Skip to main content

HMRC Data Loss

Volume 469: debated on Monday 17 December 2007

With your permission, Mr. Speaker, I should like to make a statement on the progress report by Kieran Poynter, chairman and senior partner of PricewaterhouseCoopers, on the loss of child benefit records at Her Majesty’s Revenue and Customs. Before I turn to that, I can confirm that the police investigation continues, and although the searches are drawing to a close, their inquiry is not yet complete. However, the police have reiterated that they have no information or intelligence that the data have fallen into the wrong hands. They will keep that under review. The banks, too, say that they have found no evidence of any activities suggesting fraud arising from the incident, but they continue to monitor closely the accounts concerned, so they can see immediately if there is any unusual or irregular activity. As I told the House previously, the majority of accounts into which child benefit is paid are with a small number of banks, and those banks have checked the accounts back to 18 October—the date on which the missing data were posted. There are no reports of any activities suggesting increased fraud attempts deriving from the incident.

I deliberately gave Mr. Poynter wide-ranging terms of reference because of the seriousness of the loss and my concern about previous losses of data, to which I referred in my statement on 20 November. Mr. Poynter started his review on 23 November, just three weeks ago, and as he says, his work is far from complete and his conclusions will develop as his work progresses. Inevitably, therefore, the report is short, but I said last month that I would return to the House when it became available. A copy has been placed in the Vote Office in the usual way.

Kieran Poynter sets out the work that he has put in hand. He says that he has given priority to the immediate steps that Revenue and Customs must take to protect data security. It has already put in place a number of measures. Mr. Poynter says that they are measures that he would have recommended, and they are set out in his report. Mr. Dave Hartnett, the acting head of Revenue and Customs, said to the Treasury Committee on 5 December that the measures include the imposition of a complete ban on the transfer of bulk data without adequate security protection, such as encryption, as well as measures to prevent the downloading of data without adequate security safeguards. In addition, Revenue and Customs disabled all the personal and laptop computers it uses to prevent the downloading of data on to removable media; they will be reactivated only with the approval of a senior manager, and for a specific business-critical purpose.

Mr. Poynter has also started his investigation into exactly what happened in relation to the loss, but he makes the point that there are more inquiries to be made and more interviews to be carried out, and there is to be greater examination of the evidence available. As he says, it would be wholly inappropriate for him to draw final conclusions until his work is completed.

Mr. Poynter also draws attention to the responsibilities and accountability in Her Majesty’s Revenue and Customs generally. Those issues are also referred to in the capability review of Revenue and Customs, carried out by an independent panel overseen by the Cabinet Secretary. The House will be aware that the review was commissioned as part of a general review of the strengths and weaknesses of all Government Departments, and was announced in July 2006. The review of Revenue and Customs is published today, along with the Treasury’s review, and updates for four Departments. I am also publishing Revenue and Customs’ autumn performance report.

The capability review identifies a number of important strengths of Revenue and Customs, including a proven ability to bring in money to fund public services while driving down its own costs and delivering greater efficiency. It refers to committed people with honesty and integrity, and with a clear desire to transform and improve. The review also highlights a number of areas where improvements are needed; it mentions the need to set up a simpler structure, the need for clearer accountability, and the need to improve confidence and strengthen management information. The acting chairman agrees, and is announcing proposals to put in place a simpler organisational structure with clearer accountabilities. As Mr. Poynter says, that will make it easier to implement recommendations on data security as his review progresses.

I said in my statement that the Prime Minister had asked the Cabinet Secretary to ensure that every Government Department checked its procedures for the storage and use of data, and to make recommendations on how to improve data handling procedures across government. His interim report is also published today, alongside a written ministerial statement by the Minister for the Cabinet Office. The Prime Minister has already announced that the Information Commissioner will have the power to conduct spot-checks on departments. There will also be new sanctions under the Data Protection Act 1998 for the most serious breaches of its principles. These will take account of the need not only to provide high levels of data security, but to ensure that sensible data-sharing practices can be conducted with legal certainty. We will consult early in the new year on how this can best be done. There is also a range of other measures, which are set out in the report.

Revenue and Customs, and before that the Inland Revenue and HM Customs and Excise, have served successive Governments well. Their staff are dedicated and hard-working. However, the loss of these data was extremely serious and should not have happened, and again, I apologise to everyone who has been affected. As I told the House in November, the loss of these data, together with losses in previous incidents, means that a wide-ranging review was necessary so that lessons could be learned, procedures tightened and security improved. Mr. Poynter tells me that he expects to conclude his work in the first half of next year, and I shall report back to the House when I have his final report. I commend this statement to the House.

