| Previous Section | Index | Home Page |
I want to ensure, as I know Mike Clasper and Dave Hartnett, the acting chairman of HMRC, do, that the culture changes and, crucially, that the changes that they have made in management, so that it is now clear
who is accountable for each line of business, mean that we can reduce the risks that were endemic in the management culture that was put in place after the merger of the two institutions, but which was patently not suitable for the tasks that it had to face.
Dr. Vincent Cable (Twickenham) (LD): To date, the semantics of incompetence have been reasonably clear. We have had “systemic failure”, which is the responsibility of Ministers, and “procedural failure”, which is the failure of individual officials. We now have something new called “cultural failure”, which is an all-pervasive management mess for which everybody is to blame, but no individual is responsible. Can the Chancellor therefore go back to the question that the Conservative spokesman fairly asked him at the outset: which individuals now carry responsibility, beyond Mr. Gray, who left voluntarily with a golden goodbye?
Is not the Conservative spokesman right that the responsibility indeed lies with the current Prime Minister, albeit for one specific decision that he made? That was the decision to remove 24,000 staff at the Inland Revenue, the consequence of which is that it is now hopelessly ill equipped to handle the growing complexity of the tax system and tax credits. There has been a breakdown in face-to-face relationships, particularly with small businesses, and the institution is hopelessly understaffed to cope with the complexities of tax avoidance and evasion, which are happening on a large scale in the City and among the rich of this country.
Specifically on data security, what lessons have been learned, when we discover from the Information Commissioner that there have been no fewer than 100 breaches of data security since last November? Is there not a growing diversity of data breach, involving not merely CDs, but memory sticks, laptops and paper files, and a growing variety of places where these things are lost, including on trains, in backs of cars and in bars? As has already been said, the issue is the integrity not simply of the ID system, but of any centralised Government database of the kind that has been accumulated, for example, under the NHS scheme.
What lessons have been learned about basic management efficiencies last November, when the Select Committee on Public Accounts published a report only a month ago saying that the Inland Revenue had lost £2.8 billion of revenue as a result of false reporting by taxpayers, which it is unwilling or unable to follow up? What lessons have been learned about the Inland Revenue’s IT system, when only a few weeks ago the Economic Secretary to the Treasury had to report a programme failure, such that 100,000 poor people were not receiving their payments under the trust scheme?
My final point is this. There are very few private sector companies that are as managerially inefficient as HMRC, but there are some. One of them is BAA, a private monopoly whose reputation for consumer service is legendary in the worst possible way. Is there not an irony in the fact that the failed chief executive of that appalling company is now being appointed as the chairman of HMRC?
Mr. Darling:
The hon. Gentleman raised a number of sensible points, but the last one was not particularly sensible. Mike Clasper actually left BAA when it was
taken over by Ferrovial in 2006, and some of the difficulties that have arisen happened rather more recently than that.
The hon. Gentleman raised a number of points, but I should like to deal first with his one about cost. Rather like the shadow Chancellor, the hon. Gentleman will not have had a chance to read the report, but he might want to look at chapter IX, in which Mr. Poynter says:
“It should be noted...that my team did not find any evidence of cost efficiency in the form of headcount reduction adding to information security risk.”
Mr. Poynter then makes the point that there are a number of people who are surplus to what will be required, but still on the payroll, and they could help with the work. The hon. Gentleman’s first point is therefore rather contradicted by what Kieran Poynter found. The hon. Gentleman would have had a better point if he had raised questions about staff morale, which is clearly a problem. However, Kieran Poynter draws attention to the fact that Dave Hartnett, the acting chairman, has gone to considerable trouble over the past six months to meet staff up and down the country. I believe that management are now focused on the need to ensure that they take staff with them.
The hon. Gentleman then raised a number of other matters. He is right that the Information Commissioner has had reported to him a number—about 150, not 100—of cases since November, but they have been in both the public and private sectors. That brings me back to the first point that I made in my statement, as well as to the general point that Mr. Poynter made, which is that there is a generalised problem, in that people have not woken up to the fact that procedures that might have been appropriate when everything was stored on paper files are inappropriate and not robust enough for when information is stored electronically. To put it bluntly, if someone had asked for the records of 25 million child benefit recipients 20 years ago, they could not have had them transferred. We can now do that at the touch of a button. That is why the culture needs to change.
