(2) what estimate he has made of the number of people whose personal data was inappropriately disclosed by HM Revenue and Customs in 2008-09;
(3) what progress HM Revenue and Customs has made towards meeting its target on the timeliness of reporting of data security incidents;
(4) what progress HM Revenue and Customs has made towards meeting its target on the reduction of data security incidents;
(5) what definition of a data security incident HM Revenue and Customs uses in relation to its departmental objective to reduce the number of such incidents by 2012;
HM Revenue and Customs (HMRC) is committed to protecting the sensitive information it has access to. To drive performance in this area, HMRC has targets:
to drive towards zero the number of data security incidents reportable to the Information Commissioner,
reduce the volume of customer data lost, and
for staff to report incidents promptly.
HMRC defines a data security incident as:
loss or theft of paper, letters and files containing ‘personal data’;
loss, theft or insecure disposal of portable equipment and media that carries ‘personal data’; and
unauthorised disclosure of customer information.
The Department's planned actions to achieve these targets are set out in its annual business plan. The Department's performance against these objectives is set out in its annual reports and resource accounts. These are available at:
It is not possible to provide accurate data regarding the total number of people whose personal data was put at risk or inappropriately disclosed during 2008-09.