staff to raise awareness and understanding of data protection and data security, and in line with the principles of the Data Protection Act. HMRC have no strategy for data security or training for people in data security.
    4. HMRC should review and develop its role and responsibilities as data controller within the meaning of the Act in order to demonstrate a management commitment to information security throughout the organisation. Clueless. HMRC should read the Data Protection Act and conform with it. Senior Management need to realise that they have to do some work to justify their salaries.
    5. Consideration should be given to sharing this investigation report with the Information Commissioner, who is responsible for data protection issues under the Act. Clueless. HMRC should be prosecuted as a business under the Data Protection Act and if this was a normal business would be heavily fined and hung out to dry. Resignations of senior IS staff etc. would be expected.
    6. Where breaches of security are discovered, HMRC should report these promptly so that any remedial or recovery action can be taken. This did not occur in this particular case. Clueless. HMRC did not have a clue what they were up to.
If HMRC were a run-of-the-mill business they would now be under severe pressure. The whole management of their IS department is to blame. Where was the proper audit of this system?

This is the sort of organisation which is or will be responsible to
  • Look after your health records (aka The Spine)
  • Look after your DNA
  • Look after ID cards

I wouldn't trust them with a single bit. They are clueless and hopeless. This is beyond parody that an enterprise entrusted with our vital data have no apparent strategy for the handling and securing of data. Both management and employees are at fault here. The management for not providing the correct structure for the proper running of the business and employees for not ceaselessly complaining about this lack of structure.

Alistair Darling has called this a "Cultural" problem. I call it criminal irresponsibility. Now guess who was responsible for the merging of the two departments and was in charge of them for over 10 years. Yes, of course, it was our Jonah, Gordon Brown. He is the man ultimately responsible for this problem, however he will have retired to his Bunker again to sulk whilst leaving his underlings to face the music. A true man of Courage.

IPCC publishes report into missing HMRC data CDs (full version)
