HM Revenue and Customs

Part of Oral Answers to Questions — Foreign and Commonwealth Office – in the House of Commons at 3:31 pm on 20 November 2007.

Alistair Darling (The Chancellor of the Exchequer), 3:31, 20 November 2007

With permission, Mr. Speaker, I should like to make a statement on the breach of procedures which led to personal data relating to child benefit from Her Majesty's Revenue and Customs going missing.

I shall set out the nature of the data and the circumstances relating to how they went missing. However, it might be helpful to the House if I set out the background first. The National Audit Office, which is independent of Government but answerable to Parliament, has a right to ask for and access data from HMRC in discharging its compliance responsibilities.

In March, it appears that a junior official in HMRC provided the National Audit Office with a full copy of HMRC's data in relation to the payment of child benefit. In doing so, the strict rules governing HMRC standing procedures were clearly not followed. Those procedures relate to the security of and access to data as well as their transit to ensure that they are properly protected. That information should not have been handed over by HMRC in the way that it was. However, I understand that in this case the NAO subsequently returned all the information that it received in March to HMRC after auditing it.

It now appears that, following a further request from the NAO in October for information from the child benefit database, again at a junior level and again contrary to all HMRC standing procedures, two password-protected discs containing a full copy of HMRC's entire data in relation to the payment of child benefit were sent to the NAO, by HMRC's internal post system operated by the courier TNT. The package was not recorded or registered. It appears that the data have failed to reach the addressee in the NAO.

I also have to tell the House that, on finding that the package had not arrived at the NAO, a further copy of those data was sent, this time by registered post, which did arrive at the NAO. However, again HMRC should never have let that happen. Although it is believed that the data were sent from HMRC to the NAO on 18 October, the fact that they did not arrive was not reported to HMRC's senior management until 8 November, nearly three weeks later.

I was informed on Saturday 10 November and immediately instructed that comprehensive searches by customs officers be carried out on all premises where the missing data might be found. Those searches are continuing. I asked for an immediate investigation, which was initiated that weekend. I also insisted on immediate steps to prevent this from happening again. Action has been taken.

On Monday 12 November, HMRC informed me that evidence might have been found of the route taken by the data and that they were likely to be found. However, by Wednesday 14 November it was clear to me that the HMRC searches had failed to find them. I therefore instructed the chairman of HMRC to call in the Metropolitan police to conduct a full investigation, in order to find the missing package. That investigation is still under way. Our priority was and is to find the data. Searches have been and continue to be carried out, including of HMRC and National Audit Office premises, and staff are being interviewed. So far, however, the missing data have not been found.

The police tell me that they have no reason to believe that these data have found their way into the wrong hands. The police are not aware of any evidence that they are being used for fraudulent purposes or criminal activity.

I will tell the House what is missing as a result of this extremely serious failure on the part of HMRC to protect sensitive personal data entrusted to it in breach of its own guidelines. In terms of protecting confidential data, Her Majesty's Revenue and Customs is operationally independent of Ministers. It is established by statute and run by its chairman, Paul Gray, and a board of commissioners who are responsible for its operations but answerable to Parliament through me. Last week Paul Gray told me on his own initiative that given the seriousness of the operational failing he should resign. He has now confirmed that intention, and I am grateful to him for his contribution to the work of government, in HM Treasury, the Department for Work and Pensions and then HMRC.

The missing information contains details of all child benefit recipients: records for 25 million individuals and 7.25 million families. Those records include the recipient and their children's names, addresses and dates of birth, child benefit numbers, national insurance numbers and, where relevant, bank or building society account details. I regard this as an extremely serious failure by HMRC in its responsibilities to the public.

In making this statement today, I have had to balance the imperative of informing the House and the public at the earliest opportunity with ensuring that when I did so the appropriate safeguards were in place to protect the public, including in relation to bank accounts. Indeed, the banks were adamant that they wanted as much time as possible to prepare for this announcement. I discussed the issue with the Information Commissioner on Thursday, who agreed that appropriate remedial action needed to be taken before a public statement was made. This action has now been taken. I have also sought the advice of both the Financial Services Authority and the Serious Organised Crime Agency, and other Departments have also been made aware of the issue.