First, I want to reiterate to the Chancellor the sense of anger and betrayal felt by millions of people at the loss of their children’s data and their own data.

Today the Chancellor has to explain HMRC’s responsibility for the most catastrophic data security breach in British history, against a backdrop of its responsibility for the loss of confiscated drugs, money, passports and perhaps weapons, not to mention £5.7 billion of overpaid tax credits. In a few minutes another Cabinet Minister will bob up to admit to yet another serious data breach of security. What we and the public want is simple—a concrete assurance that such a catastrophic failure of data security will not happen again. As with every Treasury disaster, whether it is a failed bank or a lost disc, the starting point must be to establish exactly what happened and how it was allowed to happen. That is what the Poynter review was set up to do.

The Chancellor told the House on 20 November that responsibility lay with a junior official who had broken the rules. That line started to unravel almost immediately. First, the National Audit Office produced e-mails that established the involvement of senior HMRC officials in an earlier decision not to filter data in response to NAO requests, which is confirmed at paragraph 16 of the Poynter interim report.

Then data experts confirmed that the ability to download such a large volume of sensitive data to disc without authorisation signalled the absence of the most basic protections that should be built into any data-handling system. Finally, in the face of the mounting evidence, the acting chief of HMRC admitted that a systemic failure had occurred in that vast and unwieldy department cobbled together by the Prime Minister when he was Chancellor of the Exchequer.

We will obviously study the Poynter interim report with great care and we look forward to the final report. We welcome the ban on transfers of bulk data and the disabling of computers to prevent downloading to disc, but why on earth was that simple precaution not already in place? We welcome, too, the publication of the long delayed capability review, recognising HMRC’s need to rebuild its reputation with the public.

Can the Chancellor answer the following specific questions? Can he confirm that it was the practice that passwords were included on a note enclosed with data discs, and did that happen on this occasion? Who was the most senior official to be made aware of the decision routinely to send unfiltered databases to NAO in order to save cost? At what level was the downloading of the data to disc authorised in this particular case, and if it was not authorised, how was it physically possible? Finally, now that he has had time to think about it, can the Chancellor answer the question that was put to him on 20 November: why were police not informed for four days after he personally was aware of the loss, and the banks not informed for six days?

The question is not who put the discs in an envelope and dropped them in an unregistered mailbag. In any large organisation, stupid mistakes occur. That is why well-run, functional organisations have data security systems in place—systems to ensure that sensitive data are filtered out of files, systems to ensure that large volumes of data cannot be downloaded to disc, systems to encrypt personal information, systems to track important material when it is sent off the premises, and systems to make sure of a swift and appropriate response, rather than dither and delay, when something goes wrong. We have a term for when such systems do not work: we call it systemic failure. Responsibility for systemic failure lies not with junior staff, but at the very top. Two long months ago, the Chancellor said on the BBC that what people

“look to us to do is to deal with things that come up unexpectedly, and deal with that competently”.

They do indeed, and the Government have failed them. In the face of the overwhelming evidence of the systemic failure behind this disaster, the statement today can be described only as a wholly inadequate response from a wholly inadequate Chancellor.

First, I am grateful to the shadow Chancellor for taking the trouble to write to me to explain why he could not be here this afternoon; I quite understand his reasons. However, it is clear that his deputy had nothing in particular to say.

I asked Mr. Poynter to look into the facts and circumstances surrounding the loss of the data. He started doing so three weeks ago and, as he says, it is far too early for him to draw conclusions. As I have said on a number of occasions, we need to find out what happened and why, and to learn the lessons. When we have the final report next year, we can get the conclusions and implement them.

The hon. Member for Runnymede and Weybridge (Mr. Hammond) referred to paragraph 16 of Mr. Poynter’s report, but if he was going to quote it, he might as well have quoted it all. Mr. Poynter makes the point that he has seen the e-mail in question but that it does not “on its own” prove that the official took the decision referred to. In other words, further investigations need to take place.

The hon. Gentleman asked about the capability review, which was not held up, but was completed last week; I thought it appropriate to publish it today, alongside the interim report. The hon. Gentleman also asked a number of specific questions that are precisely the ones that I have asked Mr. Poynter to address. I suggest that we should get Mr. Poynter’s report and draw our conclusions after that.

