Systematic failures and "woefully inadequate" processes for handling data at HM Revenue and Customs (HMRC) led to the loss of personal details of 25 million people, according to two scathing reports published Wednesday.
Fragmented and complex IT systems made it difficult for the organisation to identify and manage its information security risks, the Poynter report stated.
The report - which highlighted serious structural failings at HMRC offices and said the loss was "entirely avoidable" - was the result of a review into HMRC's security procedures by PricewaterhouseCoopers chairman, Kieran Poynter, in consultation with the Independent Police Complaints Commission (IPCC).
Another report by the IPCC also dealt HMRC a heavy blow, stating information security "simply wasn't a management priority". The IPCC report looked into the series of events that lead up to the loss of data to consider whether any criminal conduct or disciplinary offenses had been committed by HMRC staff.
While IPCC found no evidence of criminal misconduct, it said corporate data handling was "clearly woefully inadequate."
The investigation found "the absence of a coherent strategy for mass data handling" and a whole department that demonstrates a "muddle through ethos". HMRC staff often found themselves working "without adequate support, training or guidance about how to handle sensitive personal data appropriately," the report continued.
After the loss of the two child benefit discs last autumn, HMRC has pledged £155 million over three years to improve data security. The Poynter report made a number of recommendations for HMRC to overhaul its IT systems and its processes so as to reduce the "islands of information", reduce the need for data transfer and improve data integrity.
"To merely augment controls around HMRC's existing processes will not sufficiently reduce information security risk, especially given the fragmented nature of HMRC's IT estate," the report stated.
Information commissioner Richard Thomas said formal enforcement action had been taken against the HMRC following the data breaches. He added it is "beyond doubt" that the department breached Data Protection requirements.
In a letter to the financial secretary to the Treasury, Dave Hartnett, HMRC acting chairman welcomed the reports' findings. Hartnett said that since the child benefit data loss incident, HMRC has introduced a number of data security measures. "As we have discussed, since the incident HMRC has significantly strengthened data security, including removing the ability of all staff to save data to portable media such as CDs and memory sticks and reintroducing this only where there is a compelling business case to do so."
"We have introduced tight restrictions on the bulk transfer of sensitive information and are conforming to new cross government rules on encryption. We are also reviewing all bulk data transfers and have stopped those which are not business critical. And we are working with our stakeholders to further improve the security of bulk data transfers that do still need to be made."
The Poynter report listed urgent actions for HMRC to take, which includes:
- A reminder to all staff from the Chairman of HMRC of the importance of data security with some specific guidance;
- The appointment of a senior official to the new post of Director of Data Security;
- The appointment of Data Guardians in each area of HMRC;
- The imposition of a complete ban on the transfer of bulk data onto removable media without adequate security protection such as encryption;
- The disabling of the download function on all personal and laptop computers in use across HMRC, to prevent their use to download data onto removable media;
- The utilisation of secure couriers and appropriate tamper proof packaging in the transport of bulk data stored on removable media.