Over 600 HMRC staff disciplined for data infractions
HM Revenue & Customs has had to discipline over 600 staff since 2005 over data-protection incidents, according to Treasury financial secretary Jane Kennedy.
Kennedy revealed on Wednesday in a written answer to parliamentary questions that 238 staff were disciplined at HM Revenue & Customs (HMRC) in 2005, dropping to 180 in 2006 and 192 in 2007. The figures were revealed in answer to a written parliamentary question by Conservative MP James Brokenshire.
"HMRC has a strict policy forbidding staff to access customer records, unless they have a legitimate business need," she said. "Breaches of this policy are taken seriously and any breach will result in the commencement of disciplinary proceedings. Each case is treated on its merits but, in many cases, the disciplinary penalty for breach is dismissal."
Kennedy also revealed in answer to written questions from other MPs that, since 2005, HMRC has had 11 data-security incidents that have been serious enough to be reported to the data-protection watchdog. "Since April 2005, HMRC has discussed 11 data-security incidents involving customer information with the Information Commissioner's Office as a matter of good practice and to ensure appropriate lessons are learned from such incidents," said Kennedy.
HMRC has faced widespread criticism over recent high-profile data breaches. In November 2007, the chancellor of the exchequer, Alistair Darling, reported that HMRC had lost 25 million personal details of people claiming child benefits, including bank details. Two CDs containing the details were lost in the post.
Kennedy said that, since 2005, HMRC has introduced "more stringent controls which require that transfers of bulk data on removable media only take place where there is adequate security protection".
In November 2007, Darling blamed the loss of the two HMRC CDs on a junior official. However, Kennedy's answer on Wednesday to a question from Conservative MP Mark Hoban painted a slightly different picture. According to Kennedy, data controllers within HMRC "sit within business units' line-management chain"; the director of each business unit in HMRC is ultimately accountable for the data-security arrangements in that unit; and the chair of HMRC has ultimate responsibility for data security. HMRC chair Paul Gray resigned over the loss of the CDs.