HMRC data not filtered due to cost

Summary:Sensitive details were not stripped by HMRC from the data on two missing CDs due to cost, an email exchange published by NAO reveals

Emails released by the National Audit Office reveal HM Revenue & Customs did not strip out bank account and other sensitive details contained on the two CDs that have gone missing because of the extra cost it could have incurred.

The National Audit Office (NAO) has released the details of an email exchange between the junior manager at HMRC responsible for sending the CDs containing 25 million child-benefit records and the NAO, with a senior HMRC manager copied in on the emails — although both sides agree the senior manager was not responsible for making the decision to send the data in this way.

The first email exchange relates to the NAO's request for national insurance numbers from the child-benefit database for the 2006/07 audit.

At 08.20am on 13 March, 2007, the junior HMRC official sent an email to the NAO attaching a data scan and sample of the data extracted from the child-benefit database by IT services company EDS.

Later that day at 14.41pm, the NAO official sent an email reply asking for the data to be filtered. The email said: "I do not need address, bank or parent details in the download — are these removable to make the file smaller?"

The HMRC official responded at 15.23pm, writing: "Your original request was for a 100 percent scan of the data, and fortunately a scan was complete earlier this year, and we have shared this with you at no additional cost to the department. I must stress we must make use of data we hold and not overburden the business by asking them to run additional data scans/filters that may incur a cost to the department."

That data was sent without being filtered, in 100 zipped files on two CDs, but did arrive safely at the NAO. Then, in October, the NAO made another request for the same child-benefit data for the 2007/08 audit.

An email on 2 October, 2007 from the NAO to the HMRC official said: "Please could you ensure the CDs are delivered as safely as possible due to their content."

Those CDs were sent on 18 October by HMRC to the NAO but never arrived and are still missing.

The emails will heap more pressure on the chancellor of the exchequer, Alistair Darling, who failed to mention the details of this email exchange in his statement to MPs on Tuesday, despite it being included in the briefing paper to him from the NAO.

HMRC declined to comment while the police investigation is ongoing.

The full email exchange can be viewed on the NAO website.

Topics: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.