Similarly, in relation to people taking laptops home, which is commonplace in the public and private sectors—my right hon. Friend the Secretary of State for Defence has issued a written statement today on the problems that the Ministry of Defence experienced last autumn—we need to ensure that people realise the nature of what they are carrying. If they are carrying sensitive material, they have to ask themselves whether it is necessary to do so. If it is, they must ensure adequate safeguards and encryption, to ensure that if something goes wrong, no one can access that information. All those things are highlighted in the Poynter report, including areas where HMRC could be more efficient, which the hon. Gentleman mentioned. He drew attention to the fact that changing the IT systems would not only make the system more secure, but help provide the public with a better service.
Andrew Miller (Ellesmere Port and Neston) (Lab):
Will my right hon. Friend expand a little on what he said about training? There is a cultural problem in many large organisations in both the public and private sectors, whereby people’s understanding of the nature, scale and importance of data today has become weak, as he said. As I understand it, all 90,000 HMRC employees are to undergo a training programme. Will that be a rolling
programme, and will the fact that members of staff have undertaken that training be transparent among them, so that there can be an incentive inside the organisation? If he can demonstrate best practice, will he ensure that it is shared across Departments, so that we can extend the work arising from Poynter’s recommendations to all Departments in this vital area?
Mr. Darling: My hon. Friend identifies a key point, to which Kieran Poynter attaches importance. Poynter makes the point that in his own organisation, PricewaterhouseCoopers, it is necessary for employees to go through training not just initially, but regularly, so that they are kept up to date. That is mandatory—it is part of the requirements—and the same culture and approach need to be applied in Revenue and Customs. Although in this case a great deal of discussion took place at junior level and guidance and procedures were in place, the problem was that management should have ensured that the staff concerned actually knew that they should do some things and not do other things. Ultimately, the management are responsible for that.
The hon. Member for Twickenham (Dr. Cable) asked who runs Revenue and Customs. A board is established to run it; it is detached from Ministers, for the very good reason that Ministers should not be involved in people’s tax affairs. The importance of the issue is recognised by Dave Hartnett, who has done an excellent job over the rather difficult period of the last six months, and Mike Clasper, who will be bringing in a lot of expertise from outside. They will make a big difference. My hon. Friend the Member for Ellesmere Port and Neston (Andrew Miller) is absolutely right about the importance of training, awareness of the rules and awareness of what people are actually handling, which I have mentioned time and again. It is not just a CD, because a small CD may contain the intimate details of a large section of the population. People need to remember that.
Mr. Edward Leigh (Gainsborough) (Con): On 17 December, the Chancellor of the Exchequer told me, as recorded in Hansard at columns 619 and 620, that I was wrong in saying that a senior executive officer had refused the request of the National Audit Office to strip out personal details. Later that afternoon, in the Public Accounts Committee, Dave Hartnett, the acting chairman, confirmed that it was a senior executive officer—a senior officer in those terms—who had made that decision. Today, the Poynter report is published, and chapter IV.20 reads:
“Later on 12 March... EmployeeF forwarded EmployeeD’s email of 11.59am to... an Executive Officer in the IMS... Unit...copied to EmployeeC (a Senior Executive Officer in IMS), and EmployeeK (a Higher Executive officer in IMS).”
In other words, I was right to say on 17 December that this was copied to a senior executive officer. Will the Chancellor put the record straight?
Mr. Darling: No, the hon. Gentleman is not right. Perhaps I could refer him to part 1, chapter IV.5. Since he set so much store on what is said, I had better read it out to the whole House. As a prelude to explaining what happened in March and October, Poynter states:
“The staff grades of those aware of provision of the discs containing the CBCS data to the NAO include ‘Senior Officer’, ‘Manager’, ‘Higher Executive Officer’, and others which to the
uninformed reader may suggest a high level of seniority within HMRC. These are administrative grades and none of those aware of the situation were members of the Senior Civil Service within HMRC.”
As I have said throughout the process, I have set out the facts as I was told them. There is nothing in this report to contradict that at all. For obvious reasons, the hon. Gentleman has close relations with the National Audit Office, but he should also look at the exchanges that took place between the NAO and HMRC. The Poynter report refers to them in the next couple of paragraphs, where it says that a senior director of the NAO wrote to HMRC apologising for the fact that the procedures were not operated as they should have been. I have been at pains not to apportion blame to people where it is not justified. All I am saying to the hon. Gentleman is that there are lessons here to be learned for everyone. As to his first point, I said what I said, I stand by it and the paragraph I have cited rather bears it out.
