My Lords, I have a full House. With the leave of the House, I shall now repeat a Statement made in another place on the final report by Kieran Poynter, chairman of PricewaterhouseCoopers, into the loss of child benefit records at HM Revenue and Customs last year. The Statement is as follows:
“I should tell the House that the Independent Police Complaints Commission, which conducted its own investigation into the loss, is publishing its report today. The IPCC found no evidence of misconduct or criminality by any member of staff at HMRC. The Cabinet Secretary has also published today his wider cross-government work to improve data handling. The Poynter and IPCC reports are available in the Vote Office and the Library of the House. I am grateful to Kieran Poynter and his team and the IPCC for their extensive work. Both have provided a very full and detailed account of what happened.
“Improving information security is a challenge that every organisation is facing. In recent years, we have seen problems in both the public and private sectors as organisations struggle to keep pace with the development of technology in data storage and transfer. The public are entitled to expect government departments to ensure that their personal details are kept safe, and it is therefore essential that we do everything we can do to minimise the chances of this sort of loss happening again.
“I deliberately gave Mr Poynter wide-ranging terms of reference, not just because of the seriousness of this loss but also because, as I said in my Statement of 20 November, I was concerned about previous losses of data by HMRC. In my Statements to the House on 20 November and 17 December, I set out the circumstances surrounding the events that led to the loss of the child benefit data and the immediate action taken. My priorities then were to locate the missing disks and to ensure that adequate safeguards were in place to monitor bank and building society accounts of those who could have been affected.
“Despite extensive searches by HMRC and the police, the disks have not been found, but I can tell the House that I am advised that there is no evidence of any fraudulent activity as a result of the loss.
“HMRC took a series of immediate steps at that time, including a complete ban on the transfer of bulk data without adequate security protection, measures to prevent the downloading of data without the necessary safeguards, and the immediate disabling of the ability to download data from all desktop and laptop computers within the organisation.
“Mr Kieran Poynter’s report is in two parts. The first deals with the circumstances giving rise to the loss. The second part deals with his wider findings and recommendations. He examined in detail the circumstances surrounding the earlier transfer of data in March 2007, to which I referred in my Statements to the House. He found that in March, because the HMRC staff then involved were unaware of the relevant guidance, which in itself lacked clarity, they did not escalate the request to the appropriate level of seniority before releasing data to the NAO. As a result, no senior HMRC official was asked to permit the NAO to take the data off-site to conduct its analysis and no such official knew that this was envisaged.
“Mr Poynter has concluded that these events in March last year then created a precedent which allowed a similar transfer to take place in October without the appropriate level of authorisation or adequate consideration of the security risks of releasing such a large amount of personal information. He says that senior managers were unaware that the data had been moved from HMRC premises in March and October until the loss of data was subsequently reported to them.
“He concludes that the data loss incident arose following a sequence of communications failures between junior HMRC officials and between them and the National Audit Office. However, he finds that the loss was entirely avoidable and the fact that it could have happened points to serious institutional deficiencies at HMRC.
“First, information security simply was not the management priority it should have been. Secondly, management structures and governance were unnecessarily complex and did not establish clear lines of accountability. Moreover, he points to a lack of clarity in communications and the failure to involve senior HMRC staff as being contributing factors in both cases.
“Mr Poynter makes clear in his report that both these failings have now been addressed. He acknowledges the progress the department has made since last November. HMRC is a complex organisation, operating from some 900 sites and sending out more than 300 million items of mail a year.
“Against this background, Mr Poynter sets out the action that has been taken to make information security a priority. This includes the appointment of a chief risk officer, new, clearer security guidance and a wide-ranging programme of training to raise awareness of security issues among staff. He also sets out the action that has been taken to simplify management structures and governance. He acknowledges the new organisational structure as a positive step forward.
“Mr Poynter’s team has worked closely with HMRC and in particular those teams that process large volumes of personal data or provide corporate services such as IT. By providing detailed recommendations to the organisation as its work progressed, rather than leaving them to the final report, the review team has been able to support HMRC and help it make good progress in implementing its recommendations.
“However, Mr Poynter states that,
‘a great deal of work will be required to bring HMRC up to and to sustain the world-class standard for information security to which it now properly aspires’.
