KEY POINTS
- Junior staff raised more queries about security than their bosses
- Staff did not know the data security procedures that were in place
- Management structure of HMRC was unsuitable for its role
- HMRC should move to electronic communication and single taxpayer records
Kieran Poynter's review of the circumstances surrounding the loss of the two data discs containing the whole Child Benefit database gives a comprehensive explanation of what happened and detailed recommendations for stopping such data losses in future.
However, it goes far wider than that, and probably wider than its terms of reference might at first suggest. Among other things, it calls for a complete change in HMRC's management structure, and a radically different approach to both data and communication at a fundamental level.
Characters and scenery
It is worth spending some time on the detailed analysis of what happened, because that is what highlights the wider problems.
The forensic analysis includes detailed extracts from e-mails and has a cast of 21 HMRC employees and five NAO employees. In the report, the HMRC employees are labelled EmployeeA to EmployeeU, and the NAO employees Employee1 to Employee5.
I find that hard to follow, so in the summary below I have given the HMRC employees that I refer to names beginning with the same letters (EmployeeD is Doris, for example), and the NAO employees are referred to by job title.
I have given the short version of the Civil Service grade for many of the HMRC employees. In ascending order, these are O, HO, SO, and Grade 7.
To help judge seniority, the non-London pay scale for grade O in June 2007 started at £19,587, HO at £24,513, SO at £31,835 and Grade 7 at £42,586. Grade 7 is also the level that an entrant on the graduate development programme would expect to reach after four years' training.
You also need to know that there are three main business units involved here.
Benefits & Credits (B&C) are the people who actually process and pay child benefit (and also tax credits). Information Management Systems (IMS) are responsible for managing the computer system, although the data processing itself is outsourced to a third-party supplier, EDS.
Then there is a Claimant Compliance unit (CC), whose job is to investigate and prevent fraudulent Child Benefit claims. The final government department involved is the National Audit Office (NAO), which scrutinises the way that public money is spent.
Every six months, CC get a complete snapshot of the data on the child benefit system, on two data discs, provided by IMS. CC then load the data onto a stand-alone computer in a secure room in their Washington, Tyne & Wear, offices. They use it for their own compliance work.
March 2007 discs
In order to understand the loss of the discs in October 2007, it is necessary to go back a full year. In October 2006 the NAO decided they were going to audit the Child Benefit Office in six months' time, and the job of organising this was given to Lead Auditor.
The main point of contact for Lead Auditor within HMRC was Doris, an SO in B&C. Despite the protocol being that there should be one person responsible for data transfer requests, in fact other people in HMRC were also involved, in particular Fred, an HO in IMS.
Lead Auditor explained to Doris that he wanted to do his own sample of the database, and would therefore need details of all the cases for the year. E-mails show that Doris' main concern was the cost of providing this; several thousand pounds if ordered by IMS (presumably for the work that EDS do as outsourcer).
However, Doris realised that IMS would already have this information on the discs provided for CC, and they could therefore reuse this data.
While Doris copied in Ahmed, a senior civil servant three grades above her, on an early e-mail about using the compliance scan, there was no question at this point of the data going off-site.
Fred raised concerns about the NAO having this information, but Doris (in his words) gave him a 'hand slapping' in an e-mail which said that 'NAO are entitled to go where ever (sic) and have access to anything — without exception.' This e-mail was also copied to Ahmed, amongst others.
Fred subsequently authorised the production of a small sample of twelve cases, but continued to raise concerns about how the data would be handled by the NAO.
Lead Auditor, on reviewing the sample, asked if the address, bank and parent details could be removed — but only, it seems, because of the size of the files. Doris again complained that this would cost money, and Lead Auditor took this as meaning that 'you are getting it all or you are getting nothing'.
During the audit work in March 2007 Lead Auditor asked to borrow the discs, and did so. It is not at all clear who, if anyone, actually gave authorisation for the discs to leave the site; the only e-mails were between junior staff who seemed to think that authorisation had already been given.
Doris, however, said in interview that she didn't think there was any problem with the discs leaving the site, although the junior staff e-mails show that they were concerned. These discs were returned safely a month later.
October 2007 discs
The result of the March events was that a precedent had been set. When the Child Benefit Office was audited again, in October 2007, Doris told Lead Auditor that another SO in B&C, Charan, would be the main point of contact in this audit.
However, the data that was to be used was on the discs held by Claimant Compliance, and by this time they knew Lead Auditor and what he needed.
So Eduardo, a Grade 7 in CC, e-mailed Lead Auditor telling him when the next scan of the data would be available, and telling him to contact Jack, a lowly grade O in IMS, to sort out the details.
