As the Shadow Chancellor, whilst commenting on the Poytner Report into the loss of Child Benefit data, said this afternoon the loss of data by HMRC is symptomatic of nothing less than
"incompetence and systemic failure at the heart of this government"
They were "a guide to how not to govern this country",
Alistair Darling called for a
"change of culture" across Whitehall so that "security is first and foremost in people's minds"
following a string of further data breaches, including officials losing lap top computers.
Darling also tried to say that private organisations were no better than HMRC this is refuted by a single line in the report which says
HMRC has completed an assessment of where it stands today vis-à-vis ISO27002(International Standard for Security Framework) and has concluded that it lags well behind the majority of large private sector organisations...
As usual this government tries to lie its way out of trouble that it has caused. Initially Mr Darling told us, when he briefed MPs on the loss in November,
a "junior official" had been responsible for posting the information "contrary to all HMRC standing procedures"
Then again Alistair Darling is not the root cause of the problem, we only have to look at who was responsible for HMRC for 10 long years, yes of course that man of courage Gordon Brown, who left Alistair Darling on his own to give this apology and statement.
The Poynter report on the Child Benefit data loss by HMRC has no less than 45 recommendations all of which have been accepted. This points to complete management breakdown and a total lack of responsibility in the department.
Let's look at some of the factors
- Some DSSM and IDG policies lacked sufficient detail and strength to guide staff.
- Inadequacy of removable media and encryption policies.
- Better implementation and enforcement of policy is required.
- Policy could be made more accessible and better communicated.
- Appropriate authorisation.
- Method of data transfer.
- Prioritisation of operational delivery over information security.
- Lack of policy awareness.
- Lack of training.
- Accountability for the ownership and guardianship of data.
- Lack of clarity surrounding authority requirements.
- Relations with the NAO.
Now that's a fair list and leads us to easily conclude that this was a disaster waiting for an opportunity. In fact as the report says, even after the loss of the 2 discs, staff still sent out essentially the same data with no protection.
The wider review makes it very clear what the problems are:
- Information security, at the time of the incident, simply wasn’t a management priority;
- Even had it been a priority, HMRC’s organisational design and the governance and accountabilities underpinning it would have made it extremely difficult for it to be felt as such;
- Even with a more suitable organisational structure, the fragmentation and complexity that has accompanied the changes that HMRC has had to absorb makes information security difficult to control;
- HMRC’s information security policies were inadequate and those that they had were unduly complex and not adequately translated into guidance or training for the junior officials who needed them;
- HMRC continues to operate processes that hark back to a paper-based, rather than a digital, world; and
- Morale is low in HMRC and management needs to continue to focus on engaging with staff as the department embarks on a period of further change.
In other words Information Security just wasn't part of the work ethic. This in an establishment that is handling secure data each and every day. Poynter says in his report
As regrettable as the Child Benefit data loss incident was, one positive may yet flow from it. It may provide the burning platform for these transformations, recognising it as an imperative rather than a luxury.
This is key to understanding why the whole sorry situation occurred. The whole HMRC system is so fragmented and so full of holes that the transfer of data between agencies and within its own systems is unbelievably complex. Only by transforming this system can it ever be truly secure. Until then the whole process needs to be tightly controlled to ensure a somewhat acceptable degree of security. Some facts that bring this to life. HMRC
- Operates some 650 different systems;
- Has a further 4500 Business Developed Applications (mostly Microsoft Excel & Access), of which 550 have been classified as business critical by Business Units;
- operates from some 900 sites/offices;
- Sends out some 300 million items of mail a year.
It is no small wonder then, that when the Director of Data Security imposed a ban on non-encrypted bulk data transfers following the data loss incident, several data transfers were uncovered that senior management in HMRC was not aware were happening, including at least three regular downloads of the entire child benefit database – the same information that was reported lost in November 2007. These were regularly downloaded onto non-encrypted media and put into internal mail.
The report also highlights some of the more inefficient waysand outmoded ways HMRC handles data such as
Although the volumes have declined a little, HMRC continues to rely heavily on paper-based communications. Last year, for instance, HMRC sent out around 300 million letters and mailings to its customers, an average of 8 per household and 68 per business. The media it uses for data transfer is similarly archaic. For example, the Magnetic Media Handling operation in Longbenton, Newcastle, accepts all media (reel to reel tape, cartridges, floppy discs, CDs etc.) on which employers submit their end of year returns and could be designated a museum if the criteria were variety of media no longer generally used (media, incidentally often associated with systems incapable of creating encrypted data). Whilst part of the reason for HMRC continuing to accept such media is in response to customer demand, I strongly believe that HMRC should be stronger about which media it will and won’t accept – particularly when this can drive whether or not data can be encrypted.
As well as the media and the channels that HMRC employs, its modus operandi similarly harks backs to a pre-digital era. For instance, HMRC never seems to start from the base of the information it has. Good examples are the self-assessment process for employees where the majority of people copy their information from the P60 and P11d given them by their employer – information that HMRC already has – and Tax Credits where the application form starts from scratch although HMRC nearly always has details on that customer. Both of these examples contribute to information security risk by requiring unnecessary exchanges of data and by creating islands of information that require additional exchanges to keep them synchronised.
So not only ancient ways of taking in data but also requiring data that they already have more than once which cannot lead to anything but problems.
The recommendations of the report are nothing less than a damning indictment of the HMRC. They are long and cover
Strategy, 14 recommendations.
People, 7 recommendations.
Process, 21 yes 21 recommendations.
New Direction, 3 recommendations.
All of these recommendations have been accepted. It will take time to implement them all. Until then the security of HMRC data, our data can only be suspect.
Statement: CHX 250608