In all, he makes 45 recommendations, all of which have been accepted. HMRC has made good progress on 39 of the recommendations, including 13 which have been fully implemented. Work is continuing on the remaining recommendations.
“Mr Poynter also makes a number of recommendations in relation to the way in which HMRC operates and the fragmentation and complexity of its IT systems. The organisation is already addressing these issues and will be spending £155 million improving data security over the next three years. The 45 recommendations, when fully implemented, will reduce the risk of a serious breach in the future and make sure that HMRC achieves the highest standards of information security.
“Kieran Poynter states that the decision to merge the Inland Revenue and HM Customs and Excise was the right one, but he says that the management structure subsequently adopted was not suitable—exactly the same failing identified in the capability review carried out by an independent panel, overseen by the Cabinet Secretary and published last December.
“In acknowledging the significant changes the organisation has undergone, Mr Poynter judges that,
‘these changes individually and collectively represent good decisions which have created the platform from which to build a high-quality, efficient administration’.
In order to build from this platform, the management needs to continue to address the issues highlighted by Mr Poynter in his wider review and the capability review. In particular, HMRC’s security procedures must be improved to ensure information security is a management priority and, importantly, the management must raise staff morale.
“Mr Poynter acknowledges the new organisational structure put in place earlier this year as a crucial step and makes recommendations to develop it further. He concludes that his findings represent an opportunity to modernise work practices and systems, which will make the organisation more efficient as well as rebuilding its reputation for data security.
“I am grateful to Dave Hartnett, the acting chairman, who has overseen these improvements and led the organisation through a difficult time. Yesterday Mike Clasper, who has considerable business experience, was appointed as the new chair of HMRC. He and Dave Hartnett have made it clear that the implementation of the Poynter recommendations and, crucially, the importance of information security will be priorities.
“The Information Commissioner, who has been kept informed since the outset, has indicated that this review has investigated all the facts and issues with which he needs to be concerned; he fully supports all of Kieran Poynter’s recommendations. The Information Commissioner proposes to serve the appropriate enforcement notice on HMRC under the Data Protection Act.
“It is quite clear that the loss was entirely avoidable and, again, I apologise unreservedly to anyone who has been affected. HMRC employs tens of thousands of people, who work hard and who are dedicated to providing an excellent service to the public. The staff are entitled to expect clarity as to how they discharge their duties. The public are entitled to expect that their privacy is respected and that security of highly personalised information is the highest priority. It is essential that we now implement his recommendations. I commend this Statement to the House”.
My Lords, I thank the Minister for repeating the Statement made by the Chancellor in another place. We were beginning to think that the Government had forgotten about this. Last December, they assured us that Mr Poynter would issue his full report in the first half of this year. Well, he just about made it, with a couple of sitting days to spare.
Mr Poynter’s first review, published just before Christmas, was disappointing in its lack of hard facts, so we welcome this report. What is still a mystery is why it has taken so long. The Government want to introduce 42 days for the purposes of establishing evidence as to the facts in criminal cases, but they have allowed Mr Poynter to take eight months to establish the facts in this case. Doubtless that was convenient for a Government who hoped that this would disappear off the public radar screen.
Now that we have a definitive study on what happened in HMRC, we can address the critical issue of whether this failure was systemic, isolated or procedural. The distinction is important because Ministers take responsibility for systemic failures. The headings in Chapter IX of the Poynter review say it all: “Information security not a management priority”; “An unsuitable organisation design with muddled accountabilities”; “Fragmentation and complexity”; “Inadequate information security policies”; “Embracing the digital age”, which actually means not embracing it; and “Morale is low”.
This organisation has not had a long history contributing to a cumulative list of failings. It was created in 2005 by a decision of the current Prime Minister, when he was Chancellor. He chose to merge two adequate organisations and, in doing so, created one monster. He knew exactly what he was doing. He appointed a chairman from outside the public sector who spoke in management riddles and then set up an organisation that is described in the Poynter report as a,
“‘constructive friction’ matrix type organisation”.