When he appeared before the Treasury Committee, Dave Hartnett, the acting head of Revenue and Customs, left open the question whether there were systemic flaws. No doubt in the coming weeks we will question both him and the National Audit Office. The NAO is very much involved in the situation, as evidenced by its letter of 9 November to Revenue and Customs offering an apology.

As we take the issue forward, can the Chancellor give us reassurance that both on the Gershon efficiencies and on the reduction of staff numbers he will be sympathetic to Revenue and Customs, which is a young organisation that has brought two different departments with two different cultures together? Such sympathy and sensitivity from the Government is essential. Will the Chancellor give us that reassurance?

I agree with much of what my right hon. Friend has said. I certainly agree that, as I said in my statement, all of us should acknowledge the hard work and dedication of staff at Revenue and Customs. It is a major exercise to bring together two major departments. Perhaps I should remind the hon. Member for Runnymede and Weybridge (Mr. Hammond) that despite his complaint about Revenue and Customs, the Conservatives supported the bringing together of the organisations at the time, as did just about every other Member.

However, my right hon. Friend is right: in merging two organisations, issues clearly have to be tackled. We need to learn from the problems that may have arisen and put them right. Indeed, Dave Hartnett, the acting chairman, has already made announcements about changing the management system and that will provide for clearer accountabilities.

On the National Audit Office, I said in my original statement on 20 November that Sir John Bourn had rightly decided to mount his own inquiry and that there would be close co-operation between the NAO inquiry and that conducted by Kieran Poynter. It is absolutely essential that we learn all the lessons, which will include how the request for the information for audit came to be made in the first place, at what level it was made and how it was dealt with by HMRC. All those facts need to be determined by Mr. Poynter, but we do not yet have them.

May I thank the Chancellor for his courtesy in bringing us up to date? I hope that he appreciates the damage that has been done to public confidence by this episode, compounded by the events in Coventry and the report on the Driver and Vehicle Licensing Agency about which we shall hear shortly. If data and valuable information are consistently lost, stolen or abused, the public completely lose confidence in government in general at all levels. It is difficult to see how we can have confidence in the Government’s proceeding with much more ambitious initiatives not only the compulsory—identity card scheme, but the DNA database and the NHS spine.

The Chancellor exchanged comments with the Conservative spokesman on the specific issue of the distinction between systemic and procedural failure, with systemic failure being the responsibility of Ministers and procedural failure being that of officials. That is a subtle semantic distinction of which St. Thomas Aquinas would be proud, but surely the fundamental point is that good systems produce good procedures and bad systems produce bad procedures. In this episode, we have had bad systems and bad procedures.

I welcome what the Chancellor said about the ban on the transfer of data without encryption. That is clearly the way forward. Has he secured the full agreement of the IT companies to use outside encryption specialists to enable that work to proceed? More generally, has he now agreed that it would be completely inappropriate to try, as he has been doing, to block through the courts the publication of the gateway reviews on the way in which the IT companies manage their affairs in Government Departments?

In terms of the Chancellor’s comments about the integration of the work of the Poynter study and the wider 2006 study of Government Departments, what is the significance of the work that David Varney, the former head of the HMRC, is doing on so-called transformational government? Is not the purpose of the study to break down barriers in data transfer between Government Departments? Is there not a danger that if that proceeds without proper safeguards it will merely compound the danger of the kind of error that we have already experienced?

Finally, I want to ask two or three specific and narrow questions. The Government have been asked some parliamentary written questions, not least by my hon. Friend the Member for Falmouth and Camborne (Julia Goldsworthy), about whether there are protocols that govern data transfer within government. None of those questions has been answered, including those asked of the Chancellor’s own Department. Are we to infer from that that there are no protocols? Is that what that obfuscation is designed to achieve?

When the Government sent out their letter of apology, they sent out millions of letters containing large amounts of personal data that far exceeded what was necessary to communicate an apology to their recipients. Since, according to information from the Courts Service, it seems that 8 per cent. of all official letters go astray, have not the Government compounded the original disaster by putting out large amounts of personal data that will simply finish up in the wrong hands?

On the hon. Gentleman’s last point, I have some sympathy for what he says. I think that HMRC’s intention was to apologise to all those who receive child benefit, but I do not think that it was ever intended that that letter, too, would be accompanied by information that, as far as I can see, did not need to be sent. I agree with the wider point that the hon. Gentleman raised in that respect.

