Previous Section Back to Table of Contents Lords Hansard Home Page



25 Jun 2008 : Column 1440

Let no one believe that the Prime Minister just appointed an outside expert and left him to it. That is not the Prime Minister’s style. He would have known in detail what was being done to the organisation and approved of it. He might not have understood its disastrous consequences, but he must have known about it. Through a strategic job move, the Prime Minister may cleverly have escaped paying the price for the systemic failure that he helped to create and, certainly as Chancellor, oversaw. In another era, he would not have escaped. Ministers have resigned for much less in previous regimes.

The report makes distressing reading. The HMRC officials involved were spun as being junior officials but, in fact, they are the grades that form the backbone of the Civil Service. The report finds that they did not know, understand or follow laid-down procedures and did not prioritise data security. They were not trained and the policies were opaque.

Have any of the staff involved in the data loss been disciplined or dismissed? I note that several immunities were for some reason granted to some unspecified individuals. I am not asking for personal details; I am merely asking for the overall picture. If the report is right that those individuals were muddling through in an environment where doing the right thing happened more by luck than judgment, it might then be right that no action should be taken against the individuals.

The chairman of HMRC resigned last November, but he left on feather-bedded terms, so his departure does not really count. However, if no one else in HMRC has taken the blame and the Prime Minister has not accepted responsibility, absolutely no one is carrying the can. It simply cannot be right that the slate is wiped clean by this report.

We are being invited to accept that a contrite and reformed HRMC will not make the same mistakes again, but is the statutory framework robust enough? The Government fought off our amendments to the 2005 Act that created HMRC. Will they now undertake to review the statutory framework?

The problem is not confined to HMRC. Since the previous government Statement, we have had many more data losses, including secret terrorism papers left on a train. Even a Cabinet Minister cared so little for the rules that she took a laptop containing classified information to her constituency. The Government have forfeited the trust of the public in relation to data security.

Will the Government now call a halt to the identity card project? It should not proceed until there is complete assurance about citizens’ data. The national children’s database, which will contain sensitive information about some of the most vulnerable in our society, carries exactly the same dangers. So, too, does the NHS spine. If it eventually works, and if the Government compulsorily upload patient data from GPs, they will at a stroke expose the most intimate details about individuals to major security risks. All these projects should be put on hold until the public can be confident that they can be operated securely.

The Statement referred to something published today by the Cabinet Secretary on cross-government work to improve data handling. I checked the Cabinet Office

25 Jun 2008 : Column 1441

website at lunchtime but could find no trace of this document. Since I have been unable to find out what the document says, will the Minister say whether that, too, contains further embarrassing confirmations that government departments cannot be trusted with citizens’ data?

I have one final question for the Minister. Appendix A of the report, which describes Mr Poynter’s terms of reference, states:

This extraordinary exclusion was not made plain when the terms of reference for the report were published last year and has not, I believe, been made plain in any other way. Can the Minister say why the Poynter review was constrained in this way? More important, who is looking at whether HMRC has misused data that it holds? Losing the data of 2.5 million people was bad enough, but the misuse of data belonging to a single individual would be even more reprehensible. Can the Minister assure us that this stone will not be left unturned?

3.50 pm

Lord Newby: My Lords, I, too, thank the Minister for repeating the Statement and for bringing the Poynter review to the House. The report is the most extraordinarily damning indictment of the management of HMRC that one could wish to read. I will repeat just the three principal criticisms. The Statement says that,

and there was,

in all the cases that were looked at. The incident that spurred this inquiry was simply an accident waiting to happen. It is not just a question of technical management issues. It goes to the whole ethos of the way in which this huge department works and its attitudes towards individuals’ personal data.

When we were considering the Bill that merged the two departments, we received an extraordinary letter from the late Lord Callaghan. He described how, as a young boy, he joined the Inland Revenue. On his first day, he appeared before a large man, with a large beard, who made him swear an oath that he would secure, to the best of his abilities, all personal data that came into his possession. He was made to swear that it would not get into the public domain or into anyone’s hands, as indeed it should not. Yet one of the many damning statements in this document is that there is no mandatory induction briefing on data management for people entering HMRC; at least I assume that that is the case, as the report urges that such mandatory briefings should be given.

