20 Nov 2007 : Column 1101

HM Revenue and Customs

3.31 pm

The Chancellor of the Exchequer (Mr. Alistair Darling): With permission, Mr. Speaker, I should like to make a statement on the breach of procedures which led to personal data relating to child benefit from Her Majesty’s Revenue and Customs going missing.

I shall set out the nature of the data and the circumstances relating to how they went missing. However, it might be helpful to the House if I set out the background first. The National Audit Office, which is independent of Government but answerable to Parliament, has a right to ask for and access data from HMRC in discharging its compliance responsibilities.

In March, it appears that a junior official in HMRC provided the National Audit Office with a full copy of HMRC’s data in relation to the payment of child benefit. In doing so, the strict rules governing HMRC standing procedures were clearly not followed. Those procedures relate to the security of and access to data as well as their transit to ensure that they are properly protected. That information should not have been handed over by HMRC in the way that it was. However, I understand that in this case the NAO subsequently returned all the information that it received in March to HMRC after auditing it.

It now appears that, following a further request from the NAO in October for information from the child benefit database, again at a junior level and again contrary to all HMRC standing procedures, two password-protected discs containing a full copy of HMRC’s entire data in relation to the payment of child benefit were sent to the NAO, by HMRC’s internal post system operated by the courier TNT. The package was not recorded or registered. It appears that the data have failed to reach the addressee in the NAO.

I also have to tell the House that, on finding that the package had not arrived at the NAO, a further copy of those data was sent, this time by registered post, which did arrive at the NAO. However, again HMRC should never have let that happen. Although it is believed that the data were sent from HMRC to the NAO on 18 October, the fact that they did not arrive was not reported to HMRC’s senior management until 8 November, nearly three weeks later.

I was informed on Saturday 10 November and immediately instructed that comprehensive searches by customs officers be carried out on all premises where the missing data might be found. Those searches are continuing. I asked for an immediate investigation, which was initiated that weekend. I also insisted on immediate steps to prevent this from happening again. Action has been taken.

On Monday 12 November, HMRC informed me that evidence might have been found of the route taken by the data and that they were likely to be found. However, by Wednesday 14 November it was clear to me that the HMRC searches had failed to find them. I therefore instructed the chairman of HMRC to call in the Metropolitan police to conduct a full investigation, in order to find the missing package. That investigation is still under way. Our priority was and is to find the
data. Searches have been and continue to be carried out, including of HMRC and National Audit Office premises, and staff are being interviewed. So far, however, the missing data have not been found.

The police tell me that they have no reason to believe that these data have found their way into the wrong hands. The police are not aware of any evidence that they are being used for fraudulent purposes or criminal activity.

I will tell the House what is missing as a result of this extremely serious failure on the part of HMRC to protect sensitive personal data entrusted to it in breach of its own guidelines. In terms of protecting confidential data, Her Majesty’s Revenue and Customs is operationally independent of Ministers. It is established by statute and run by its chairman, Paul Gray, and a board of commissioners who are responsible for its operations but answerable to Parliament through me. Last week Paul Gray told me on his own initiative that given the seriousness of the operational failing he should resign. He has now confirmed that intention, and I am grateful to him for his contribution to the work of government, in HM Treasury, the Department for Work and Pensions and then HMRC.

The missing information contains details of all child benefit recipients: records for 25 million individuals and 7.25 million families. Those records include the recipient and their children’s names, addresses and dates of birth, child benefit numbers, national insurance numbers and, where relevant, bank or building society account details. I regard this as an extremely serious failure by HMRC in its responsibilities to the public.

In making this statement today, I have had to balance the imperative of informing the House and the public at the earliest opportunity with ensuring that when I did so the appropriate safeguards were in place to protect the public, including in relation to bank accounts. Indeed, the banks were adamant that they wanted as much time as possible to prepare for this announcement. I discussed the issue with the Information Commissioner on Thursday, who agreed that appropriate remedial action needed to be taken before a public statement was made. This action has now been taken. I have also sought the advice of both the Financial Services Authority and the Serious Organised Crime Agency, and other Departments have also been made aware of the issue.

Let me set out what we have done. First, the UK Payments Association, the British Bankers Association and the Building Societies Association have been informed, and through them HMRC informed individual banks and other financial institutions, including building societies and post offices, of affected accounts. Secondly, individual institutions are flagging those accounts, which enables them continually to monitor for irregular activity. They tell me that so far they have found no evidence of such activity. Thirdly, individual institutions are also tracking back and analysing transactions on affected accounts to 18 October. Again, they have so far found no evidence of unusual activity. They will continue to monitor those accounts, so that if there is any suspicious activity, action can immediately be taken. Fourthly, if someone is an innocent victim of fraud as a result of this incident, people can be assured that they have protection under the banking code, so that they will not suffer any financial loss as a result.