The Government, of necessity, hold a great deal of information on behalf of citizens of this country and we need to be careful to reconcile two things. First, we must maintain people’s privacy, by ensuring that we do not send out information that might fall into the hands of people who are not entitled to receive it and might cause difficulties for people’s security or general privacy. At the same time, as the hon. Gentleman rightly says, we must accept the fact that in health services, for example, there might be good reasons for different hospitals, GPs and others to be able to obtain information to provide a better service for patients. It suggests to me that in government, as well as in the private sector, we need to ensure that procedures are far tighter, that people are aware of them, and that they are properly enforced. The Poynter review, as well as other work that is being carried out, will achieve that.

Finally, if we are not answering parliamentary questions on these matters, I will look into that when I get back to the office and try to answer the hon. Gentleman as soon as I can.

May I welcome the Poynter report, particularly when it refers to committed people with honesty and integrity? I also thank the Chancellor for his comments about the dedicated and hard-working staff. Does he agree that, given all that has gone on in recent weeks at HMRC in Washington, the staff have shown great fortitude despite inaccurate attacks on their town and attacks on their ability to deliver child benefit—which has been massively increased by this Government—to millions of families? That benefit will be particularly welcome and important in the run-up to Christmas.

I agree with my hon. Friend. As I said in my statement—and as has been acknowledged in the capability review—there are many people working for HMRC who do a first-class job and who are dedicated to what they do. Many of them have worked for the service for many years. However, we owe it to them to ensure that we have the proper procedures in place so that they can do their job properly, in addition to meeting our principal objective of providing a first-class service to the public and ensuring that, when information is provided on a confidential basis, it remains confidential.

If the Chancellor is really arguing that seven serious breaches of security in the two and a half years since HMRC was founded do not constitute a systemic failure, how many does he think that it would take before the failures could be judged as systemic? Will he also confirm that there has now been an eighth breach of security, at the HMRC store at Coventry airport?

Yes, there was a breach of security at the weekend at an HMRC store. I say to the hon. Gentleman that I would prefer to draw my conclusions when I have the benefit of the facts established by Kieran Poynter. I appreciate, having listened to many Opposition Members, that the last thing that they want is the facts.

May I concur with my hon. Friend the Member for Houghton and Washington, East (Mr. Kemp)? Many of my constituents also work at the child benefit centre in Washington. Does my right hon. Friend the Chancellor agree that it is all very well to have procedures, but that they are useless unless people know about them? Would he care to comment on a story in The Guardian last week that clearly stated—possibly based on rumour—that many of the staff in the child benefit centre did not even know about the procedures that were already in place?

As I have said on many occasions, it is important to proceed on the basis of the facts to be established by Kieran Poynter, and then to draw our conclusions, rather than to proceed on the basis of what may or may not be in a newspaper.

Notwithstanding what Poynter may come up with, does the Chancellor recognise that, in years past, this event would have been seen as a serious problem or even a disaster? Right now, however, given the lack of public confidence in the banking system following Northern Rock and some of the huge write-downs that are likely to be announced over the next few months, does he not agree that the Government have a responsibility to make it clear to members of the public where the liability should lie, should any fraud take place? Will he tell us whether he believes that, in the case of fraud, liability should lie with the Government or with the banks?

I disagree with the right hon. Gentleman that the two issues can be conflated in the way that he suggests. The loss of data was caused primarily as a result of the two discs concerned being posted in an envelope that was not registered and that did not arrive at its destination. The present uncertainty in the financial markets arose from problems in the housing market in the United States. Yes, it has spread beyond that, but the two issues are not related.

My right hon. Friend is obviously responding correctly to a calamitous event for which he was not responsible. He is taking steps to find out exactly what happened, and to ensure that it does not happen again. May I ask him a question on a slightly wider point? The National Audit Office is concerned with matters of financial audit, but we do not have an equivalent body to deal with matters of administrative or performance audit. A proposal has been made by a former Cabinet Secretary that we need such a body. Do not recent events make the case for such a body even stronger?

I am grateful for what my hon. Friend said in the first part of his question. In relation to the second part, that is something that Kieran Poynter might suggest. I do not know; we shall have to wait for him to reach his conclusions. My hon. Friend makes the good point that if there are systems in place, we need to ensure that they work and that they are being operated on a daily basis. Ensuring that confidentiality is in with the bricks in any Government organisation—and, indeed, in any private sector organisation—is very important.

