UK tax head resigns over lost personal data
Paul Gray, Chairman of the UK tax office (HMRC), has resigned after what is probably the UK's biggest data leak so far. On October 18th, a junior officer at HMRC in Newcastle dispatched the entire Child Benefit (CB) database on two CDs to the National Audit Office (NAO) in London via TNT, a commercial courier service. The disks never arrived. It seems that HMRC procedures were not followed, and that the CDs were not even sent via the registered service, which would at least have provided a tracking record. It also appears that although the files were password protected, they were not encrypted. In general, such password protection is trivial to crack.
The CB database includes confidential details of every family in the UK with children under the age of 16, including bank account details, full names and addresses, among other sensitive information. Apparently, between 15 and 28 million data subjects are potentially affected, and the very fact that reports of the numbers differ widely is cause for concern. Nevertheless, this is probably the most significant single data leak the UK has experienced so far. Yet it was not reported to senior HMRC management until the second week of November, and Alistair Darling, the Chancellor, was not informed until November 10th. Darling himself apparently delayed reporting the breach to Parliament because the banking sector had requested a grace period to implement security precautions. Nevertheless, the Government position is still that there is no evidence of misuse of the data.
Amidst speculation that the disks may have been stolen, the Chairman of HMRC, Paul Gray, has stood down after over 35 years in various financial arms of Government service. Sir Gus O'Donnell, Secretary to the Cabinet and Head of the Home Civil Service, has gone on record with the comment: "Paul has accepted that there have been major administrative failings in his department relating to their legal duties to protect personal information, and that he is accountable for these operations." Indeed, this is not the first time HMRC have lost personal data. In September, a CD containing details of around 15,000 data subjects with Standard Life pensions was also lost in transit via a commercial courier, so it would appear that lax procedures are endemic. However, Jamie Cowper, Director of European Marketing at PGP Corporation, commented on Gray's resignation: "... you have to ask whether this is really going to help solve the operational risk issues that the organisation clearly faces."