The UK Payments Association has confirmed that it is confident that every action has been taken by the banking industry to minimise the risk of any fraud. It has also confirmed that the missing data are not enough in themselves for someone to access a person’s bank account for fraudulent purposes, as additional security information and passwords are always required. However, we have to recognise the increased risk caused by these missing data. People will therefore want to monitor their accounts and guard against any unusual activity. The advice of banks is that there is no need for customers to ask for a new account or to contact their bank or building society. However, they should do what they should be doing in any event: checking their bank statements to keep a close eye on their account for any unusual activity; contacting their bank or building society immediately if they see anything in their statement that concerns them; and not giving out personal or account details requested unexpectedly by phone or e-mail. I reiterate that the banks have made it clear that individuals will not have to pay out for any loss in the event that they become the innocent victims of fraudulent activity. I can tell the House that child benefit payments will continue to be paid as before.

There are already clear HMRC standing procedures, which appear to have been broken. HMRC has initiated changes to security processes and procedures, so they will now take place only with written authorisation from a senior manager and with appropriate protection for any transfer.

The police investigation continues, although there is also likely to be an inquiry into the missing data by the Independent Police Complaints Commission, which has responsibility for monitoring Her Majesty’s Revenue and Customs. I have kept the Information Commissioner informed. It is highly likely that there have been breaches of the Data Protection Act, which the commissioner will investigate.

The Government take the protection of personal data, in whatever form, extremely seriously and have therefore put in place and are strengthening rights and safeguards on the use and handling of such data. The Data Protection Act sets out the framework enforced by the Information Commissioner and the courts. Departments have specific controls on information sharing and duties of confidentiality that are being enhanced by amending the Data Protection Act to guard against misuse and provide further information to citizens about the information that the Government hold.

Last month the Prime Minister asked the Information Commissioner, Professor Mark Walport, director of the Wellcome Trust, to carry out a review of the framework in the United Kingdom to ensure the security of personal data. That review will look at Government Departments and other organisations. I can also tell the House that the Comptroller and Auditor General, Sir John Bourn, has said that the National Audit Office will also review its own procedures for requesting data to confirm that they remain in line with best practice, and will apply any lessons arising.

In addition, the House will be aware of other data security breaches by HMRC—including, at the end of September, the loss of records of around 15,000 people in transit by HMRC’s external courier and, in the same
month, the loss of a laptop and other material containing personal details relating to HMRC customers. I have therefore asked Kieran Poynter, chair of PricewaterhouseCoopers, to investigate HMRC’s security processes and procedures for data handling. I have asked for an interim report next month and a full report in the spring. That review will be conducted in consultation with the Independent Police Complaints Commission and a full report will be made available to the Information Commissioner.

I express my gratitude to the Metropolitan police for its investigation, to the Information Commissioner for his advice and to the banks for their co-operation in working with the Government in taking steps to protect the public. The House will understand that because the investigation is continuing I am not yet in a position to give a full account of what has happened but I will continue to keep the House informed.

This is an extremely serious matter. HMRC has a responsibility towards the general public, who entrust it with highly sensitive personal information. It has failed to meet the high standards that should be expected of it. I recognise that millions of people across the country will be very concerned about what has happened. I deeply regret that and apologise for the anxiety that will undoubtedly be caused.

But let me reiterate: there is no evidence that these data have reached the wrong hands and no evidence of fraud or criminal activity; banks and building societies are putting in place safeguards to protect people’s accounts; banks and building societies will continue to monitor those accounts; and no one will suffer any loss if they are innocent victims of fraud. I will, of course, keep the House updated of any further developments. I commend the statement to the House.

Mr. George Osborne (Tatton) (Con): The Prime Minister says that the first duty of Government is the protection of the citizen, and today we discover from the Chancellor that the Government are responsible for breaching that duty of protection to 25 million citizens. Let us be clear about the scale of this catastrophic mistake: the names, the addresses and the dates of birth of every child in the country are sitting on two computer discs that are apparently lost in the post; and the bank account details and national insurance numbers of 10 million parents, guardians and carers have gone missing. Half the country will be very anxious about the safety of their family and the security of their bank accounts, and the whole country will be wondering how on earth the Government allowed this to happen.

The Chancellor has to answer the most serious questions. On the question of safety, what contingency plans have been drawn up with the police lest it become clear that millions of personal details have fallen into the wrong hands? On the question of financial security, I understand what the Chancellor said about the precautionary measures taken by the banks this weekend, and I agree with him that people need not contact their banks, but since he has asked millions of people to monitor their accounts, many may well do so. What steps have been taken by the Treasury, the Bank of England and the Financial Services Authority to prepare for any potential financial instability?

If fraud does occur—and of course it is good to hear that there is no evidence of that at present—where will
the liability for any losses rest? The Chancellor said at the end of his statement that people would not lose out. Does that mean that the responsibility now rests with the Government, and, in effect, is the Chancellor now offering another general guarantee to depositors and people with bank accounts?

On the question of how this extraordinary security breach could ever have happened, what is the point of the House passing laws to protect the privacy of people’s personal information if those laws are not even enforced at the heart of Government? As the Chancellor himself said, this is the third, and by far and away the most serious breach by Her Majesty’s Revenue and Customs this year. In August, a laptop containing the personal details of 400 taxpayers was stolen after being left in a car overnight, and 15,000 people’s details were lost. [Hon. Members: “He said that.”] He did say it, and it is worth reminding ourselves why there has been a catalogue of mistakes at Her Majesty’s Revenue and Customs. When did the Chancellor first become aware that the security protocols in his own Department were absolutely worthless, and what did he do about it?