But some facts have emerged in recent weeks, have they not? We know now, for instance, that on 13 March the National Audit Office asked for the personal details to be stripped from the data. We know that it was a senior executive officer in HMRC who refused that request on cost grounds because of a contract with EDS—

Well, that is what I have been informed by the Comptroller and Auditor General, and we also know from that e-mail that that was copied to the senior process owner. Although we obviously have to await the final recommendations, some things are clear, so will the Chancellor now accept that there needs to be change at the very heart of HMRC, and that the privacy of taxpayers must be sacrosanct and cannot be compromised in any way because of a contract with EDS or cost-saving measures?

We do not know all those things, as I believe the hon. Gentleman well knows. The Poynter inquiry, and, indeed, the parallel inquiry of Sir John Bourn on behalf of the National Audit Office, were set up precisely because we need to find the facts before drawing our conclusions. I am not sure whether the hon. Gentleman has had an opportunity to view Mr. Poynter’s interim report, but it says that although the e-mail in respect of the first request in March was copied to the person responsible for the data:

“That email on its own does not prove that the official actually took the decision in relation to the manner in which HMRC should have responded to the request”.

What the hon. Gentleman said about that was quite wrong. In addition, I was not going to labour the point, but I should draw the House’s attention to the letter written by the second director at the National Audit Office to the same senior official in HMRC on 9 November, in which it is recognised that the way in which the request was communicated—let me put it this way—could have been better. An apology was given for what happened, but let us wait and establish the facts rather than rush to judgment, which the hon. Gentleman has been rather quick to do of late.

May I thank my right hon. Friend for keeping the House informed? Our constituents get sick and tired of being asked for the same information repeatedly by organisations—whether they be in the private or the public sector—particularly when they generally regard the Government as one undivided body, so will my right hon. Friend assure me that his Department will continue with the policy of “ask once, use many times”, while at the same time maintaining the highest standards of security and privacy for data?

I agree with my hon. Friend that people get fed up with being asked for the same information by what they perceive to be the same organisation. Perhaps that illustrates the point raised by the hon. Member for Twickenham (Dr. Cable)—that if information is to be transferred between Departments, we need to ensure that there are sufficient safeguards so that only the person who is supposed to get the information actually receives it. That is why the review set up by the Cabinet Secretary, Sir Gus O’Donnell, is important to ensure not so much that individual Departments have the right safeguards, but that if information is transferred, it is done in an appropriate way. We need to marry up the two requirements of ensuring confidentiality while also ensuring that when it is in the public interest and the interest of individuals for information to be shared between different organisations, that can happen on a proper footing.

After the data loss, the Government set up a helpline so that those affected could discuss their concerns. Will Mr. Poynter’s review be looking into the operation of that helpline to determine how many calls were made and also why the decision was made to use an 0845 number, particularly when it costs some mobile phone users 40p a minute to access it? Should those affected be paying through the nose to sort out the Government’s problem?

No, Mr. Poynter will not be looking into that. If the hon. Lady would care to table a parliamentary question on the number of people who contacted the hotline, I will certainly answer it. We were anxious to make sure that a helpline was available fairly quickly, which meant that all those things had to be organised in a matter of days and we did the best we could. It was quite heavily used on the first day or so, but I understand that usage tapered off after that. We tried to do our best to ensure that help was available, which meant that arrangements had to be made fairly quickly.

My 30 years’ experience in public sector IT suggests that a prerequisite for secure, stable and successful systems is close end-user involvement at the specification, design, development, testing and implementation stages. In the light of two decades of substantial contracting out of those processes to the private sector, does the Chancellor of the Exchequer expect that Kieran Poynter’s final report might question the logic of that continuing process, and urge that the Government try to restore the knowledge and ability within their own ranks so that they can once again be an intelligent client and not be allowed to be sold some duff systems that are utterly insecure in operational practice?

That is another case in which it would be best to get Mr. Poynter’s conclusions and findings and then decide how we are to proceed.

When we had the dreadful news about the mess-up over the loss of information, we were reassured that any financial losses, if they happened at all, would be monitored, and people were urged to be vigilant. May I ask what measures have been put in place to prevent inappropriate access to children whose data were included on the lost discs, in case people use that data to make contact inappropriately?

As I said in my statement, the banks are constantly monitoring the accounts, and the vast majority of child benefit payments are made through a fairly small number of banks. The banks have been able to check their records back to 18 October, when it is believed that the discs were posted, and have not found any evidence of irregular or unauthorised dealings. They will continue to do that, just as members of the public will be vigilant when they look at their bank statements. We have also been in touch with organisations representing children’s interests, and I have spoken to my right hon. Friend the Secretary of State for Children, Schools and Families to see what steps are appropriate. The hon. Lady raises an important point. We must put in place the right procedures and decide in due course whether, and to what extent, it is right to give any publicity to what we are doing in that regard.

