Independent report into loss of data related to child benefit by the Independent Police Complaints Commission (IPCC)
Reading the IPCC report into the HMRC data loss is like reading one of Shakespeare's tragedies.
When you start watching Romeo and Juliet you already know that the couple will end up dead in each other's arms.
When you start reading the IPCC report you already know that on 18 October 2007 an HMRC official (Employee J) in Washington, Tyne and Wear, will place two password-protected but unencrypted disks into a yellow transit envelope addressed to an auditor at the National Audit Office, London. The disks will contain the names, addresses and bank account details of 7.5 million child benefit recipients. He will say the words 'It's gone now' as he places the envelope into an out tray, but the envelope will never reach its destination.
The IPCC report gives you a blow-by-blow account of the minor errors of judgement and misunderstandings that led up to the loss. The deeper, fundamental causes of the loss are dealt with in the Poynter Review. The drama of the IPCC report stems from the contrast between the triviality of the errors of judgement and the enormity of the loss itself, and from the genuine anguish that it caused officials. The IPCC found no evidence of deliberate neglect or disregard for the law, or for internal HMRC policy, by officials.
The report illustrates perfectly the point that every time personal data is copied from one system to another it increases the risk of personal data loss.
HMRC had very robust controls in place to limit the circumstances in which HMRC Business Units could obtain copies of data from the main child benefit database. The child benefit database was based in Long Benton, Tyne and Wear, and operated by a contractor (EDS). To obtain a data scan from the database a Business Unit had to fill out a 'URAC' form, specifying what data they wanted copies of and why. The form had to be costed, approved and signed off by the Information Management Solutions Business Unit (IMS).
But there were no similar controls in place to govern what a Business Unit did with that data once they had obtained it.
Every six months HMRC's Claimant Compliance Business Unit followed the URAC form procedure to order a full scan of the records of every child benefit recipient, which they used to draw a random sample of cases to investigate for fraud. The data scan was sent to Claimant Compliance on unencrypted disks. Claimant Compliance then loaded the data from the disks onto a stand-alone computer in a secure room.
In the spring of 2007 a National Audit Office auditor asked his contact at HMRC (a junior official anonymised as 'Employee D' in the report) for a scan of all new and completed child benefit cases, so that the external auditors could draw their own sample of child benefit cases to inform their audit.
Employee D worked in the Benefits and Credits Business Unit. She decided not to go through the formal URAC procedure (which could take weeks or months and incur a cost of several thousand pounds). Instead she asked Claimant Compliance Business Unit for a copy of their latest routine six monthly scan.
In March 2007 the disks containing a six-monthly scan of the entire child benefit database were handed over to the auditor in person, when he visited on site. He returned them safely several days later. In the autumn of 2007 the auditor made a similar request for a similar sample of data. This time he was not due to visit the site and asked for the disks to be sent to him (the file was too big to be sent electronically over the government secure intranet). The official in IMS (Employee J) who put the disks into the transit envelope was not accustomed to sending physical media in the post. He mistakenly believed that the postal system he was using was a tracked courier system with an audit trail of packages. The package did not reach the auditor and could not be traced once the loss of data was reported.
Key contributory factors to the data loss included:
- The option to reduce the data scan so that the auditor only got the data he needed was not taken up. The data in the Compliance scan was far more detailed than the auditor required. He didn't need or want the most sensitive data: bank account details and home addresses. Providing this data breached the third principle of the Data Protection Act (that data should be relevant and not excessive for the purpose for which it is required), and massively increased the adverse impact of the data loss. The auditor had asked for the data to be removed. His contact at HMRC (Employee D) was concerned about the cost and time implications of filtering the data, and advised the auditor to discuss his needs with officials from HMRC's Knowledge, Analysis and Intelligence Business Unit at his forthcoming meeting with them. The discussion never took place. During the investigation into the data loss it transpired that software existed on the Compliance Directorate's stand-alone computer that could have filtered out the unwanted data without cost.
- It was not clear who was responsible for authorising the sending of the disks to the auditor. At various points in the e-mail correspondence that preceded the (successful) transfer of disks to the NAO in March 2007, colleagues in both Compliance Directorate (the directorate that possessed the data scan) and IMS (the directorate that had obtained the data scan for Compliance Directorate) expressed concerns about the amount of data that was proposed to be sent to the NAO. But neither directorate knew which of them was responsible for deciding whether or not the data was released. These concerns were never escalated to a responsible officer or senior manager for a decision to be made. The IPCC's interviews and forensic examination of the e-mail boxes of the officials involved show that no senior manager knew at any stage that this amount of data was due to go off site. The March 2007 transfer passed off without incident, but it set the precedent for a similar but failed transfer in October 2007.
- The relevant data protection and information security policies were insufficiently visible and insufficiently specific. None of the officials involved in sending the data were aware of the content or whereabouts of the relevant information security and data protection policies. Information security policies were stored on the intranet and were difficult to find. HMRC did have a policy on sharing information with the National Audit Office, and it stated that transfers of data to the NAO should be 'cleared with a senior manager'. If officials had been aware of this and followed it, it might have prevented the data loss. However, the policy was insufficiently specific: it did not identify which senior manager should authorise the transfer, nor by what procedure the authorisation should be sought and recorded.
- The protective marking allocated to the information on the disks meant that the disks were not required to be encrypted. When EDS produced the disks of the data scan for the Claimant Compliance Directorate the data received the protective marking 'Restricted'. It was these disks that would later be sent on to the National Audit Office. Information in the 'Restricted' category was not required to be encrypted when communicated electronically. This is not a weakness unique to HMRC; it highlights a weakness in the Government's Protective Marking Scheme that guides all Government departments in how to handle sensitive information. The Marking Scheme had not taken into account the fact that when large amounts of personal data are aggregated in one place the impact of any loss is magnified. The Cabinet Office's Data Handling Review has addressed this issue by creating a new protective marking specifically for large aggregations of personal data.
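The first and second factors above come down to two missing controls: nobody minimised the extract to the fields the auditor actually needed, and nobody recorded what was sent, to whom, and under whose authority. The following is an added illustration, not code from the IPCC report, HMRC or the NAO, of what a minimal "prepare for transfer" step looks like: an allow-list of requested fields, sensitive fields withheld unless explicitly justified, a row filter for the case statuses requested, and a manifest carrying a record count and a SHA-256 digest so that the sender has an audit record and the recipient can confirm what arrived. The field names, the `SENSITIVE_FIELDS` classification and the sample records are all constructed for the example. Note that the manifest is an integrity and audit measure only; it does nothing to protect confidentiality of the media in transit, which is the separate encryption question raised in the third factor.

```python
import csv
import hashlib
import io

# Constructed sample records standing in for the full six-monthly scan the post
# describes (names, addresses, bank details). Every value here is made up.
FULL_SCAN = [
    {"claim_id": "C001", "name": "A. Example", "address": "1 Test Street",
     "sort_code": "00-00-00", "account": "00000001", "status": "new"},
    {"claim_id": "C002", "name": "B. Example", "address": "2 Test Street",
     "sort_code": "00-00-00", "account": "00000002", "status": "completed"},
    {"claim_id": "C003", "name": "C. Example", "address": "3 Test Street",
     "sort_code": "00-00-00", "account": "00000003", "status": "open"},
]

# Hypothetical classification: the fields whose loss would do the most harm.
SENSITIVE_FIELDS = {"name", "address", "sort_code", "account"}


def minimise(records, requested_fields, statuses=None, justified_sensitive=()):
    """Return the smallest extract that satisfies a request.

    Keeps only rows whose status is in `statuses` (None means all rows) and
    only the columns named in `requested_fields`. Sensitive columns are
    withheld unless each one is explicitly listed in `justified_sensitive`.
    Returns (rows, withheld_fields) so the sender can record what was dropped.
    """
    kept = [f for f in requested_fields
            if f not in SENSITIVE_FIELDS or f in justified_sensitive]
    withheld = [f for f in requested_fields if f not in kept]
    rows = [{f: r[f] for f in kept}
            for r in records
            if statuses is None or r["status"] in statuses]
    return rows, withheld


def to_csv_bytes(rows, fields):
    """Serialise the minimised rows as UTF-8 CSV with a fixed column order."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fields), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue().encode("utf-8")


def prepare_transfer(records, requested_fields, recipient,
                     statuses=None, justified_sensitive=()):
    """Build the payload plus a manifest that documents the transfer.

    The manifest is the audit record the post says was missing: what was
    sent, what was deliberately withheld, how many records, and a digest the
    recipient can check. It does not encrypt anything.
    """
    rows, withheld = minimise(records, requested_fields, statuses,
                              justified_sensitive)
    fields = [f for f in requested_fields if f not in withheld]
    payload = to_csv_bytes(rows, fields)
    manifest = {
        "recipient": recipient,
        "fields": fields,
        "withheld_fields": withheld,
        "record_count": len(rows),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    return payload, manifest


def verify(payload, manifest):
    """Recipient-side check that the received bytes match the manifest."""
    return hashlib.sha256(payload).hexdigest() == manifest["sha256"]


if __name__ == "__main__":
    # The auditor in the post wanted new and completed cases and did not want
    # bank details; this request asks for 'account' anyway and has it withheld.
    payload, manifest = prepare_transfer(
        FULL_SCAN, ["claim_id", "status", "account"],
        recipient="NAO auditor (placeholder)", statuses={"new", "completed"})
    print(payload.decode())
    print(manifest)
    print("verified:", verify(payload, manifest))
```

The point of returning `withheld_fields` alongside the payload is that the decision to drop bank details becomes a recorded fact rather than something left to an unanswered e-mail; a request that genuinely needs a sensitive field has to say so through `justified_sensitive`, which is where a senior-manager sign-off would attach.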
The element that gives the report its drama is the e-mail trail that leads up to the data loss. The report illustrates the disadvantages of e-mail when it comes to making decisions that require input from different people at different stages. People appear on the address lines of e-mails, only to drop off those address lines as the plot unfolds.
- The senior manager with ultimate responsibility for the NAO audits of Child Benefit was copied into an initial e-mail indicating that a small sample of data would be sent to the auditor at the NAO in March 2007. He was not copied into any e-mails thereafter as the data transfer escalated to a full download of all records on the Child Benefit database.
- The e-mail trail immediately preceding the data loss in October 2007 resembled an electronic version of pass the parcel. The NAO's auditor asked his new main point of contact at HMRC (Employee C) for a copy of a data scan similar to the one he had used in March. Employee C passed him on to Employee E in Claimant Compliance Directorate because they held the data scan. Employee E referred the auditor by e-mail to Employee J at Information Management Solutions. Employee E told the IPCC that he made the referral because he felt that IMS was the directorate best placed to provide or refuse authorisation for the disks to be sent. But Employee J in Information Management Solutions interpreted the e-mail as constituting authorisation from Claimant Compliance for the disks to be sent. So he obtained the disks and sent them. No one had consciously made a decision on whether or not to authorise the sharing of the data or the posting of the disks. No discussion had taken place; instead an e-mail trail with attendant misreadings and blind spots had led to a disastrous loss.
The Information Commissioner Richard Thomas and Mark Walport state in their Data Handling Review that there was no problem with HMRC sharing the personal data of benefit recipients with the National Audit Office for the purpose of informing its audit. The problem was the unnecessarily large amount of data shared, and the insecure methods used to share it. They describe the HMRC loss as a 'multiple-systemic failure': failure across a range of fronts, including cultural (low priority given to data security), technological (insecure data storage and transfer methods) and procedural (lack of appropriate authorisations and failure to use data redaction methods to minimise the data shared).
The diverse nature of these failings, and the fact that they were by no means unique to HMRC, has resulted in the wide scope of the Government's response to the loss. The Cabinet Office's set of minimum measures that central Government departments must put in place when handling large aggregations of personal data includes measures to address issues of culture, responsibility, training and technology.
James Lappin