

25 Jun 2008 : Column 287

HMRC

12.32 pm

The Chancellor of the Exchequer (Mr. Alistair Darling): With your permission, Mr. Speaker, I would like to make a statement on the final report by Kieran Poynter, chairman of PricewaterhouseCoopers, into the loss of child benefit records at Her Majesty’s Revenue and Customs last year. I should also tell the House that the Independent Police Complaints Commission, which conducted its own investigation of the loss, is publishing its report today. The IPCC found no evidence of misconduct or criminality by any member of staff at HMRC. The Cabinet Secretary has also published today his wider cross-Government work to improve data handling. Both the Poynter and IPCC reports are available in the Vote Office and will be placed in the Library of the House. I am grateful to Kieran Poynter and his team and to the IPCC for their extensive work. Both have provided a very full and detailed account of what happened.

Improving information security is a challenge that every organisation is facing. In recent years, we have seen problems in both the public and private sectors as organisations struggle to keep pace with the development of technology in data storage and transfer. The public are entitled to expect Government Departments to ensure that their personal details are kept safe and it is therefore essential that we do everything we can to minimise the chances of this sort of loss happening again.

I deliberately gave Mr Poynter wide-ranging terms of reference, not just because of the seriousness of this loss but because, as I said in my statement on 20 November, I was concerned about previous losses of data by HMRC. In my statements to the House on 20 November and 17 December last year, I set out the circumstances surrounding the events that led to the loss of the child benefit data and the immediate action taken. My priorities then were to locate the missing discs and to ensure that adequate safeguards were in place to monitor the bank and building society accounts of those who could have been affected.

Despite extensive searches by Revenue and Customs and the police, the discs have not been found, but I can tell the House that I am advised that there is no evidence of any fraudulent activity as a result of the loss. Revenue and Customs took a series of immediate steps at that time, including a complete ban on the transfer of bulk data without adequate security protection, measures to prevent the downloading of data without the necessary safeguards and the immediate disabling of the ability to download data from all desktop and laptop computers within the organisation.

Kieran Poynter’s report is in two parts. The first part deals with the circumstances giving rise to the loss, and the second part deals with his wider findings and recommendations. He examined in detail the circumstances surrounding the earlier transfer of data in March 2007, to which I referred in my statements in the House. He found that in March, because the Revenue and Customs staff then involved were unaware of the relevant guidance, which in itself lacked clarity, they did not escalate the request to the appropriate level of seniority before releasing data to the National Audit Office. As a result, no senior Revenue and Customs official was asked to permit the NAO to take the data off-site to conduct its analysis, and no such official knew that this was envisaged.



Mr. Poynter has concluded that these events in March last year created a precedent that allowed a similar transfer to take place in October without the appropriate level of authorisation or adequate consideration of the security risks of releasing such a large amount of personal information. He says that senior managers were unaware that the data had been moved from Revenue and Customs premises in March and October until the loss of data was subsequently reported to them. He concludes that the data loss incident arose following a sequence of communications failures between junior HMRC officials and between them and the National Audit Office. However, he finds that the loss was entirely avoidable and that the fact that it could have happened points to serious institutional deficiencies at Her Majesty’s Revenue and Customs. First, information security was not the management priority that it should have been. Secondly, management structures and governance were unnecessarily complex and did not establish clear lines of accountability. Moreover, he points to a lack of clarity in communications and the failure to involve senior HMRC staff as being contributing factors in both cases. Mr. Poynter makes it clear in his report that both those failings have now been addressed. He acknowledges the progress that the department has made since last November.

Revenue and Customs is a complex organisation, operating from some 900 sites and sending out more than 300 million items of mail a year. Against this background, Mr. Poynter sets out the action that has been taken to make information security a priority. That includes the appointment of a chief risk officer; new, clearer security guidance; and a wide-ranging programme of training to raise awareness of security issues among staff. He also sets out the action that has been taken to simplify management structures and governance. He acknowledges the new organisational structure as a positive step forward.

Mr. Poynter’s team has worked closely with Revenue and Customs, particularly the teams that process large volumes of personal data or provide corporate services such as IT. By providing detailed recommendations to the organisation as its work progressed, rather than leaving them to the final report, the review team has been able to support Revenue and Customs and help it to make good progress in implementing its recommendations. However, Mr. Poynter states that

In all, he makes 45 recommendations, all of which have been accepted. Revenue and Customs has made good progress on 39 of the recommendations, including 13 that have been fully implemented, and work is continuing on the remaining recommendations.

Mr. Poynter also makes a number of recommendations on the way in which Revenue and Customs operates and the fragmentation and complexity of its IT systems. The organisation is already addressing these issues and will spend £155 million on improving data security over the next three years. The 45 recommendations, when fully implemented, will reduce the risk of a serious breach in the future and ensure that HMRC achieves the highest standards of information security.

