Transforming HMRC in response to its data loss
Review of information security at HM Revenue and Customs by Kieran Poynter
The Poynter Review is no ordinary information management consultancy report. But then HMRC's loss in October 2007 of disks containing the addresses and bank account details of 7.5 million child benefit recipients was no ordinary data loss.
- The review cost a staggering £3.6 million. It encompassed a full investigation of the circumstances leading up to the loss in October 2007; a detailed assessment of 15 HMRC business units against criteria derived from the Information Security Standard ISO 27002; and the review of an audit that HMRC carried out of its information outputs across the organisation.
- The consultant, Kieran Poynter, is Chairman and Senior Partner of PricewaterhouseCoopers.
- The findings go further than purely information security: they set out a new strategic direction for HMRC.
- As soon as it was published, the Information Commissioner slapped an enforcement order onto HMRC for breach of the Data Protection Act. The order requires HMRC to report back periodically on how it is proceeding in implementing the report's recommendations (effectively making the findings mandatory).
The findings of the Poynter review set out to do two things: to change the organisational design of HMRC, and to change the culture of HMRC, both in order to improve information security.
Changing the organisational design of HMRC
Poynter states that:
- The main vulnerability to personal data loss occurs when data transfers from one system or process to another.
- The great many different types of taxation and benefit that HMRC administers each have separate systems for capturing, maintaining and using personal data about the individual citizen/business. This increases the risk of personal data loss. It necessitates the maintenance and control of a large number of different systems which hold significant aggregations of personal data; and it multiplies the instances where data moves from one system or process to another.
- In the short term HMRC should try to increase its level of information security control over these different systems, but the fragmented nature of the existing organisation design will always leave HMRC with a higher than desirable level of vulnerability to data loss.
- HMRC should start moving on a long term direction of travel towards keeping one central record for each individual citizen and each business. Each separate process for the administration of a particular form of taxation or benefit would then draw from that central record, and update that central personal data as and when it worked with that individual.
- This model would change HMRC's relationship with individual citizens and businesses. Individual citizens and businesses would be able to update their own tax and benefit record.
- Individual citizens and businesses would benefit by no longer having to give the same information to different parts of HMRC on different forms.
- HMRC staff time could be concentrated on cases where citizens needed their help in completing information (hard to reach groups) and on improving the tax yield by reducing mis-payment and fraud.
Making information security a management priority
We information professionals have long complained that senior managers do not take good information governance seriously enough.
The HMRC data loss was so large and so traumatic that Poynter has had carte blanche to map out what world class information governance would look like for HMRC. These are the features that emerge from Poynter's recommendations:
- Set information security as a corporate objective. Keeping personal data about taxpayers and benefit recipients accurate and secure should be seen as a central role of HMRC as the UK's tax administrators. It should be written into the list of HMRC's departmental objectives, and translated down into specific objectives for each line of business.
- Articulate an information security strategy. The strategy should identify critical risks; key responsibilities; how information security will be integrated into the working of HMRC; and what HMRC's approach will be for ensuring compliance.
- Identify key responsibilities at a senior level. The Chief Finance Officer should also be designated the Senior Information Risk Owner (SIRO). This is in line with the Cabinet Office's recommendation that all Central Government departments should nominate a SIRO at board level. Reporting to the Chief Finance Officer should be a Chief Risk Officer, who should head up three teams: a risk management team, an information security team and a physical security team. The information security team should be headed up by a Chief Information Security Officer reporting into the Chief Risk Officer.
- Ensure that managers have access to good quality information security advice. Prior to the data loss, HMRC recruited internally for information security roles. Poynter recommends that HMRC should recruit strong professional expertise for its central team of information security experts. It should also embed an information security expert in each of its four Lines of Business. The central team should take responsibility for co-ordinating and monitoring information security across HMRC, and for keeping up to speed with the implications of new technologies, new ways of working and new threats.
- Ensure that HMRC has professional capability in risk management. Poynter identified a lack of professional risk management expertise in HMRC prior to the data loss. This resulted in a bottom up approach to risk management where business units identified and managed their own risks. There was insufficient consideration of risk at board level. Poynter recommends the appointment of risk management professionals to support the new Chief Risk Officer and to provide corporate risk management support for the different Lines of Business.
- Establish clear local accountabilities for information security. Within each Line of Business, the line management of each business unit should be fully responsible and accountable for information security. Each unit should appoint a Data Guardian to advise line management on information security issues and to work on ensuring that colleagues have the knowledge, skills and motivation to apply information security measures in their work. Data Guardians should report to the Line of Business's Information Security Professional.
- Ensure senior managers are held accountable for information security in their area. Poynter recommends that the Chief Executive and his advisors should have regular performance review meetings with each individual Line of Business Director-General, and that information security should be one of the items on the agenda for these meetings. The Chief Information Security Officer and Chief Risk Officer should provide advice for the Chief Executive at these meetings.
- Tailor policy, procedures and advice to staff in each area. A key role of the information expert in each Line of Business is to translate corporate information policy and procedures into specific advice tailored to the needs of their Line of Business. In the short term very clear and very specific guidance should be given to staff working in areas identified as a high information security risk.
- Build information security into management and leadership training. HMRC cannot entirely eliminate information risk, and information security is not HMRC's only priority. Determining what level of information risk to accept for any particular process requires the business knowledge of managers as much as it needs the specialist knowledge of information security experts. Poynter wants HMRC to define its own leadership development programme for its senior managers and to include in that a module on information security. Poynter also wants information security to be built into HMRC's process programme (PaceSetter). The central plank of PaceSetter is a methodology called LEAN, which enables managers to analyse their area's business processes and to identify how they can be made more efficient and effective. Poynter wants the LEAN methodology to be enhanced to equip managers with the ability to identify the information risks of their current processes and of any changes they propose to these processes. He also wants those processes that have already been changed by the LEAN methodology to be re-examined to check that their re-design hasn't added an unacceptable level of information risk.
- Ensure that staff are aware of the importance of information security from the moment they start the process of joining the organisation. Include mention of the importance of information security in the recruitment advert and the job description; mention it at interview, in the letter of appointment, and in the contract of employment. Itemise responsibilities in the job description. Include information security as a mandatory part of the induction process. Don't let staff graduate through the induction process until they have completed the information security element.
- Ensure that new staff understand what constitutes a data breach and the disciplinary consequences.
- Provide annual information security refresher training for all staff: face to face training for staff working in areas of high information security risk, and an e-learning package for the rest.
Bridget Treacy of law firm Hunton and Williams has posted a well-informed article on the Poynter Review here.