Home

Newsroom & speeches

Economic data & tools

Consultation & legislation

Independent reviews

Enterprise & productivity

Financial services

International issues

Public private partnerships

Public spending & reporting

Tax work & welfare

UK economy

Budget

Pre-Budget Report

Spending Review

About us

Careers

Other HMT sites

Terms & conditions

20 November 2007

Statement to the House of Commons by Chancellor of the Exchequer, Alistair Darling, MP, on HMRC

Check against delivery

With your permission Mr Speaker I should like to make a statement on the breach of procedures which led to missing personal data relating to child benefit from Her Majesty's Revenue and Customs.

I shall set out the nature of the data and circumstances relating to how it went missing. However, it might be helpful to the House to set out the background before I do that.

The National Audit Office - which is independent of Government, but answerable to Parliament - has a right to ask for and access data from HMRC in discharging its compliance responsibilities.

In March of this year it appears that a junior official within HMRC provided the National Audit Office with a full copy of HMRC's data in relation to the payment of child benefit.

In doing so it is clear that the strict rules governing HMRC standing procedures were not followed. These procedures relate to the security and access to data as well as its transit to ensure that data is properly protected. This information should not have been handed over by HMRC in the way that it was. However, I understand that in this case the NAO subsequently returned all the information it received in March to HMRC after auditing it.

It now appears that following a further request from the NAO in October for information from the Child Benefit database, and again at a junior level and again contrary to all HMRC standing procedures, two password protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit was sent to the NAO, by HMRC's post system operated by the courier TNT. The package was not recorded or registered.

Mr Speaker, it appears the data has failed to reach the addressee in the NAO.

Mr Speaker, I also have to tell the House that on finding that the package had not arrived at the NAO, a further copy of this data was sent, this time by registered post, and which did arrive at the NAO. However, again HMRC should never have let this happen.

Although it is believed the data was sent from HMRC to the NAO on 18 October, the fact it did not arrive it was not reported to HMRC's senior management until 8 November, nearly 3 weeks later.

I was informed on Saturday 10 November and immediately instructed that comprehensive searches be carried out of all premises where the missing data might be found. These searches are continuing.

I asked for an immediate investigation. This was initiated that weekend.

And I also insisted on immediate steps to prevent this from happening again. Action has been taken.

On Monday 12 November HMRC informed me that evidence might have had been found of the route taken by the data and that the data was likely to be found.

However, by Wednesday 14 November it was clear to me that the HMRC searches had failed to find them. I therefore instructed the Chairman of HMRC to call in the Metropolitan Police to conduct a full investigation in order to find the missing package.

back to top

Mr Speaker, that investigation is still underway. Our priority was and is to find this data. Searches have been and continue to be carried out, including of HMRC and NAO premises. Staff are being interviewed. But so far the missing data has not been found.

The police tell me that they have no reason to believe that this data has found its way into the wrong hands. The police are not aware of any evidence that it has been used for fraudulent purposes or criminal activity.

Let me tell the House what is missing as a result of this extremely serious failure on the part of HMRC to protect sensitive personal data entrusted to it in breach of its own guidelines.

Mr Speaker, in terms of protecting confidential data Her Majesty's Revenue and Customs is operationally independent of Ministers. It is established by statute. It is run by its Chairman, Paul Gray, and a Board of Commissioners who are responsible for its operations, but answerable to Parliament through me.

Last week Paul Gray told me on his own initiative that, given the seriousness of the operational failing, he felt he should resign. He has now confirmed that intention. I am very grateful to Paul Gray for his contribution to the work of government in HM Treasury, DWP and HMRC.

The missing information contains details of all child benefit recipients: records for 25 million individuals and 7.25 million families. These records include the recipient and their children's names, addresses and dates of birth, it includes Child Benefit numbers, National Insurance Numbers, and, where relevant, bank or building society account details.

Mr Speaker, I regard this as an extremely serious failure by HMRC in their responsibility to the public.

In making this statement today, I have had to balance the imperative of informing the House and the public at the earliest opportunity, whilst at the same time ensuring that when I did so the appropriate safeguards were in place to protect the public, including in relation to bank accounts.

Indeed the banks were adamant that they wanted as much time as possible to prepare for this announcement.

I discussed this with the Information Commissioner on Thursday who agreed that appropriate remedial action needed to be taken before a public statement was made. That action has now been taken.

I have also sought the advice of the Financial Services Authority and Serious Organised Crime Agency. Other government departments have been made aware.