Kieran Poynter states that the decision to merge the Inland Revenue and HM Customs and Excise was the right one, but he says that the management structure
subsequently adopted was not suitable—exactly the same failing as was identified in the capability review carried out by an independent panel overseen by the Cabinet Secretary and published last December. In acknowledging the significant changes that the organisation has undergone, Mr. Poynter judges that

In order to build from that platform, the management need to continue to address the issues highlighted by Mr. Poynter in his wider review and the capability review. In particular, Revenue and Customs’ security procedures must be improved to ensure that information security is a management priority and, importantly, management must raise staff morale. Mr. Poynter acknowledges the new organisational structure put in place earlier this year as a crucial step and makes recommendations to develop it further. He concludes that his findings represent an opportunity to modernise work practices and systems, which will make the organisation more efficient, as well as rebuild its reputation for data security.

I am grateful to Dave Hartnett, the acting chairman who has overseen these improvements and has led the organisation through a difficult time. Yesterday, Mike Clasper, who has considerable business experience, was appointed as chairman of Her Majesty’s Revenue and Customs, and he and Dave Hartnett have made it clear that the implementation of the Poynter recommendations and, crucially, the importance of information security will be priorities. The Information Commissioner, who has been kept informed since the outset, has indicated that this review has investigated all the facts and issues with which he needs to be concerned, and he fully supports all of Kieran Poynter’s recommendations. The Information Commissioner proposes to serve the appropriate enforcement notice on Her Majesty’s Revenue and Customs under the Data Protection Act 1998.

It is quite clear that the loss was entirely avoidable, and again, I apologise unreservedly to everyone who has been affected. HMRC employs tens of thousands of people who work hard and who are dedicated to providing an excellent service to the public. The staff are entitled to expect clarity about how they discharge their duties. The public are entitled to expect that their privacy is respected and that the security of highly personal information is the highest priority. It is essential that we now implement these recommendations, and I commend this statement to the House.

Mr. George Osborne (Tatton) (Con): Let us remember that the first duty of any Government is to protect the security of its citizens, and that this Government breached that duty when they lost the names and addresses of every child in the country and the bank account details of 10 million parents. We thank Kieran Poynter and the Independent Police Complaints Commission for their work—they certainly do not pull any punches. They offer a truly devastating account of incompetence and systemic failure at the heart of this Government, which is a guide on how not to govern this country.

So the first question we ask today is: who is responsible? Last November, the Chancellor stood at the Dispatch Box and said that the fault lay with what he called “a junior official” who acted



The Prime Minister repeated the charge, and his spokesman said that

How can those statements, one of which was to the House of Commons, possibly be reconciled with today’s reports? Page 7 of the Poynter report says that the review team

As the Chancellor has just conceded, the IPCC says that there is

Both reports clearly say that the data loss was symptomatic of a wider problem and list a catalogue of systemic failures. Has not the ignoble attempt by the Chancellor and the Prime Minister to pile the blame for their administrative failures on a single junior official at HMRC been comprehensively blown out of the water today?

The second question I have for the Chancellor is: who allowed one of the largest Departments in Government to develop a culture, in which, to quote from the reports—I could give many more quotes, but I shall give these—morale is “low”, communication is poor, staff are denied

there is

the management structure adopted is not suitable, there are serious questions of governance and accountability and the whole department displays a “muddle through ethos”?

Who is actually responsible for this? This is not some obscure Government agency on the fringes of Whitehall; it is one of the largest Departments of Government that holds the personal data and intimate financial details of every single citizen in the country. The Chancellor himself admits that the Department he runs has serious institutional deficiencies. So can he tell us—do not worry, no one’s listening—who he thinks is responsible? Could it possibly be the person, who for 10 years—longer than anyone else in modern history—ran this Department? Could it be the person who is now the Prime Minister, who created this new Department and did not put in place adequate management structures, as identified in the report? Will the Chancellor firmly place the blame on the Minister responsible—the man who is now the Prime Minister?

Thirdly and finally, how can we have any confidence that there will be no repeat of this breach of security? The Chancellor talks about the 39 recommendations that are being implemented in his Department, and he says that he accepts them all. Could he tell us about the six that are not currently being implemented, but were recommended in the report, and which he says will be implemented, so we can hold him to account? Does he remember the Prime Minister promising at the time of the data loss seven months ago that every Department and agency would follow proper procedure from then on in protecting personal data? Will he confirm that, since the Prime Minister made that promise, 12 major
breaches of security have occurred across Whitehall, 3 million driving licence details were lost in December, 168,000 confidential NHS records on children were lost at Christmas, a laptop containing the names and passport numbers of 600,000 military recruits was stolen from the boot of a car in January, secret papers on terrorism were left on a train not once, but twice—all capped this month by the revelation that a Cabinet Minister had broken Cabinet rules and left her laptop, which contained sensitive files and should never have been taken out of Whitehall, in a constituency office?

