HMRC data not filtered due to cost

Summary: Sensitive details were not stripped by HMRC from the data on two missing CDs due to cost, an email exchange published by NAO reveals

TOPICS: Security

Emails released by the National Audit Office reveal HM Revenue & Customs did not strip out bank account and other sensitive details contained on the two CDs that have gone missing because of the extra cost it could have incurred.

The National Audit Office (NAO) has released the details of an email exchange between the junior manager at HMRC responsible for sending the CDs containing 25 million child-benefit records and the NAO, with a senior HMRC manager copied in on the emails — although both sides agree the senior manager was not responsible for making the decision to send the data in this way.

The first email exchange relates to the NAO's request for national insurance numbers from the child-benefit database for the 2006/07 audit.

At 08.20am on 13 March, 2007, the junior HMRC official sent an email to the NAO attaching a data scan and sample of the data extracted from the child-benefit database by IT services company EDS.

Later that day at 14.41pm, the NAO official sent an email reply asking for the data to be filtered. The email said: "I do not need address, bank or parent details in the download — are these removable to make the file smaller?"

The HMRC official responded at 15.23pm, writing: "Your original request was for a 100 percent scan of the data, and fortunately a scan was complete earlier this year, and we have shared this with you at no additional cost to the department. I must stress we must make use of data we hold and not overburden the business by asking them to run additional data scans/filters that may incur a cost to the department."

That data was sent without being filtered, in 100 zipped files on two CDs, but did arrive safely at the NAO. Then, in October, the NAO made another request for the same child-benefit data for the 2007/08 audit.

An email on 2 October, 2007 from the NAO to the HMRC official said: "Please could you ensure the CDs are delivered as safely as possible due to their content."

Those CDs were sent on 18 October by HMRC to the NAO but never arrived and are still missing.

The emails will heap more pressure on the chancellor of the exchequer, Alistair Darling, who failed to mention the details of this email exchange in his statement to MPs on Tuesday, despite it being included in the briefing paper to him from the NAO.

HMRC declined to comment while the police investigation is ongoing.

The full email exchange can be viewed on the NAO website.

1 comment
  • Cracked it in one - outsourcing!

    The giveaway is that the data had "already been extracted by EDS".
    If the service had been in-house, the data would have been generated simply by amending the database parameters, but thanks to the joys of outsourcing, which saves lots of money, a new run would have needed a new project set up involving estimating, quoting and paying for activities outside the contract.
    No wonder the government is also looking at ways they can justify offshoring the data as well, all to save us money. I am glad they have my interests at heart!
    Our local garage recently had a cloning scandal where most of the cards used suddenly popped up in the East. The government are obviously looking at saving us money by cutting out the middle man.