Mr Speaker, let me set out what we have done.

First, the UK Payments Association, the British Banking Association and Building Societies Association have been informed. Through them HMRC informed individual banks and other financial institutions including building societies and post offices of affect accounts.

Second, individual institutions are flagging these accounts which enables them to continually monitor for irregular activity. They tell me that so far they have found no evidence of such activity.

Third, they are also tracking back and analysing transactions on affected accounts back to 18 October. They have again so far found no evidence of unusual activity.

They will continue to monitor these accounts so if there is any suspicious activity, action can be immediately taken.

And fourth, if someone the innocent victim of fraud as a result of this incident, people can be assured they have protection under the Banking Code so they will not suffer any financial loss as a result.

The UK Payments Association have confirmed they are confident that every action has been taken by the banking industry to minimise the risk of any fraud.

They have also confirmed the missing data is not enough in itself for someone to access a person's bank account for fraudulent purposes - as additional security information and passwords are always required. But we have to recognise the increased risk caused by this missing data.

So people will want to monitor their accounts and guard against any unusual activity.

The advice of banks is there is no need for customers to ask for a new account or to contact their bank or building society.

But they should do what they should be doing anyway:
they should check their statement and keep a close eye on their account for any unusual activity;
if they see anything in their statement that concerns them, and if so they should contact their bank or building society immediately;
and they should also not give out personal or account details requested unexpectedly by phone or email.

And I reiterate the banks have made it clear that individuals will not have to pay out for any loss in the event that they are innocent victims of fraudulent activity.

I can also assure the House that their Child Benefit payments will continue to be paid as before.

There are already clear HMRC standing procedures which appear to have been broken. HMRC has initiated changes to security processes and procedures so they will now only take place, with written authorisation from a senior HMRC manager and with the appropriate protection for the transfer.

back to top

Mr Speaker the police investigation continues, though there is also likely to be an inquiry into the missing data by the Independent Police Complaints Commission (IPCC), which has a responsibility for monitoring HMRC.

I have kept the Information Commissioner informed. It is highly likely that there have been breaches in the Data Protection Act. That is something the Commissioner will investigate.

The Government takes the protection of personal data, in whatever form, extremely seriously and has therefore put in place and is strengthening the rights and safeguards on use and handling such data.

The Data Protection Act set out the framework enforced by the Information Commissioner and the Courts. Departments have specific controls on information sharing and duties of confidentiality that that are being enhanced by amending the Data Protection Act to guard against misuse and provide further information to citizens about the information Government holds.

Last month, the Prime Minister asked the Information Commissioner and Professor Mark Walport, Director of the Wellcome Trust, to carry out a review of the framework in the UK to ensure the security of personal data. This review will look at Government Departments and other organisations.

I can also tell the House that the Comptroller and Auditor General, Sir John Bourn, has said the NAO will also review its own procedures for requesting data to confirm that these remain in line with best practice and will apply any lessons arising.

In addition, the House will be aware of other data security breaches by the HMRC, including at the end of September the loss of records of around 15,000 people in transit by HMRC's external courier and in the same month, a laptop and other material containing personal details relating to HMRC customers was also lost.

I have therefore asked Kieran Poynter, the Chair of Price Waterhouse Coopers to investigate HMRC's security processes and procedures for data handling. I have asked for an interim report next month and full report in the Spring.

This review will be conducted in consultation with the Independent Police Complaints Commission (IPCC) and a full report will be made available to the Information Commissioner.

I express my gratitude to the Metropolitan Police for their investigation, the Information Commissioner for his advice and the banks for their cooperation in working with the Government in taking steps to protect the public.

Mr Speaker, the House will understand that because the investigation is continuing I am not yet in a position to give the House a full account of what has happened here. But I will continue to keep the House informed.

This is an extremely serious matter. HMRC has a responsibility towards the general public who entrust it with highly sensitive personal information. It has failed to meet the high standards that should be expected of it.

Mr Speaker, I recognise that millions of people across the country will be concerned about what has happened.

I deeply regret this and apologise for the anxiety that will undoubtedly be caused.

Let me reiterate:
There is no evidence this data has reached the wrong hands
There is no evidence of fraud or criminal activity
Banks and building societies are putting in place safeguards to protect people's accounts
Banks and building societies will continue to monitor their accounts
No-one will suffer any loss if they are an innocent victim of fraud

And I will, of course, keep the House updated of any further developments.

back to top