If we add it all up, we find that the Government have lost 37 million items of personal data in the past year alone. With such a record, how can they even consider proceeding with plans for a compulsory ID card for every citizen of the country? Will the Chancellor at least live up to his previous view on ID cards and confirm that they have been abandoned today?

After a year in office—it is the Chancellor’s anniversary, too—briefed against by Downing street, tipped for the sack by his colleagues, the Chancellor’s only achievement is to be regarded as more incompetent than the man planning to sack him. Last autumn, he blamed a junior official for his fate. Today, the review that he establishes blames the culture of the Department that he runs and that the Prime Minister created. Does not that give us a damning insight into the Government’s culture? They are cavalier with their citizens’ privacy, casual with the public’s security and wholly incompetent in handling even the basic functions of the state.

Mr. Darling: I appreciate that the hon. Member for Tatton (Mr. Osborne) probably has not had time to read the report from cover to cover, but if he looks at the back, he will realise that it sets out the 45 recommendations and shows those that have been implemented, those that are under way and those that need further consideration.

On the hon. Gentleman’s comments about the junior official, it was he who tried to suggest that it was all the fault of one individual in an article—I believe in The Sunday Telegraph—after I made my main statement in November. I set out the facts as I had been told them. I stand by what I said at that time, as I made clear subsequently, and nothing in the report contradicts those facts. Indeed, if the hon. Gentleman cares to read the report, he will see that it makes it clear that the discussions about whether to release the information in March and again in November took place among junior staff and the matter was not elevated to the senior civil service as it should have been.

The report also states—here the hon. Gentleman has a better point—that the management should have ensured that the staff knew the rules. The Poynter report makes it clear that, as I said in November, there were rules in place to prevent such disclosure, but the staff were not properly made aware of them. The failure was that the management did not have clear lines of accountability—the complex system of management installed after the merger was not suitable, as Poynter states. The review finds substantial failings on the part of the senior management in not ensuring that their junior staff understood the procedures. In particular, it finds that, first, when the request came in to transfer so much information, it
should have been cleared by a member of the senior civil service, and secondly that it was possible to have transferred the data far more securely because secure methods were available. Thirdly, the amount of information could have been reduced to the minimum required by the National Audit Office; in other words, not all the details needed to be transferred.

The hon. Gentleman is right—I agree with him and the report’s conclusions—that there were serious failings in HMRC’s operation. I asked Kieran Poynter to examine what was going on because I was worried that the incident was not the only one that I had to tackle. In my then short time as Chancellor, I had already come across two other serious incidents. I asked Kieran Poynter to investigate because it was clear to me that other matters needed to be examined, as the report reveals today.

The hon. Gentleman then asked what measures had been taken. I have set out, as has the Poynter report, a number of the measures that have been taken, but he is quite right about another matter. Across government—indeed not just in the public sector, but in the private sector—people have failed to come to terms with the implications of the fact that vast amounts of information are now stored electronically and can be transferred at the touch of a button. The security systems and precautionary measures that should be in place were not in place in that case; indeed, there are many other organisations where I suspect they are not in place either. People must understand that we live in a changed world. We need to change the way in which we operate, both in Her Majesty’s Revenue and Customs and elsewhere. I am determined to ensure that that happens.

John McFall (West Dunbartonshire) (Lab/Co-op): I welcome the Poynter statement, which confirms the earlier, tentative conclusions of the Select Committee on Treasury that what happened was entirely avoidable and that communication between junior HMRC staff and senior managers was non-existent. Can the Chancellor assure us that HMRC is not a dysfunctional Department, as was suggested in some earlier Committee hearings? Indeed, that is an issue that we will take up with the new chief executive, Mike Clasper, whose appointment I welcome. Can the Chancellor also put the public’s mind at rest by confirming that information security will now be a priority not only for HMRC, but across all Departments?

Mr. Darling: On that point, no one who is responsible for running any organisation—Revenue and Customs or any other organisation that holds highly sensitive information—should be in any doubt that individual security must be their No. 1 priority. I am glad that my right hon. Friend welcomes the appointment of Mike Clasper, who has considerable business experience. He is determined to ensure under his chairmanship the security of people’s personal information. The hon. Member for Tatton (Mr. Osborne) was quite right: every one of us deals with HMRC at some stage of our lives, if not throughout our lives. It is essential that people understand that the information that they handle is highly personal and highly sensitive, and must be treated with the care that that entails.

