Ministers ‘not to blame’ for security breach
The personal details of up to 25 million people have been lost in the post, the chancellor confirmed today.
Alistair Darling told MPs this afternoon the records of 25 million individuals and 7.5 million families – including names, addresses, dates of birth, child benefit numbers, national insurance numbers and bank and building societies – have gone missing en route to the National Audit Office (NAO).
The chairman of HM Revenue and Customs (HMRC), Paul Gray, has already resigned over what has been described as a major breach of security and privacy.
Mr Darling insisted ministers did not need to be held accountable over the security breach, arguing responsibility for data protection resides with HMRC.
HMRC and Mr Darling maintain there is no evidence the information has fallen into the wrong hands but admit they have no idea where the discs containing the data are – despite extensive searches by HMRC and the Metropolitan police.
In his statement to MPs Mr Darling confirmed that not only had the data been lost in the post, but it should never have been sent to the NAO in the first place.
The chancellor said the decision to dispatch the data, which was stored on two computer discs, was taken at a junior level.
Procedures have since been tightened to ensure all sensitive information can only be sent with the written authorisation of a senior manager.
The NAO lodged a request for information from HMRC’s child benefit database in October.
Mr Darling confirmed a full copy of HMRC’s entire data on child benefit cases was dispatched on two password-protected discs, in violation of HMRC’s standing procedures. These were handled by the courier TNT and not sent by recorded or registered post.
This data did not arrive at the NAO, prompting the same junior official to dispatch a second copy of the data, this time by registered post.
“However, again HMRC should never have let this happen,” Mr Darling said.
The discs were dispatched to NAO on October 18th but HMRC’s senior management was not informed until November 8th, nearly three weeks later.
The chancellor was informed of the breach on November 10th and ordered comprehensive searches for the discs. By November 14th, Mr Darling had ordered the Metropolitan police to carry out comprehensive searches.
Although the data has not been found, Mr Darling maintained no households are at risk.
Banks and building societies have been alerted to the affected accounts and say no unusual activity has been identified.
The Conservatives nevertheless accused the government of breaching its duty of protection to 25 million people.
Shadow chancellor George Osborne said the “catastrophic mistake” would leave half the country very anxious about their security and the whole country wondering how the breach was allowed to happen.
The government’s failure to maintain data security undermined the government’s case for ID cards, he added.
In a second challenging day for the chancellor, Mr Osborne challenged Mr Darling to “get a grip and deliver a basic level of competence”.
Acting Liberal Democrat leader Vince Cable said the Treasury had replaced the Home Office as the government department that is unfit for purpose.
He asked why HMRC was still reliant on “museum pieces,” raising questions over whether the department’s IT system must be replaced.
Mr Gray confirmed his resignation today in a letter to HMRC staff.
The FDA union, which represents professional civil servants, said Mr Gray’s decision to resign was proof of his “high level of personal integrity”.
The FDA said a “serious operational error” had taken place and accepted Mr Gray’s judgment that accountability rests with him.
An independent investigation will be conducted by the Independent Police Complaints Commission.