Let no one believe that the Prime Minister just appointed an outside expert and left him to it. That is not the Prime Minister’s style. He would have known in detail what was being done to the organisation and approved of it. He might not have understood its disastrous consequences, but he must have known about it. Through a strategic job move, the Prime Minister may cleverly have escaped paying the price for the systemic failure that he helped to create and, certainly as Chancellor, oversaw. In another era, he would not have escaped. Ministers have resigned for much less in previous regimes.
The report makes distressing reading. The HMRC officials involved were spun as being junior officials but, in fact, they are the grades that form the backbone of the Civil Service. The report finds that they did not know, understand or follow laid-down procedures and did not prioritise data security. They were not trained and the policies were opaque.
Have any of the staff involved in the data loss been disciplined or dismissed? I note that several immunities were for some reason granted to some unspecified individuals. I am not asking for personal details; I am merely asking for the overall picture. If the report is right that those individuals were muddling through in an environment where doing the right thing happened more by luck than judgment, it might then be right that no action should be taken against the individuals.
The chairman of HMRC resigned last November, but he left on feather-bedded terms, so his departure does not really count. However, if no one else in HMRC has taken the blame and the Prime Minister has not accepted responsibility, absolutely no one is carrying the can. It simply cannot be right that the slate is wiped clean by this report.
We are being invited to accept that a contrite and reformed HMRC will not make the same mistakes again, but is the statutory framework robust enough? The Government fought off our amendments to the 2005 Act that created HMRC. Will they now undertake to review the statutory framework?
The problem is not confined to HMRC. Since the previous government Statement, we have had many more data losses, including secret terrorism papers left on a train. Even a Cabinet Minister cared so little for the rules that she took a laptop containing classified information to her constituency. The Government have forfeited the trust of the public in relation to data security.
Will the Government now call a halt to the identity card project? It should not proceed until there is complete assurance about citizens’ data. The national children’s database, which will contain sensitive information about some of the most vulnerable in our society, carries exactly the same dangers. So, too, does the NHS spine. If it eventually works, and if the Government compulsorily upload patient data from GPs, they will at a stroke expose the most intimate details about individuals to major security risks. All these projects should be put on hold until the public can be confident that they can be operated securely.
The Statement referred to something published today by the Cabinet Secretary on cross-government work to improve data handling. I checked the Cabinet Office website at lunchtime but could find no trace of this document. Since I have been unable to find out what the document says, will the Minister say whether that, too, contains further embarrassing confirmations that government departments cannot be trusted with citizens’ data?
I have one final question for the Minister. Appendix A of the report, which describes Mr Poynter’s terms of reference, states:
“I have agreed with HMRC and HMT that my review is focused on data loss and therefore excludes misuse of data—including any misuse of data held by HMRC by its staff”.
This extraordinary exclusion was not made plain when the terms of reference for the report were published last year and has not, I believe, been made plain in any other way. Can the Minister say why the Poynter review was constrained in this way? More important, who is looking at whether HMRC has misused data that it holds? Losing the data of 2.5 million people was bad enough, but the misuse of data belonging to a single individual would be even more reprehensible. Can the Minister assure us that this stone will not be left unturned?
My Lords, I, too, thank the Minister for repeating the Statement and for bringing the Poynter review to the House. The report is the most extraordinarily damning indictment of the management of HMRC that one could wish to read. I will repeat just the three principal criticisms. The Statement says that,
“information security was simply not the management priority it should have been … management structures and governance were unnecessarily complex and did not establish clear lines of accountability”,
and there was,
“a lack of clarity in communications and the failure to involve senior HMRC staff as being contributing factors”,
in all the cases that were looked at. The incident that spurred this inquiry was simply an accident waiting to happen. It is not just a question of technical management issues. It goes to the whole ethos of the way in which this huge department works and its attitudes towards individuals’ personal data.
When we were considering the Bill that merged the two departments, we received an extraordinary letter from the late Lord Callaghan. He described how, as a young boy, he joined the Inland Revenue. On his first day, he appeared before a large man, with a large beard, who made him swear an oath that he would secure, to the best of his abilities, all personal data that came into his possession. He was made to swear that it would not get into the public domain or into anyone’s hands, as indeed it should not. Yet one of the many damning statements in this document is that there is no mandatory induction briefing on data management for people entering HMRC; at least I assume that that is the case, as the report urges that such mandatory briefings should be given.
