Glyn sez, "The Open Rights Group has done a summary of the official explanation of how it was possible for a junior official for Her Majesty's Revenue and Customs to lose discs containing records for 25 million individuals and 7.25 million families in the post. From this report it's clear that information security was not seen as a priority at HMRC."
The data loss incident arose following a sequence of communications failures between junior HMRC officials and between them and the National Audit Office ("NAO"). The loss was entirely avoidable and the fact that it could happen points to serious institutional deficiencies at HMRC.
The two major institutional deficiencies from which many of the more detailed issues flow were:
- Information security simply wasn't a management priority as it should have been, and
- HMRC had an organisational design which was unnecessarily complex and, crucially, did not clearly focus on management accountability
HMRC has significantly reduced the risk of further data loss since the incident. However, when there are so many islands of information and so many data transfers going on, and while simple guidance is not available to staff, further data loss nonetheless remains a distinct possibility and more needs to be done. Investment will be required to continue the reduction of risk to an acceptably low level, although the review process is identifying data transfer practices which can simply be stopped at no significant cost.