I welcome the statement but I am not sure that the public will be reassured that their personal details are safe in Government hands, especially as there seems to be a new revelation of inept handling of data by Government Departments every week. Only last week, the Northern Ireland Assembly was informed that 7,000 vehicle owners in Northern Ireland had their details lost when data were sent unsecured through the post. Will the Chancellor assure me that the spot-checks to which he referred in his statement will extend to Government Departments under the control of devolved Administrations across the United Kingdom? In light of the weekly revelations, does he understand why people are increasingly concerned about the introduction of ID cards in the future?

I agree that it is important to put in place safeguards, not just for the United Kingdom Government but for the devolved Administrations, and Sir Gus O’Donnell’s report makes specific mention of that. I do not agree with the hon. Gentleman, however, about ID cards. As I said to the acting leader of the Liberal Democrats, the hon. Member for Twickenham, an increasing amount of information is held by Government Departments. In addition to that, those in the private sector, whether banks, supermarkets or organisations such as Google, have a remarkable amount of information and can build quite a detailed picture of what each and every one of us does. The point of ID cards is to ensure that that information is linked to the person who is supposed to get it. I see such a mechanism as a safeguard for me as an individual, because I can be far more confident that any information held about me, whether by the Government or the supermarket that I use, will only be released if I am happy for that to happen.

Many of us in the House who have experience of information technology will know that removing a column from a spreadsheet, or removing some data from even a large dataset, can take just a few seconds. Will the Chancellor tell us how much it would have cost to remove the sensitive data from the discs before they were sent?

As I said, the whole point of Kieran Poynter’s inquiry is to find out all this information, and that is what he is doing.

How long can it take Kieran Poynter to establish the answer to that simple question? Dave Hartnett, the HMRC’s acting chairman, said two weeks ago that that was one of the items that Kieran Poynter would consider. It would be a very simple matter to find out how much it would have cost to desensitise the data, which would have been easy to do and would have de-risked the whole operation.

I asked Kieran Poynter—with, I think, general support—to take a thorough look at what had happened, at the previous incidents, and at anything else that he considered relevant. Inevitably, coming to the House with an interim report that is only three weeks old leaves a number of entirely legitimate questions to be answered, and they will be answered in the final report. I told the House that I would come back when the interim report was ready, and that is why I have made my statement today, but, as Members well know, many of the questions that they are asking will be answered only when we have Kieran Poynter’s final report.

The Chancellor says that there is no evidence of attempts to commit fraud by means of the data. That may not be altogether surprising, given the immense publicity and increased awareness over the last couple of months, but do the data not give rise to the possibility of fraud for many years to come?

Has the Chancellor had any discussions with the banks about how long they will continue to monitor the affected accounts? Will he also tell us whether the data were sent out with a password or whether the password was sent separately?

I think that I said on 20 November, when I made my earlier statement, that the data were password-protected, but I also said that they needed to be encrypted in order to be protected more adequately. Monitoring will continue for the foreseeable future, but one of the things on which I want Kieran Poynter to advise us is what further steps we might take.

Since this problem occurred two months ago, millions of letters have been sent to families apologising for the fact that their details were given out, and thousands of hours of officials’ and police time have been spent on trying to resolve the problem. What, to date, is the total cost to the taxpayer of the clear-up operation?

It is not possible to answer that question at the moment. What I will say is that I think it entirely right that the police were called in, entirely right that HMRC has devoted considerable resources to trying recover the data, and entirely right that we should spend the appropriate amount of money in order to find out what happened and then put it right.

The whole House will be relieved to see that the Minister for the Cabinet Office is present, as he is responsible for information security. What discussions has the Chancellor had with the Minister? In particular, when did he brief him on the report that he received in February from Sir Edmund Burton, which said that there was a systemic problem affecting all Departments in relation to information security?

The Chancellor has confirmed that a theft took place from a secure HMRC store in Coventry. Will he now tell us exactly what went missing? Did it involve drugs, or guns? What action has been taken to recover the property? Is all this the result of a systems breakdown across the whole service, or of continued procedural lapses that are independent of one another?

As I said a few moments ago, I can confirm that various materials have gone missing from a warehouse. [Hon. Members: “What are they?”] The matter is being investigated by the police, and in view of that I do not think I should say anything further.