Poynter review slams weak policies at HMRC
A review into the highest-profile Government data loss last year, when two discs containing personal information on 25 million individuals were "lost in the post", has concluded that policies at HM Revenue and Customs were too generic, lacking in detail and had not kept pace with IT developments.
Kieran Poynter, chairman and senior partner at PricewaterhouseCoopers, was appointed in November 2007 to examine the circumstances of the loss. In his report, published in June, Poynter found that, "information security, at the time of the incident, simply wasn't a management priority."
Banner Ad
Gaps around encryption and removable media were particularly highlighted. "The end result is that employees find no actual policy or procedure to which they can refer when the need arises," says Poynter. Operational delivery was routinely prioritised over information security by staff below senior levels.
"Accountability for the ownership and guardianship of data is insufficiently defined within HMRC. This issue is particularly acute when different departments are working together," he found. The particular data transfer under investigation need never have happened in the full, unencrypted form that took place.
The report provides a detailed account of how the data loss occurred and the wider context in which it happens. It also sets out recommendations for change. Poynter notes/ "I am happy to say that HMRC has accepted all of my recommendations (and indeed has already made progress on 39 out of 45 of them, implementing 13 of them) and has endorsed the direction of travel."
| Bookmark with: |