Concerning the disastrous leakage of 25 million people's identity information at least nine HMRC staff knew of the full (25 million record) data extract and its transfer to the National Audit Office (NAO) in March. This is shown by HMRC and NAO e-mails released today (Nov 22nd) by the NAO

These collected e-mails were prefaced by a pair of lovey-dovey, 'lessons to be learned' mails between HMRC's new boss, Dave Hartnett, and the assistant auditor general at the NAO, Caroline Mawhood. We note that it was the auditor general himself, Sir John Bourn, who told Edward Leigh's Public Accounts Committee that high-level HMRC officials had told the NAO it would be 'burdensome' for the HMRC to strip out the unwanted extra and very sensitive information, and talk of a 'junior HMRC manager.' Bourn is the outgoing NAO head. It is significant that he is not party to the lovey-dovey e-mail exchange between his underling, Mawhood, and Hartnett which demotes his high-level HMRC officials to a junior manager.

The key e-mail

What we reproduce here is the key HMRC-source e-mail released by the NAO. Certain names have been blanked out by government sources and are indicated thus: [blanked]. The other text is an exact copy of the e-mail:-

From: [blanked](Benefits and Credits) [blanked]
Sent: 13 March 2007 15:23
To: [blanked]
Cc: [blanked]@nao.gsi.gov.uk; [blanked](Benefits and Credits); [blanked](Benefits and Credits); [blanked]KAI Analysis)
Subject: FW: URGENT Extract from Compliance Scan
Importance: High
Sensitivity: Confidential

Hi [blanked]

[blanked] has passed this over to me for my views.

Your original request was for 100% scan of the data, and fortunately a scan was complete earlier this year, and we have shared ths with you at no additional cost to the department. I know you are meeting with Compliance and KAI colleagues on Wednesday and all your issues regarding data extracts should be taken up with them. I must stress we must make use of data e hold and not over burden the business by asking them to run additional data scans/filters that may incur a cost to the department.

Trust this is satisfactory for now and look forward to seeing you Thursday

[blanked]

How many people knew?

This e-mail has one addressee, four people CC'd and a sender. One CC person is in the NAO, shown by the address. The other five HMRC people all received an URGENT e-mail of High importance and Confidential sensitivity. It beggars belief that they did not receive it and read it.

In the e-mail thread that accompanies this there are five e-mails dated 13 March 2007, the top one of which we have reproduced above.The sense of them indicates that three other HMRC people knew about the data extract. The first e-mail in his thread is from [blanked](CBO Washington 1) and its text indicates it is from a member of the HMRC Child Benefit Office Mainframe Systems organisation. It is copied to two other addressees whose names have been blanked out at the (CBO Washington 1) e-mail domain and is a note accompanying a sample of the extracted data.

In other words three HMRC staff at the Washington office knew of the data extract. That makes eight HMRC staff who knew of the data extract. Only one of them is directly involved in it at Washington and is presumably the hapless junior official, male and 23 years old who is holed up in an anonymous hotel. The HMRC people in the (Benefits and Credits) are more senior and one of them is an Assistant Director, and another a business manager.

Mawhood-Hartnett commentary

In the lovey-dovey Mawhood-Hartnett exchange Mawhood writes: "We met this morning and agreed that the HMRC Process Owner for Child Benefit was a copy-recipient of an e-mail dated 13 March 2007. The e-mail was sent by a junior HMRC manager ... we have no evidence that the Process Owner for Child Benefit made the decision to release the data."

No, we have not. But what we do have is an e-mail sent to that person, named as Nigel Jordan, previously involved with tax credits in a senior role, in a report, marked urgent, sensitive and of high importance which he would have read. He got the whole e-mail thread and knew that 100 percent of the extracted data was going to the NAO. He knew that no filtering of the scan had been done for cost reasons (estimated at £5,000 in a report). Did he check the transfer method? Did he get the data filtered? No he did not. HMRC provided the data scan in full on 16 March. It was provided on two CDs containing 100 zipped files.

When the NAO Audit Principal officer requested another copy of the data in an e-mail sent on 2 October to @hmrc.gsi.gov.uk', which now makes it nine HMRC people who knew about the data transfer, he or she requested: "Please could you ensure that the CDs are delivered to NAO as safely as possible due to their content."

Blameless NAO

The NAO is blameless here. Nine HMRC people, one at Assistant Director level with the title Process Owner for Child Benefit, another a Business Manager, knew about the data extract and the transfer of CDs to the NAO. None of them checked whether the transfer method was appropriate to the sensitivity of the data. The March transfer worked. The first October transfer using the ordinary TNT bulk mail delivery service did not. A second one, using a TNT registered delivery service did.

Blameworthy high-ups at HMRC

So a junior official at the Child Benefit Office in Washington sent the CDs by unregistered internal mail and is probably going to be sacked.

But:

1. HMRC should not have extracted the whole data set. It should have filtered it.
2. HMRC should not have transferred the information on unencrypted CDs, by registered mail or any other method.
3. HMRC should have carried out its duty of care for this extraordinarily sensitive information and made sure that its transfer was carried out properly.
4. HMRC IT procedures should simply not have allowed the transfer of this unencrypted information to removable media.

These four failings are not the responsibility of the 23-year old in the Tyne & Wear hotel. They are the responsibility of Paul Gray, ex HMRC boss, Stuart Cruikshank, chief financial officer, and Deepak Singh, chief information officer. Gray has departed. Cruikshank and Singh have not. To my mind they should.