Wednesday 21 November 2007

HMRC: Who asked for the data and why?

I have now found out the answer to one of my burning questions in relation to the HMRC data breach, which was: why on earth would HMRC have any requirement to send the entire database outside their organisation?

The lost HMRC CDs were destined for The National Audit Office (NAO), a body which scrutinises public spending on behalf of Parliament.
“The role of the National Audit Office (NAO) is to audit the financial statements of all government departments and agencies, and many other public bodies. We also report to Parliament on the value for money with which these bodies have spent public money. As well as providing accountability to Parliament, we aim to bring about real improvements in the delivery of public services.”

As part of the preparations for the 2007/08 audit of the HMRC by the NAO, the NAO, instead of requesting the usual sample of data to audit, requested a full copy of client benefit data. No doubt because the funding and costs of child benefits have been a political hot potato in recent months.

However, the NAO requested HMRC filter the information before sending it, removing details of parents, addresses and bank information. At this stage I was able to find out whether NAO requested the data to be shipped on CDs unencrypted or not, but nevertheless HMRC are still 100% responsible for sending the data in that fashion, and thus fully responsible for the breach.

But I can't help but wonder if someone within government instructed NAO to carry out a comprehensive audit of the HMRC. HMRC's own rules on data protection were bypassed and proper channels were not used. It's no excuse, but could government pressure have been a factor?

Timeline of events
2 October 2007: The NAO formally asks HMRC for files on child benefit claimants.

18 October: HMRC tells the NAO that the CDs have been sent.

24 October: The NAO informs HMRC that the discs have not arrived. The NAO asks for a second set to be sent – it needs them urgently to ensure an audit of HMRC’s accounts is not delayed.

25 October: The NAO confirms receipt of the second set of discs. Its staff point out that the first set has still not arrived.

5 November: HMRC confirms that the first set of CDs is still missing.

8 November: The NAO begins a search for the missing CDs and the loss of the data is raised formally as a security incident. It is only at this point that HMRC’s senior management is informed – but not the Chancellor of the Exchequer Alistair Darling who is responsible for HMRC.

10 November: HMRC with the cooperation of the NAO begins a search for the CDs at the offices of the audit office at Victoria. The NAO has no record of having received the first set of CDs. Only now is Alistair Darling, the Chancellor, informed.

11 November: HMRC and the police search the NAO’s offices. Nothing is found.

20 November: Alistair Darling makes a statement to the House of Commons on the missing discs and Paul Gray, the chairman of HMRC, resigns.

21 November: HMRC issues an apology.