There has been a long period during which data protection and data management have slipped down the agenda in the two departments. This may have been exacerbated by their merger but I do not think

25 Jun 2008 : Column 1442

that it was caused by it. We cannot simply blame the staff; Ministers must also take some of the blame. I cannot see anything in the report to suggest, for example, that Ministers experienced or expressed any concern, at any point, about attitudes towards data security and the methods of storing data and communicating them within HMRC.

If what Mr Poynter calls the “transformation”—it is a wonderful word in respect of these matters—takes place, he claims that the following benefits will ensue: improved efficiency; improved tax yield; better customer service; and a higher level of staff satisfaction. If this is the case, as seems plausible, why did no Minister or senior member of staff at HMRC seem to have any awareness of these pretty substantial and obvious benefits of managing data differently? If they were aware of them, why did they not do anything about them?

On the point made by the noble Baroness, Lady Noakes, has anybody taken personal responsibility for any of this mess whatever? Has anybody resigned or been disciplined? Or was the malaise so widespread that everybody—Ministers and civil servants—was equally to blame?

An interesting side issue discussed in the report is the way in which HMRC communicates to taxpayers. The report deals with the problem that HMRC has not really come to grips with the digital age. It points out that the volume of paper issued by HMRC is almost unbelievably large. It says, for example, that each business gets on average 68 mailings per year—as a small businessman, I can assure noble Lords that it certainly feels like that. Nearly all these mailings could easily be dealt with in an e-mail rather than on paper. The fact that HMRC is still thinking in terms of paper for communicating with individual taxpayers and businesses shows a cast of mind that has not moved on to take account of modern circumstances.

The report says, in respect of this, that legislation may be needed to allow HMRC to specify how customers exchange data with it. Although the Government have apparently accepted all the recommendations, for some reason this is not a recommendation; it does not appear in the table at the end of the report. Can the Minister say whether the Government agree that there would be benefits if HMRC started communicating with taxpayers in a modern way? Do they think that legislation as Mr Poynter suggested might be needed to enable them to specify that it does that? If so, can they give us an indication of when such legislation might be forthcoming?

This report deals entirely with HMRC, as does the Minister’s Statement. When we discussed this previously, in the immediate aftermath of the data loss, there was much discussion of what was happening elsewhere in government. From the report and the Statement, we are completely unclear on how far the lessons that Mr Poynter has drawn have been accepted across government, as opposed to just within HMRC, and what is being done about them. As the noble Baroness said, recent examples suggest that the attitude towards data in HMRC, which has clearly been most careless, extends across government and certainly to Ministers and their private offices. What actions will flow to try

25 Jun 2008 : Column 1443

to ensure that the slack ethos around data, which is clearly evidenced across government, not just in HMRC, will now be tackled?

Finally, to end where the noble Baroness ended, will the Government now accept that the country has no faith in them to introduce large-scale new systems that involve individual citizens having data kept and transferred electronically by a Government whose track record in this area is so absolutely woeful?

3.57 pm

Lord McKenzie of Luton: My Lords, I thank noble Lords for their contributions. I shall try to deal with each of the questions raised. The noble Baroness asked why it took so long for the report to be finalised. I think that she acknowledged that it was delivered within the timeframe within which it was promised. It seems important, given the issues at stake here, that we had a thorough report rather than a rushed report that did not deal fully with all the issues. We make no apologies for that.

I guess that we had the inevitable political point-scoring about why Ministers have not taken responsibility for all of this, a matter that the noble Lord, Lord Newby, touched on as well. It is because HMRC is operationally independent of Ministers. It is established by statute and run by a chairman and commissioners, who are responsible for its operations but answerable to Parliament through the Chancellor of the Exchequer. Moreover, somebody did resign over it—the previous chairman, Paul Gray, the man at the top of the organisation.

