Massive IT Cock Up at HMRC
The UK’s Social Security system is no stranger to IT disasters. Recent ‘highlights’ include: the long term closure (almost two years to date!) of the online tax credits payment system after widespread fraudulent claims were detected; the scrapping of the Benefits Processing Repayment Programme before launch but after £141 million of expenditure; the admission that the Child Support Agency could not function properly because of inadequate IT systems; which itself… followed earlier admissions that many Child Support applications were simply not being processed because of inadequacies in new systems. We should not forget earlier legendary disasters including the Operational Strategy of the 1980s/early 1990s that was billed as the biggest IT project in the whole of Europe but failed to meet the majority of its objectives despite coming in around three times over budget.
But, today’s news that the personal details of all families in the UK claiming Child Benefit (theoretically all with a child under 16) have gone missing after being placed on two CDs and then biked by a courier, in an unregistered delivery, has to be up there with the best of them. The discs, destined for the National Audit Office, apparently carried the full records of all claimants, meaning whoever finds these discs potentially has access to the name, address, date of birth, National Insurance number and bank details of up to 25 million people. The data is, we are told, password protected, but astonishingly is not encrypted so getting into the records shouldn’t be too difficult. Such basic inadequacies in protecting data really do beggar belief and, while the Chair of HM Revenues & Custom has resigned over the matter, deeper questions surely need to be asked here.
I watched some of the debate that took place in the House of Commons after the Chancellor announced the full details of the incident. The Lib Dem’s Vince Cable rightly asked why on earth data was being transported in this manner and pointed the finger at the prehistoric computer systems that underpin the whole social security sector. The Conservatives are using the event to attack the ID card proposals and they may well be right in suggesting this will shatter public confidence in the government’s ability to run such a national ID system in a way that does not threaten privacy, especially if the HMRC data does fall into criminal hands and this breaks into the media. But, what I found most amazing of all was the intervention of Edward Leigh, the Chair of the Public Accounts Committee, who said he had spoken to the Comptroller General and been told that the NAO had specifically requested that they only be sent the National Insurance numbers of Child Benefit recipients; all other personal details should have been stripped out of the data they were sent. Leigh had also established that after the NAO had informed HRMC that the data had not arrived they sent two more copies of the discs (presumably by the same method!?!?).
In other words, it seems HMRC have been biking insecurely protected personal data of millions of people around the country for no good reason other than they could not be arsed to reformat it, delete the unneeded items or to fill in the extra paper work needed for a registered delivery. As Leigh says, the HMRC appear to have been ‘criminally irresponsible’ here.
There is some good news though. Given the track record of computing projects in the sector, chances are the discs weren’t burned properly and when they are found they will probably have no data on them at all.