Lead Auditor, quite correctly, copied in Charan on the reply, saying that he would be in touch with Jack. That was the last e-mail on the subject that Charan received; he was not copied in on subsequent exchanges. In interview, Charan said that when he had seen the e-mail he thought 'good, Eduardo has sorted this one — job done'.
In due course, Lead Auditor rang Jack and asked for a copy of the discs. Jack challenged whether the NAO needed the full details and was told that they did, for continuity with the previous audit in March.
Jack asked for an e-mail, which duly arrived, requesting that the discs be sent to Another Auditor at the NAO's offices in Buckingham Gate.
After some failures in producing copies of the discs, Jack eventually sent the originals which had been used to load the data onto the stand-alone computer, because they were zipped with WinZip and had a (fairly simple) password encryption.
He put them into a Jiffy bag inside a yellow 'Tax Post' envelope, addressed to the NAO in Buckingham Gate on 18 October 2007. Tax Post is a TNT-outsourced delivery service for HMRC internal mail, but with no tracking.
The NAO address was not one of the addresses served by Tax Post, although TNT said it was an address which it had on record, and the discs should therefore have arrived.
However, they did not, or at least they were never found there. Lead Auditor rang Charan on 23 October (because Jack was away at a meeting) and was, according to Charan, 'angry (very direct and short)'.
At this point, all anyone seemed to be worrying about was that the loss of the discs meant that they could not complete the audit. A duplicate set of discs was couriered over on 25 October 2007.
While Poynter says that it was clear the loss of the discs had prompted concern among 'a number of the parties involved', it took until 8 November for a security incident to be raised.
As he says, 'one can only speculate about what might have happened if the failure of the discs to arrive as expected on 19 October had been raised immediately with senior officials'.
Data security
It is a feature of the report that some of the junior staff did raise questions and objections, whilst senior staff seem not to have picked up on the hints in the e-mails they were copied in on (for which the report largely exonerates them), and Doris was honestly, though wrongly, convinced that whatever NAO wanted NAO should have.
This included the most unfortunate character of all in the drama, Jack. Although he was the person who actually posted off the discs, he also raised even more objections than I have had space to list above.
The problem for all of them was that they were not aware of any procedures laid down for data security and transfer, and therefore were trying to make some up as they went along.
However, there were procedures laid down for just these situations, although they were not as clear as they could have been. Had Jack known where to find them, he might well have taken the issue higher before posting off the discs, and a lot of trouble might have been averted.
Since then, HMRC have radically overhauled their data security, and the upheaval of the past nine months will be so searingly etched on the mind of any current employee that it will be a long time before the corporate memory of it fades.
Rather like an airport in the immediate aftermath of a hijack, HMRC is currently probably one of the safest places in government for data.
Wider elements
So it is some of the wider elements of the Poynter review that I find more interesting. The first is that HMRC had 'an unsuitable organisation design with muddled accountabilities'.
The management structure for the merged HMRC was a 'so-called “constructive friction” matrix type', which shredded accountability. According to Poynter, what it needs is an old-fashioned hierarchical structure, so that everyone knows who is responsible and who they can escalate problems and queries to.
The combination of the data loss and the Capability Review conducted by the Cabinet Office has already led to changes, with four main lines of business, a corporate centre handling such functions as HR and IT, and a severe shake-up of the personnel on the ExCom managing board. Poynter recommends that they continue this process, and that they bring in outside expertise in particular to the corporate centre.
Next, Poynter notes that the information about 'customers' is held in silos, and that the transaction data are not separated from the customer records.
If I substitute, as I'm sure most of you would, the word 'taxpayer' for 'customer', he recommends that HMRC move towards a single taxpayer record model, which separates a taxpayer's details from the transactions that have happened with him or her.
Even more radically, he says that instead of HMRC maintaining the taxpayer records, the taxpayers should be asked to do it themselves — being given access to the records to say that they have moved house, moved job, changed bank etc. and to enter their new details. There are obvious security risks here, but Poynter argues that the result will be higher quality data.
Finally, he sees this as just part of a move away from HMRC communicating by paper to communicating electronically. Poynter recommends that this starts by HMRC communicating with agents by e-mail, but that it should move on to e-mailing individual taxpayers in due course.
More paper records should be digitised instead of being archived, and physical media should no longer be used to transfer data within the department, the one exception being backup tapes.
New direction
This is a radical and far-reaching set of proposals from what looked like a much more limited, though highly damaging, incident. Alarm bells will no doubt be ringing in some readers' ears — won't the access to customer records give even more opportunity for fraud?
What about the fraudulent e-mails already being circulated inviting people to apply for their 'tax refund' — won't problems like that only increase?
But the direction in which Kieran Poynter is pushing HMRC is at least a genuinely modern and twenty-first century one.