The noble Baroness referred to the merged organisation as a “monster”. I remind her that the Poynter report made it clear that the merger was not a contributory factor to this; indeed, with other developments, it was seen as a good platform from which to build an efficient and effective operation. I might also just remind her that in 2000, when the merger took place, the opposition parties—including the noble Baroness herself, I understand—did not oppose the merger.

Baroness Noakes: My Lords, throughout the consideration of the Bill we warned of the dangers that would come from merging these organisations. The danger may have come from a source that we did not imagine, but we knew that the Government were doing a very dangerous thing. I will not accept that we simply agreed with the proposal.

Lord McKenzie of Luton: My Lords, I accept that issues around data security in the legislation were dealt with by opposition parties, but, at the end of the day, the noble Baroness did not oppose the merger of these two organisations.

The noble Baroness asked about the wider capability review around government and the Cabinet Office data-handling review. This has looked across government and the review was published today. I shall ensure that she and the noble Lord, Lord Newby, get a copy. One is available in the Library. The review was commissioned by the Prime Minister and sets out the wide range of actions that have already been put in place to improve data security. It outlines what will be done to strengthen policies further by building on existing momentum. The changes announced fall into four groups: core

25 Jun 2008 : Column 1444

measures around mandatory minimum measures being put in place; a culture change; all civil servants dealing with personal data undergoing mandatory annual training; and stronger accountability and increased scrutiny.

The noble Baroness predictably referred to ID cards. The national identity register will be protected to the same level as some military databases. Only a very small number of officials managing the register will have full access to it. There is a much longer answer to that point, but this report should not be used as an opportunity to seek to undermine ID cards. She asked about the misuse of data. As I understand it, Kieran Poynter chose to exclude data misuse, which was not the cause of the data loss. HMRC has strong safeguards against wrongful use of its data enshrined in law and treats any misuse as gross misconduct. Nevertheless, the safeguards recommended by Mr Poynter will also strengthen this aspect of the department’s procedures.

The noble Lord, Lord Newby, asked about HMRC letters and whether more should not be sent by e-mail. Open internet e-mail is less secure than post sent through the Royal Mail. E-mail is not a secure form of communication and therefore not particularly suitable for sensitive information. He referred to the remarks of Lord Callaghan when he joined the Inland Revenue. Section 3 of the Commissioners for Revenue and Customs Act requires a formal signed declaration from all people joining HMRC. This has been in place from day one of the creation of HMRC on 18 April 2005.

The noble Baroness asked whether major IT projects introduced new security risks. Uploading data to new IT systems can make them more secure. We are discussing the inappropriate downloading or transmission of data.

The Cabinet Office report was put on to the website at 12.30 today and, as I said, is available in the House Library. Ed Miliband issued a Written Statement earlier, which can be made available to noble Lords.

I believe that I have dealt with the points that were raised but I emphasise that this is a serious matter. The report is effective. I emphasise that the Government have accepted all its recommendations and have made good progress in implementing some of them. The noble Baroness asked whether there had been misuse of data and whether individuals are to be prosecuted. The IPCC report made it clear that no criminal activity or misconduct had been identified that would generate disciplinary action.

4.05 pm

Lord Barnett: My Lords, my noble friend is right: it is indeed a serious matter. One of the more moderate points made in the report was that HMRC is a complex organisation. That is putting it mildly. It is equally disturbing to read that it is going to take a lot longer to build a high-quality department.

We are in a different era of data protection management from when our late noble friend Lord Callaghan joined the Inland Revenue. Data protection would have been a problem whether the department had been merged or not. The report said that the merger was right. If it was right, what did we gain from it apart from the appalling management that it has been under? What

25 Jun 2008 : Column 1445

was the benefit? Were there major staff savings? Has the Minister got any figures for staff savings, which would have been a substantial benefit? I am not aware of any. My own experience was a long time ago, when I was responsible for the Revenue and for Customs for five years. In those days, data were at a very different level, and paper was still used. Now the department has merged, and we cannot go back and de-merge it, although I would have preferred the two separate departments. The only thing that they seem to have in common is that they both collect revenue. I cannot for the moment see why and how the merger was decided on. It is not my noble friend’s fault and I am not blaming him, but I would like to know if he has any information that might help us: are we eventually going to get a high-quality merged department and, if so, when?

