Rob Buckley – Freelance Journalist and Editor

Moving on from the 2007 data loss by HMRC

The loss in 2007 by Her Majesty's Revenue and Customs of 25 million people's details was a major warning to the public sector. Rob Buckley says that the private sector should also take heed


Thanks to Her Majesty's Revenue and Customs (HMRC), the final months of 2007 were a wake-up call for more or less everybody in information assurance (IA), but particularly those in the public sector. The HMRC's headline-making loss of 25 million people's personal information was a worst-case scenario that many UK security officers were glad hadn't happened to them. Since then, government departments – and HMRC – have tightened up information security, but questions remain: how are they doing it, are the chances of such an event happening again truly a thing of the past – and is there anything that the private sector can learn from what has been done?

The HMRC's big data loss wasn't the first that year. In October, a laptop containing 400 customers' names and addresses was stolen from the car of an HMRC employee. With such a relatively small number of customers involved, few people were concerned. It was something that could happen to more or less any organisation, wasn't it? In fact, HMRC was praised for coming clean.

By November, however, the scale of HMRC's IA problem became clearer as it admitted it had lost pension records for 15,000 people, which were put on a CD and sent, possibly unencrypted, by courier to Standard Life's Edinburgh HQ.

HMRC had little time to apologise, let alone examine what had gone wrong, before an incident that had happened in October finally hit the headlines in November. It made all other data losses in the UK pale into insignificance: 25 million names, addresses and bank account details went astray after courier company TNT lost the CDs – unrecorded and unregistered – containing the information. Even worse, HMRC compounded the offence by again sending two unencrypted disks with 25 million names later in October, although this time the package was registered and arrived safely.

The Government's response was to get Kieran Poynter, then chairman of PricewaterhouseCoopers, to investigate the loss and to recommend ways of changing data-handling procedures to prevent similar losses occurring. No fewer than five reports into data security and assurance – including Poynter's – were published in the following years: Poynter's in June 2008; the Independent Police Complaints Commission (IPCC) 2010 report into the HMRC incident; cabinet secretary Gus O'Donnell's 2008 report into government information security; Information Assurance Advisory Council chairman Sir Edmund Burton's 2008 report into the loss of the MoD laptop; and ex-Information Commissioner Richard Thomas and Wellcome Trust director Mark Walport's 2009 report for the Ministry of Justice on data sharing and data protection.

Poynter concluded that the loss was “entirely avoidable” and said the incident showed “serious institutional deficiencies at HMRC”, while the IPCC report said “staff found themselves working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data appropriately. While an ongoing review of data procedures was being conducted within HMRC at the time of these events, it had not been finalised. Had this internal review received a higher priority, this incident may have been avoided.”

HMRC clearly wasn't alone in worrying about how it was dealing with information assurance. The Cabinet Office had been pushing for greater priority for IA for a number of years. It had created internally a Central Sponsor for Information Assurance (CSIA) in 2003 to direct information assurance across government, guided by a National Strategy for Information Assurance (NSIA), which was updated in 2007. There were good information assurance standards, IA1 and IA2, dating back to 2005, that were more or less identical to ISO 27001.

However, there was little impetus to follow these standards. There were also problems with their implementation. Peter McAllister, who leads the ‘Close in Government’ cyber security practice at HP's Vistorm, was one of the people who helped revise the NSIA with the Cabinet Office and GCHQ's IA agency, CESG. He says people within the civil service had been pushing for greater awareness of data security among different departments and agencies, but had been unable to get the necessary backing for it to be taken seriously.

James Nunn-Price, associate partner and public sector security lead at consultancy Deloitte, says the problem was “you needed a doctorate to understand” IA1 and IA2. The result was that very few people on the ground understood what was needed, and even those in charge of security had problems. McAllister adds that the “security manual was classified and some who needed to access it couldn't”. The guidelines had also been very “tick box”, he adds, with users having to state whether they had complied with a procedure or not, without any real understanding.

However, says McAllister, the HMRC incident “helped people who wanted to move things along”. What Poynter and the other reviews instigated was a more centralised approach to government security. O'Donnell's report introduced mandatory minimum security measures across government when handling personal data, including encryption and compulsory testing by independent experts of the resilience of systems. Among requirements O'Donnell laid down are: mandatory annual training of civil servants dealing with personal data; standardisation of data security roles within departments, to ensure clear lines of responsibility; departments to report on their performance under the scrutiny of the National Audit Office; and the right of the Information Commissioner to perform spot checks.
