Following on from the NAO e-mail thread release which showed that nine HMRC people were involved in the 25 million Child Benefit database record release, it is now reported that officials from three HMRC departments took the decision to release the full database.
One of them is the Assistant Director, Nigel Jordan, who is going to be hauled before John Leigh's Public Accounts committee and questioned about what he knows. I wonder if he'll try the Official Secrets Act defence?
He knows about talking to MPs; he has done it before, when he was involved with Tax Credits at the Revenue.
These are not junior officials and the sending of unencrypted information by inter-office courier services was the usual thing at HMRC. It was a normal aspect of their system.
HMRC routinely transfers information on CD
Six CDs containing sensitive identity information are now missing from HMRC. KPMG also got a full database record extract on CD in March. There were the 15,000 identity records leaked when two HMRC CDs went missing on their way to Standard Life. It is obvious that CD transfer was the usual method for transporting records in their thousands or millions between HMRC offices and other places.
The scapegoating of the official at the CBO Washington office who actually sent out the CDs is disgraceful and is now an obvious and wholly transparent attempt to protect a government department, HMRC, that is institutionally careless with sensitive information.
That is because finance director Stuart Cruikshank and CIO Deepak Singh neither know nor seem to care about computer security and how much HMRC should spend on it. As neither of them is setting a lead on the topic, it is hardly surprising that senior officials like Jordan didn't feel impelled to stop the transfer of the full extract by unencrypted CD.
They just don't get it. Neither the HMRC director, CFO Cruikshank, CIO Singh, process owner Jordan nor any other responsible person in HMRC appears to have the faintest clue about what a duty of care regarding sensitive information means.
We expect the average politician to be a clueless dunderhead in such matters but the chief information officer of the HMRC itself? Clueless about information security? Who recruited this inadequate person? Why is he still in his post?
Guarding your identity
We're all concerned about identity fraud following the loss of 25 million records by the bungling HMRC. The junior official at the HMRC Washington office is having his identity protected. We now know it's a man, according to reports, who has worked at the HMRC for 23 years and still does. (Apparently he's been offered welfare counselling.) We don't and can't find out more; we have no name to go on.
But give me a name and a place and a careless person and you and I can find out huge amounts of information about them. Take Nigel Jordan, the identified assistant director at HMRC who is the Process Owner for Child Benefit and the copy-recipient of the smoking gun e-mail supposedly proving he did not take the decision to release the information - although he obviously didn't stop it going out either.
Anyway the Daily Telegraph says he is from West Wickham. So a check on the electoral roll for Bromley using TraceSmart reveals his address. His house is called Greystoke - is he now to be known as Tarzan?
A scan of Facebook reveals his entry there in which he says he is an HMRC assistant director and reveals information about his marriage and sexual orientation. A look at LinkedIn reveals an entry for him, ditto a look at Facebook. We know the schools he went to, his taste in music, his address.
What could a determined person find out? Enough to clone his identity, no doubt. I think Facebook entries and the like ought to be severely pruned. Privacy is going to become a new virtue. Let's hope the logic of that thought is wholeheartedly endorsed by a new regime at HMRC with a great increase in respect for citizens' privacy.