Let me set out what we have done. First, the UK Payments Association, the British Bankers Association and the Building Societies Association have been informed, and through them HMRC informed individual banks and other financial institutions, including building societies and post offices, of affected accounts. Secondly, individual institutions are flagging those accounts, which enables them continually to monitor for irregular activity. They tell me that so far they have found no evidence of such activity. Thirdly, individual institutions are also tracking back and analysing transactions on affected accounts to 18 October. Again, they have so far found no evidence of unusual activity. They will continue to monitor those accounts, so that if there is any suspicious activity, action can immediately be taken. Fourthly, if someone is an innocent victim of fraud as a result of this incident, people can be assured that they have protection under the banking code, so that they will not suffer any financial loss as a result.

The UK Payments Association has confirmed that it is confident that every action has been taken by the banking industry to minimise the risk of any fraud. It has also confirmed that the missing data are not enough in themselves for someone to access a person's bank account for fraudulent purposes, as additional security information and passwords are always required. However, we have to recognise the increased risk caused by these missing data. People will therefore want to monitor their accounts and guard against any unusual activity. The advice of banks is that there is no need for customers to ask for a new account or to contact their bank or building society. However, they should do what they should be doing in any event: checking their bank statements to keep a close eye on their account for any unusual activity; contacting their bank or building society immediately if they see anything in their statement that concerns them; and not giving out personal or account details requested unexpectedly by phone or e-mail. I reiterate that the banks have made it clear that individuals will not have to pay out for any loss in the event that they become the innocent victims of fraudulent activity. I can tell the House that child benefit payments will continue to be paid as before.

There are already clear HMRC standing procedures, which appear to have been broken. HMRC has initiated changes to security processes and procedures, so they will now take place only with written authorisation from a senior manager and with appropriate protection for any transfer.

The police investigation continues, although there is also likely to be an inquiry into the missing data by the Independent Police Complaints Commission, which has responsibility for monitoring Her Majesty's Revenue and Customs. I have kept the Information Commissioner informed. It is highly likely that there have been breaches of the Data Protection Act, which the commissioner will investigate.

The Government take the protection of personal data, in whatever form, extremely seriously and have therefore put in place and are strengthening rights and safeguards on the use and handling of such data. The Data Protection Act sets out the framework enforced by the Information Commissioner and the courts. Departments have specific controls on information sharing and duties of confidentiality that are being enhanced by amending the Data Protection Act to guard against misuse and provide further information to citizens about the information that the Government hold.

Last month the Prime Minister asked the Information Commissioner, Professor Mark Walport, director of the Wellcome Trust, to carry out a review of the framework in the United Kingdom to ensure the security of personal data. That review will look at Government Departments and other organisations. I can also tell the House that the Comptroller and Auditor General, Sir John Bourn, has said that the National Audit Office will also review its own procedures for requesting data to confirm that they remain in line with best practice, and will apply any lessons arising.

In addition, the House will be aware of other data security breaches by HMRC—including, at the end of September, the loss of records of around 15,000 people in transit by HMRC's external courier and, in the same month, the loss of a laptop and other material containing personal details relating to HMRC customers. I have therefore asked Kieran Poynter, chair of PricewaterhouseCoopers, to investigate HMRC's security processes and procedures for data handling. I have asked for an interim report next month and a full report in the spring. That review will be conducted in consultation with the Independent Police Complaints Commission and a full report will be made available to the Information Commissioner.

I express my gratitude to the Metropolitan police for its investigation, to the Information Commissioner for his advice and to the banks for their co-operation in working with the Government in taking steps to protect the public. The House will understand that because the investigation is continuing I am not yet in a position to give a full account of what has happened but I will continue to keep the House informed.

This is an extremely serious matter. HMRC has a responsibility towards the general public, who entrust it with highly sensitive personal information. It has failed to meet the high standards that should be expected of it. I recognise that millions of people across the country will be very concerned about what has happened. I deeply regret that and apologise for the anxiety that will undoubtedly be caused.

But let me reiterate: there is no evidence that these data have reached the wrong hands and no evidence of fraud or criminal activity; banks and building societies are putting in place safeguards to protect people's accounts; banks and building societies will continue to monitor those accounts; and no one will suffer any loss if they are innocent victims of fraud. I will, of course, keep the House updated of any further developments. I commend the statement to the House.