HMRC slammed over child benefit fiasco

The Independent Police Complaints Commission (IPCC) has delivered a damning verdict on the loss of 25 million child benefit records at HM Revenue & Customs, citing widespread "culture failures".

The 59-page report found that staff were working on a "muddle through" ethos and that processes at the department were "far from what they should have been" in the run up to the loss of two CDs in October 2007.

"Staff found themselves working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data," the IPCC inquiry said.

"The IPCC uncovered failures in institutional practices and procedures concerning the handling of data, and the absence of a coherent strategy for mass data handling. Generally speaking, practices and procedures were less than effective."

The report was delivered in tandem with the final version of the Poynter review, headed up by PricewaterhouseCoopers chairman Kieran Poynter.

The Poynter review was equally scathing about the incident, accusing HMRC of "serious institutional deficiencies" and having "no visible management of data security at any level".

IT security vendors have been quick to join in the latest round of government bashing over data breaches.

Brian Spector, general manager at Workshare, suggested that the findings of both reports confirmed that government measures to protect sensitive information were wholly unsatisfactory.

"The government has today pledged to address the issue of data leakage through the use of training and a change in management structure," he said.

"But unless security policies are enforced through the use of proven technology it will face an uphill struggle in convincing the general public that it can be trusted with their confidential data."

Meanwhile, antivirus vendor McAfee pointed to the dangers of human error faced by all organisations.

A recent survey by the company showed that 98 per cent of UK office workers do not see the protection of corporate electronic data as their responsibility.

"Technology can always provide a back up, but employees need to be educated about why they should be careful with data, and usage policies are needed to enforce good data protection practices," said McAfee security analyst Greg Day.