There has been a long period during which data protection and data management have slipped down the agenda in the two departments. This may have been exacerbated by their merger but I do not think that it was caused by it. We cannot simply blame the staff; Ministers must also take some of the blame. I cannot see anything in the report to suggest, for example, that Ministers experienced or expressed any concern, at any point, about attitudes towards data security and the methods of storing data and communicating them within HMRC.
If what Mr Poynter calls the “transformation”—it is a wonderful word in respect of these matters—takes place, he claims that the following benefits will ensue: improved efficiency; improved tax yield; better customer service; and a higher level of staff satisfaction. If this is the case, as seems plausible, why did no Minister or senior member of staff at HMRC seem to have any awareness of these pretty substantial and obvious benefits of managing data differently? If they were aware of them, why did they not do anything about them?
On the point made by the noble Baroness, Lady Noakes, has anybody taken personal responsibility for any of this mess whatever? Has anybody resigned or been disciplined? Or was the malaise so widespread that everybody—Ministers and civil servants—was equally to blame?
An interesting side issue discussed in the report is the way in which HMRC communicates to taxpayers. The report deals with the problem that HMRC has not really come to grips with the digital age. It points out that the volume of paper issued by HMRC is almost unbelievably large. It says, for example, that each business gets on average 68 mailings per year—as a small businessman, I can assure noble Lords that it certainly feels like that. Nearly all these mailings could easily be dealt with in an e-mail rather than on paper. The fact that HMRC is still thinking in terms of paper for communicating with individual taxpayers and businesses shows a cast of mind that has not moved on to take account of modern circumstances.
The report says, in respect of this, that legislation may be needed to allow HMRC to specify how customers exchange data with it. Although the Government have apparently accepted all the recommendations, for some reason this is not a recommendation; it does not appear in the table at the end of the report. Can the Minister say whether the Government agree that there would be benefits if HMRC started communicating with taxpayers in a modern way? Do they think that legislation as Mr Poynter suggested might be needed to enable them to specify that it does that? If so, can they give us an indication of when such legislation might be forthcoming?
This report deals entirely with HMRC, as does the Minister’s Statement. When we discussed this previously, in the immediate aftermath of the data loss, there was much discussion of what was happening elsewhere in government. From the report and the Statement, we are completely unclear on how far the lessons that Mr Poynter has drawn have been accepted across government, as opposed to just within HMRC, and what is being done about them. As the noble Baroness said, recent examples suggest that the attitude towards data in HMRC, which has clearly been most careless, extends across government and certainly to Ministers and their private offices. What actions will flow to try to ensure that the slack ethos around data, which is clearly evidenced across government, not just in HMRC, will now be tackled?
Finally, to end where the noble Baroness ended, will the Government now accept that the country has no faith in them to introduce large-scale new systems that involve individual citizens having data kept and transferred electronically by a Government whose track record in this area is so absolutely woeful?
My Lords, I thank noble Lords for their contributions. I shall try to deal with each of the questions raised. The noble Baroness asked why it took so long for the report to be finalised. I think that she acknowledged that it was delivered within the timeframe within which it was promised. It seems important, given the issues at stake here, that we had a thorough report rather than a rushed report that did not deal fully with all the issues. We make no apologies for that.
I guess that we had the inevitable political point-scoring about why Ministers have not taken responsibility for all of this, a matter that the noble Lord, Lord Newby, touched on as well. It is because HMRC is operationally independent of Ministers. It is established by statute and run by a chairman and commissioners, who are responsible for its operations but answerable to Parliament through the Chancellor of the Exchequer. Moreover, somebody did resign over it—the previous chairman, Paul Gray, the man at the top of the organisation.
The noble Baroness referred to the merged organisation as a “monster”. I remind her that the Poynter report made it clear that the merger was not a contributory factor to this; indeed, with other developments, it was seen as a good platform from which to build an efficient and effective operation. I might also just remind her that in 2000, when the merger took place, the opposition parties—including the noble Baroness herself, I understand—did not oppose the merger.
