HMRC data release procedures
A systemic failure in data security management
An un-edited transcript of acting HMRC chairman Dave Hartnett’s evidence shows an organisation hidebound by procedures with no guiding principles informing general security behaviour.
In March the National Audit Office (NAO) requested full Child Benefit database information but filtered to remove unwanted personal identity information. The filtering was rejected on cost grounds and the full database sent to the NAO on CDs. In October the NAO repeated its request and the two CDs, holding 25 million personal identity information records were lost.
It is known that a junior official had full access to the database involved and was able to burn the contents in unencrypted fashion to CDs and send them though unregistered inter-office transfer by TNT.
There are five key questions:-
1. First, why should a junior official have full access to the database and why did the system allow unencrypted copying to CD?
2. How much would it have cost to filter the database files?
3. Why did HMRC processes allow this?
4. Why didn’t senior HMRC staff, knowing about this, stop it?
5. Has there been a systemic failure in HMRC?
Why should a junior official have full access to the database and why did the system allow unencrypted copying to CD?
Q356: I suppose one of the puzzles to anyone who knows anything about the systems is that it was actually technically possible to do this. … it should not have been possible for one individual member of staff to produce a file of this kind and despatch it; there should have been a built in bar in your system which required some sort of intervention to achieve that outcome. That has been a puzzle to me from the start. Can you throw any light on that?
Mr Hartnett: … it is a puzzle to me as well … The data that was in Waterview Park (where the CDS were burned) in the North East was drawn off from the child benefit computer system. That is in a different building … It was brought to Waterview Park and loaded up on to a secure, stand-alone desk-top computer in a secure environment… how on earth was it possible ever to draw down a full copy? At the moment I know it clearly was possible, but---
Q357: That is an issue of system design.
Mr Hartnett: Exactly; absolutely.
Q358: And also management disciplines imposed on that system design at the time someone conceded with the security requirements that should have been in place.
Mr Hartnett: Yes.
Q359: So it is not just some funny software engineer who did not quite do their job?
Mr Hartnett: No, it is a design issue.