25 June 2008
Statement by the Chancellor of the Exchequer, The Rt Hon Alistair Darling, MP on the Poynter Review, 25 June 2008
Check Against Delivery
1. With your permission Mr Speaker I would like to make a statement on the final report by Kieran Poynter, Chairman of PricewaterhouseCoopers, into the loss of child benefit records at HM Revenue and Customs last year.
2. I should also tell the House that the Independent Police Complaints Commission, which conducted its own investigation into the loss, is publishing its report today. The IPCC found no evidence of misconduct or criminality by any member of staff at HMRC.
3. The Cabinet Secretary has also published today his wider cross-Government work to improve data handling.
4. The Poynter and IPCC reports are available in the Vote Office and the Library of the House.
5. I am grateful, both to Kieran Poynter and his team and the IPCC for their extensive work. Both have provided a very full and detailed account of what happened.
6. Mr Speaker, improving information security is a challenge that every organisation is facing.
7. In recent years we have seen problems in both the public and private sectors as organisations struggle to keep pace with the development of technology in data storage and transfer.
8. The public is entitled to expect government departments to ensure their personal details are kept safe and it is therefore essential that we do everything we can to minimise the chances of this sort of loss happening again.
9. I deliberately gave Mr Poynter wide-ranging terms of reference not just because of the seriousness of this loss but also because as I said in my statement on 20 November, I was concerned about previous losses of data by HMRC.
10. In my statements to the House on 20 November and 17 December, I set out the circumstances surrounding the events that led to the loss of the child benefit data, and the immediate action taken.
11. My priorities then were to locate the missing discs, and to ensure that adequate safeguards were in place to monitor bank and building society accounts of those who could have been affected.
12. Despite extensive searches by HMRC and the police the discs have not been found, but I can tell the House that I am advised that there is no evidence of any fraudulent activity as a result of the loss.
13. HMRC took a series of immediate steps at that time, including a complete ban on the transfer of bulk data without adequate security protection, measures to prevent the downloading of data without the necessary safeguards and the immediate disabling of the ability to download data from all desktop and laptop computers within the organisation.
14. Mr Speaker, Kieran Poynter's report is in two parts. The first deals with the circumstances giving rise to the loss. The second part deals with his wider findings and recommendations.
15. He examined in detail the circumstances surrounding the earlier transfer of data in March 2007, which I referred to in my statements to the House.
16. He found that in March, because the HMRC staff involved then were unaware of the relevant guidance, which in itself lacked clarity, they did not escalate the request to the appropriate level of seniority before releasing data to the NAO.
17. As a result, no senior HMRC official was asked to permit the NAO to take the data off-site to conduct its analysis and no such official knew that this was envisaged.
18. Mr Speaker, Mr Poynter has concluded that these events in March last year then created a precedent which allowed a similar transfer to take place in October without the appropriate level of authorisation or adequate consideration of the security risks of releasing such a large amount of personal information.
19. He says that senior managers were unaware that the data had been moved from HMRC premises in March and October until the loss of data was subsequently reported to them.
20. He concludes that the data loss incident arose following a sequence of communications failures between junior HMRC officials and between them and the National Audit Office.
21. However, he finds that the loss was entirely avoidable and the fact that it could have happened points to serious institutional deficiencies at HMRC.
22. Firstly, information security simply was not the management priority it should have been.
23. And secondly, management structures and governance were unnecessarily complex and did not establish clear lines of accountability.
24. Moreover, he points to a lack of clarity in communications and the failure to involve senior HMRC staff as being contributing factors in both cases.
25. Mr Poynter makes clear in his report that both these failings have now been addressed.
26. He acknowledges the progress the department has made since last November. HMRC is a complex organisation, operating from some 900 sites and sending out over 300 million items of mail a year.
27. Against this background Mr Poynter sets out the action that has been taken to make information security a priority. This includes the appointment of a Chief Risk Officer, new, clearer security guidance and a wide-ranging programme of training to raise awareness of security issues amongst staff.
28. And he also sets out the action that has been taken to simplify management structures and governance. He acknowledges the new organisational structure as a positive step forward.
29. Mr Poynter's team has worked closely with HMRC and in particular those teams that process large volumes of personal data or provide corporate services, such as IT. By providing detailed recommendations to the organisation as its work progressed, rather than leaving them to the final report, the review team has been able to support HMRC and help it make good progress in implementing its recommendations.
30. However, Mr Poynter states that "a great deal of work will be required to bring HMRC up to and to sustain the world class standard for information security to which it now properly aspires."
31. In all he makes 45 recommendations, all of which have been accepted. HMRC has made good progress on 39 of the recommendations, including 13 which have been fully implemented. Work is continuing on the remaining recommendations.
32. Mr Poynter also makes a number of recommendations in relation to the way in which HMRC operates and the fragmentation and complexity of its IT systems. The organisation is already addressing these issues and will be spending £155m improving data security over the next three years.
33. The 45 recommendations - when fully implemented - will reduce the risk of a serious breach in the future and make sure that HMRC achieves the highest standards of information security.
34. Mr Speaker, Kieran Poynter states that the decision to merge the Inland Revenue and HM Customs and Excise was the right one.
35. But he says that the management structure subsequently adopted was not suitable - exactly the same failing identified in the Capability Review, carried out by an independent panel, overseen by the Cabinet Secretary and published last December.
36. In acknowledging the significant changes the organisation has undergone Mr Poynter judges that "these changes individually and collectively represent good decisions which have created the platform from which to build a high quality, efficient administration."
37. In order to build from this platform the management needs to continue to address the issues highlighted by Mr Poynter in his wider review and the Capability Review.
38. In particular, HMRC's security procedures must be improved to ensure information security is a management priority and, importantly, the management must raise staff morale.
39. Mr Poynter acknowledges the new organisational structure put in place earlier this year as a crucial step and makes recommendations to develop it further.
40. Mr Poynter concludes that his findings represent an opportunity to modernise work practices and systems which will make the organisation more efficient as well as rebuilding its reputation for data security.
41. I am grateful to Dave Hartnett - the acting Chairman - who has overseen these improvements and led the organisation through a difficult time.
42. Yesterday, Mike Clasper, who has considerable business experience, was appointed as the new Chairman of HMRC. He and Dave Hartnett have made it clear that the implementation of the Poynter recommendations and crucially, the importance of information security will be priorities.
43. The Information Commissioner, who has been kept informed since the outset, has indicated that this review has investigated all the facts and issues with which he needs to be concerned, and he fully supports all of Kieran Poynter's recommendations.
44. The Information Commissioner proposes to serve the appropriate enforcement notice on HMRC under the Data Protection Act.
45. Mr Speaker, it is quite clear that the loss was entirely avoidable and again I apologise unreservedly to everyone who has been affected.
46. HMRC employs tens of thousands of people who work hard and are dedicated to providing an excellent service to the public.
47. The staff are entitled to expect clarity as to how they discharge their duties.
48. The public are entitled to expect that their privacy is respected and that security of highly personal information is the highest priority.
49. It is essential that we now implement his recommendations.
50. And I commend this statement to the House.