Lord McKenzie of Luton: My Lords, on the question of whether the merger was right, as I said earlier, the Kieran Poynter report indicates that, together with other changes, it provides a good platform for building an efficient and effective organisation. I do not have available all the detailed thinking behind that merger, but some of it must be self-evident, as the noble Lord himself identified. The two departments were dealing with the same customers to a certain extent. There are overlapping issues around enforcement that might be dealt with more efficiently. It seems to me an entirely reasonable proposition. The merger was not identified by Kieran Poynter as the cause of this lack of focus on data security, but he clearly indicated that the merged organisation had serious institutional deficiencies that had to be corrected and are being corrected. In terms of savings, there has been a head-count reduction, but the report indicates that the head-count reduction was not a cause of data loss, although it identifies concerns about cost that may have driven some of the behaviours.

Lord Higgins: My Lords, will the noble Lord recognise that the Annunciator could scarcely have been less informative? It is not helpful to have a Statement simply entitled “HM Revenue and Customs”, when it covers an enormous range of subjects. If we are to have sensible reactions to Statements, we should have something a little more specific.

I do not think that any of us who have spoken to officials in the merged department could fail to understand the way in which morale has been adversely affected, when compared with the morale that existed in the two great departments of state with their historic traditions. My noble friend raised the question of who had been held accountable, and the noble Lord said that a senior official resigned. Was it clear at the time that the reason why he resigned was this sad series of events? Do we now have a new doctrine where the Minister concerned is accountable to the House but, if something goes wrong, he remains in office and the officials concerned resign? That seems different from the traditional way in which we have dealt with these matters.

It would seem from subsequent events that part of the problem is that officials and Ministers take home laptops and documents, and they are left around.

25 Jun 2008 : Column 1446

Should there be a complete ban, except in the most rigorously controlled circumstances, on any such work being taken home?

Lord McKenzie of Luton: My Lords, the noble Lord makes a fair point about how the Statement was described. I am not sure who undertakes the description, but it is a fair point.

The noble Lord touched on morale in the services. It is right that merging two big organisations that started off with distinct identities brings particular challenges that have not been met. The Poynter report makes that clear. That is one of the challenges in dealing with the recommendations. That touches on the same point as my noble friend made about the benefits of bringing all those departments together, which include efficiency in sharing back-office functions, effectiveness in joining up the collection of tax revenues and customer focus. We should not forget about the customers in all of this. There must be benefits from treating all customers’ tax affairs in one place.

The noble Lord asked about taking home laptops. This report was not occasioned by that point, but we need to make sure that people who have secure information on laptops and so on do not use them outside a secure area. That issue was picked up in the wider review undertaken by the Cabinet Office. I cannot do more than repeat what I said about responsibility: HMRC is operationally independent; it has a chair and the commissioners; and that is where responsibility properly lies.

Lord Burnett: My Lords, I had conduct of the merger of the two organisations in the other place. It was common ground between the two Opposition parties that we were extremely anxious that the Revenue culture should prevail, certainly on non-criminal matters. The Revenue culture was that security of personal information should have the highest priority. I look forward to hearing from the Minister what practical steps will be taken to restore that culture and ethos, which we all used to respect and have confidence in.

Lord McKenzie of Luton: My Lords, the noble Lord is right in focusing on that point. As the report says, there were serious institutional deficiencies. A key one was that information security was not a management priority. There is the whole range of the report’s recommendations—45 in all—all of which the Government have accepted. That will enable us to address the issues, but that issue is fundamental. The report also makes the point that, even if information security had been a management priority, the management structure then in place would not have been particularly helpful in making sure that that policy was implemented. The whole range of measures that are detailed in the report—some of which are already under way—will enable the information security issue to be re-established, so that trust can be maintained and built in HMRC’s handling of personal and confidential data.


Next Section Back to Table of Contents Lords Hansard Home Page