Alun Michael (Cardiff, South and Penarth) (Lab/Co-op): It is impossible to exaggerate the importance of this statement and I welcome my right hon. Friend’s undertaking to act quickly and comprehensively. I also welcome the IPCC report, which will be of particular interest to the Select Committee on Justice. Does he accept that media comment often swings between two extremes, as does public sentiment? When there is a loss of data, it goes to the “Keep nothing and abandon identity cards” instinctive reaction, but when other events, such as the Soham murders, take place, it swings to the other extreme of “Keep everything and share everything”. Will my right hon. Friend reject both extremes? Does he agree that it is necessary to engender a culture of appropriate sharing of data and professional data management, and to engender such an environment from permanent secretary down to the newest recruit in every Department? Will he put across to permanent secretaries the message that what they need to engender is professionalism, not panic?
Mr. Darling: I agree with my right hon. Friend. It is a fact of life that many organisations hold substantial information on all of us, whether in the Government or the private sector. If we go into a supermarket with a supermarket card, that information is being held, and I understand that it can sometimes give a pretty comprehensive account of people’s lifestyles. We have to ensure that in the public or private sector, but particularly in government, where we have clear responsibility, everyone understands the importance of the information that they hold. They must realise that if the public impart information to the state either voluntarily or because they have to, they expect the highest possible standards in how it is looked after. My right hon. Friend is absolutely right: everyone needs to understand that, from the top to the bottom of every organisation.
Hywel Williams (Caernarfon) (PC): Clearly, centralisation of data processing and storage means that any loss, howsoever caused, is potentially catastrophic. Should not anyone concerned about data security react with dismay at HMRC’s current proposals further to centralise the service with the closure of local offices?
Mr. Darling: I am not aware of anything in the Poynter report to suggest that centralising offices would have any bearing whatever on the problem that arose here.
Mr. Gordon Prentice (Pendle) (Lab): Poynter recommends the appointment of a chief risk officer. How many risk officers are there in HMRC and are there not data protection officers in every civil service department? If so, were they not asleep in their job? As the hon. Member for Twickenham (Dr. Cable) asked, who is actually carrying the can? Has anyone been reprimanded, let alone disciplined?
Mr. Darling: On the last point, my hon. Friend will know that the then chairman of HMRC resigned last November. On chief risk officers, the point is that someone very senior in the organisation needs to be responsible for making sure that risks are addressed. As to the exact number of people responsible, I shall write to my hon. Friend because I do not want to give him a wrong figure. He is basically making the same point as everyone else: in every organisation, people need to be acutely aware of the sensitivity of the information handled and to ensure that it is handled properly and that the safeguards are as strong as they possibly can be.
Tim Farron (Westmorland and Lonsdale) (LD): Does the Chancellor of the Exchequer think that the culture of HMRC offices is improved by threats to close them? Does he accept that plans to close the excellent tax office in Kendal, for example, are demoralising staff and will reduce the ability of HMRC to bring in revenue? Will he commit to call off the planned closures, which would only exacerbate the problems identified in the report?
Mr. Darling: I perfectly well understand that when there is any proposal to reorganise or close offices, it is not a happy time for the staff concerned and the management need to do their best to try to address that. I have to say to the hon. Gentleman, however—I appreciate that he may not want to impart this to his own constituents—that every organisation must from time to time look at how it is organised and see whether it can be more efficient and provide a better service. We can always argue about whether a specific proposal achieves that, but to argue that there should never be any change is not a credible position. As I said to the hon. Member for Caernarfon (Hywel Williams), who represents a different party, there is absolutely nothing in the report to suggest that anything in the current reorganisations has had anything whatever to do with the difficulties mentioned in it.
Peter Bottomley (Worthing, West) (Con): May I say to the Chancellor that he should speak for himself rather than delegates? Will he tell us how many people have been chairmen or acting chairmen of HMRC during its existence? I put it to him that, despite all the problems highlighted by my hon. Friend the shadow Chancellor, there are hundreds of thousands of people in the civil service who are well trained and well led, and who carry out their job with great dedication. For all the attention that we are rightly giving today to the problems illustrated by the report, their work should be honoured, and many of us think that senior executive officers and higher executive officers are rather senior positions.