We know that it was about 21 days before the breach in security was brought to the Chancellor’s attention—incidentally, two days after it was brought to the attention of senior management in Her Majesty’s Revenue and Customs. Why did the Chancellor then wait for four days before contacting the police? Does he remember just who has been running the Inland Revenue for the last 10 years? The Prime Minister. Can he tell us when he told the Prime Minister about this fiasco?

Finally, there is the issue of how we stop this from ever happening again. I welcome the inquiries that are under way, but can the Chancellor confirm that the police are investigating not just the individual responsible for sending the discs, but those above that individual who are responsible for ensuring that the law is properly enforced in Her Majesty’s Revenue and Customs? Does he agree that today must mark the final blow to the Government’s ambition to create a national ID card? They simply cannot be trusted with people’s personal information.

Since he came to office less than six months ago, the Chancellor has lurched from one crisis to another. Now his Department has compromised the security and safety of every family in the land. This autumn, the Prime Minister said he had shown that the Government could be competent, and now needed to set out his vision. There are 25 million people whose personal details have been lost by this Government. Never mind the lack of vision; just get a grip, and deliver a basic level of competence.

Mr. Darling: I think the whole House will agree that the way in which this was handled was inexcusable. HM Revenue and Customs has well laid down and established procedures which were breached, and which there is no excuse whatsoever for breaching. As I told the House, it is a matter of extreme regret that so many people will be caused anxiety as a result of what happened.

There are two points. First, the police investigation is continuing, and as we ascertain more about what happened, we will be able to learn lessons for the
future. Secondly, the hon. Gentleman asked what was being done in the meantime. Senior management have instructed that no information is to be downloaded from computers in this way without the authority of a very senior member of the Revenue and Customs, and that in the event that it proves necessary to make that information available to other people, the procedures will be tightened up.

It is obvious to me from the information that I have that in the event of the NAO’s wishing to audit a large amount of information of this kind, procedures will provide for the NAO to go to where the information was stored rather than its being transmitted. The senior management have tightened up on those procedures so that this does not happen again, but we will obviously want to learn from the conclusions of the inquiry that I have asked Kieran Poynter to carry out.

The hon. Gentleman asked some specific questions. First, as I have said, the banks have put in place all the precautions they think they can reasonably put in place to guard against any unusual activity. I repeat that neither the police nor the banks have any evidence to suggest that the information has fallen into the wrong hands or that it is being used for fraudulent or other criminal purposes. The hon. Gentleman asks what would happen if a particular set of circumstances were to arise. I hope that he realises that for obvious reasons the police do not particularly want me to speculate on what they might do in the event that they suspect a crime is taking place, but I can assure the House that the Metropolitan police is very aware of the risks and is addressing them.

The hon. Gentleman also asked specific questions about when I was told and what I did. As I said in my statement, I was told about this on the morning of 10 November and I instructed that there should be an immediate, thorough search by experienced, trained customs officers of every place where the discs might be found. That took place. I also asked that HMRC undertake a thorough investigation of what should happen. However, despite being told on Monday that there was every chance that we would be able to recover the disks—which would, of course, have been the preferable course of action—it was clear to me that that was not going to happen, which is why I asked the Metropolitan police to be called in.

There was one thing I was very conscious of, and it was why I took advice from the Information Commissioner: that before I made a public statement the House would expect me to do everything I reasonably could with the banks to put in place measures to protect the public. I am sorry if the hon. Gentleman disagrees with my judgment on that, but I think I had a duty to give the banks time to put in place the necessary protections, especially when I was advised that that was the right thing to do by the Information Commissioner and especially when I was told by the banks that they wanted as much notice as possible before this became public knowledge. The hon. Gentleman asked when I told the Prime Minister. Within about half an hour of my being told, I spoke to the Prime Minister. The two of us discussed what we ought to do, and I have kept him informed ever since.

The last point that the hon. Gentleman makes was in relation to identity cards. The key thing about identity cards is, of course, that they will mean that information
is protected by personal biometric information. The problem at present is that, because we do not have that protection, information is much more vulnerable than it should be.

In conclusion, as I have informed the House, this is a deeply regrettable incident that should never have happened, but I am now doing everything I possibly can to safeguard the public interest because that is the right thing to do.

Dr. Vincent Cable (Twickenham) (LD): I think I should thank the Chancellor for both his frankness and his apology, but is it not now the case that the Treasury has replaced the Home Office as the Department that is unfit for purpose, and also that he inherited from his predecessor systems of management that are totally dysfunctional?

On the specifics, how many unencrypted CDs are being posted around Government every year? Since this is the second case within the past few weeks of a CD being lost in the post—the other in relation to insurance data—what is the status of the comment made in respect of the loss of a CD in September by HMRC that it had