Mr. Darling:
As Poynter says, an uninformed reader might reach that conclusion. He therefore explains the difference between junior and senior civil servants. I do not want to embark on a lecture on grades, because it
would probably not be appropriate, but I will say—this relates to the hon. Gentleman’s more general point, and also to a point that I made in my statement—that more than 80,000 people work for Her Majesty's Revenue and Customs, providing an excellent service and aspiring to do the very best that they can. Those people are entitled to ensure that their employers, their management, give them the guidance and training that they need in order to do their jobs properly.
I do not think that anyone would want to be in the position in which some officials found themselves. Poynter has discovered serious failings, which are being addressed. Constant vigilance is needed to ensure that this sort of thing does not happen again. There are always risks, but those risks need to be managed.
As for the hon. Gentleman’s first point, of course it is my duty to report to the House. I am ultimately responsible for this matter, and I have always accepted that.
Chris Mole (Ipswich) (Lab): My right hon. Friend will want the House to know that other Departments have already taken action. On the day when I visited my local Crown Prosecution Service office, laptops were being taken in and out while they were fitted with encryption software. There as elsewhere—as many Members have pointed out—the question is how to focus the minds of those handling data on the need to treat it with sensitivity. Does my right hon. Friend think that the time has come to impose, across Government, a severe penalty for misuse of or inappropriate access to data, similar to the penalty contained in the Identity Cards Act 2006 to protect the national identity register?
Mr. Darling: As I said in my statement, Sir Gus O’Donnell, the Cabinet Secretary, published his conclusions today following an examination of practice across Government, with new rules and procedures, but disciplinary procedures already exist. A recent case in which material was left on a train by an official in the Treasury has been dealt with through the Department’s normal procedures.
That returns me to a point that I made earlier. Twenty years ago, people did not have laptops to take home. It must be understood that a comparatively small laptop can contain confidential information affecting thousands if not millions of individuals. People must change their whole approach: they must ask “Do I need to take this thing home”—or wherever—“and if I do, what safeguards exist?” If we can change the culture so that security is first and foremost in people’s minds, that will go a long way towards dealing with some of the problems that we face,
Greg Clark (Tunbridge Wells) (Con): The extraordinary thing about the Chancellor’s statement is that not once did he mention the role of Ministers, although the Cabinet Office rules are clear: Ministers are ultimately responsible for the production and enforcement of those rules. How can we have any confidence in the reforms that the Chancellor proposes if he seeks to blame the management culture, but also seeks to avoid any steps that would tackle the culture of mismanagement and carelessness among Ministers?
Mr. Darling:
I am not sure that the hon. Gentleman was present for most of the statement, but if he was, he will know that I made clear who was ultimately responsible for these matters, and also made clear the need to
ensure that management are in place who can run the organisation efficiently and effectively, with security at the very front of their minds. The Poynter recommendations will allow us to do that, and I want to ensure that it happens.
Julia Goldsworthy (Falmouth and Camborne) (LD): The Chancellor has acknowledged the dangers surrounding the ability to hold large numbers of electronic records in one place, but does not data security also relate to paper records? Head count reductions do not merely generate efficiency, but result in the holding of large numbers of records centrally. For example, records on small businesses that are currently held in my local tax office in Redruth are all to be moved to Peterborough, and all opening and sorting of mail will also be centralised. Will that not result in more paper records flying around in the post, not fewer, and should not HMRC be considering the issue as part of its wider data protection considerations?
Mr. Darling: Not necessarily. I agree with the hon. Lady that if records are taken from her constituency to any other location they need to be carried securely, but I disagree with the argument underlying the point made by her and by the hon. Member for Westmorland and Lonsdale (Tim Farron). It cannot possibly be argued that structures can never change. I know it can be uncomfortable when local offices close—we have all had that experience from time to time—but the way in which HMRC is currently organised, with several hundred sites, needs to be examined.
The crucial point is that, whether information is transmitted physically in files or electronically, we must ensure that security is at the forefront of our minds.
Mr. Ben Wallace (Lancaster and Wyre) (Con): According to section 4.2 of the Manual of Protective Security,
| Next Section | Index | Home Page |