My Lords, throughout the consideration of the Bill we warned of the dangers that would come from merging these organisations. The danger may have come from a source that we did not imagine, but we knew that the Government were doing a very dangerous thing. I will not accept that we simply agreed with the proposal.
My Lords, I accept that issues around data security in the legislation were dealt with by opposition parties, but, at the end of the day, the noble Baroness did not oppose the merger of these two organisations.
The noble Baroness asked about the wider capability review around government and the Cabinet Office data-handling review. This has looked across government and the review was published today. I shall ensure that she and the noble Lord, Lord Newby, get a copy. One is available in the Library. The review was commissioned by the Prime Minister and sets out the wide range of actions that have already been put in place to improve data security. It outlines what will be done to strengthen policies further by building on existing momentum. The changes announced fall into four groups: core measures around mandatory minimum measures being put in place; a culture change; all civil servants dealing with personal data undergoing mandatory annual training; and stronger accountability and increased scrutiny.
The noble Baroness predictably referred to ID cards. The national identity register will be protected to the same level as some military databases. Only a very small number of officials managing the register will have full access to it. There is a much longer answer to that point, but this report should not be used as an opportunity to seek to undermine ID cards. She asked about the misuse of data. As I understand it, Kieran Poynter chose to exclude data misuse, which was not the cause of the data loss. HMRC has strong safeguards against wrongful use of its data enshrined in law and treats any misuse as gross misconduct. Nevertheless, the safeguards recommended by Mr Poynter will also strengthen this aspect of the department’s procedures.
The noble Lord, Lord Newby, asked about HMRC letters and whether more should not be sent by e-mail. Open internet e-mail is less secure than post sent through the Royal Mail. E-mail is not a secure form of communication and therefore not particularly suitable for sensitive information. He referred to the remarks of Lord Callaghan when he joined the Inland Revenue. Section 3 of the Commissioners for Revenue and Customs Act requires a formal signed declaration from all people joining HMRC. This has been in place from day one of the creation of HMRC on 18 April 2005.
The noble Baroness asked whether major IT projects introduced new security risks. Uploading data to new IT systems can make them more secure. We are discussing the inappropriate downloading or transmission of data.
The Cabinet Office report was put on to the website at 12.30 today and, as I said, is available in the House Library. Ed Miliband issued a Written Statement earlier, which can be made available to noble Lords.
I believe that I have dealt with the points that were raised but I emphasise that this is a serious matter. The report is effective. I emphasise that the Government have accepted all its recommendations and have made good progress in implementing some of them. The noble Baroness asked whether there had been misuse of data and whether individuals are to be prosecuted. The IPCC report made it clear that no criminal activity or misconduct had been identified that would generate disciplinary action.
My Lords, my noble friend is right: it is indeed a serious matter. One of the more moderate points made in the report was that HMRC is a complex organisation. That is putting it mildly. It is equally disturbing to read that it is going to take a lot longer to build a high-quality department.
We are in a different era of data protection management from when our late noble friend Lord Callaghan joined the Inland Revenue. Data protection would have been a problem whether the department had been merged or not. The report said that the merger was right. If it was right, what did we gain from it apart from the appalling management that it has been under? What was the benefit? Were there major staff savings? Has the Minister got any figures for staff savings, which would have been a substantial benefit? I am not aware of any. My own experience was a long time ago, when I was responsible for the Revenue and for Customs for five years. In those days, data were at a very different level, and paper was still used. Now the department has merged, and we cannot go back and de-merge it, although I would have preferred the two separate departments. The only thing that they seem to have in common is that they both collect revenue. I cannot for the moment see why and how the merger was decided on. It is not my noble friend’s fault and I am not blaming him, but I would like to know if he has any information that might help us: are we eventually going to get a high-quality merged department and, if so, when?
My Lords, on the question of whether the merger was right, as I said earlier, the Kieran Poynter report indicates that, together with other changes, it provides a good platform for building an efficient and effective organisation. I do not have available all the detailed thinking behind that merger, but some of it must be self-evident, as the noble Lord himself identified. The two departments were dealing with the same customers to a certain extent. There are overlapping issues around enforcement that might be dealt with more efficiently. It seems to me an entirely reasonable proposition. The merger was not identified by Kieran Poynter as the cause of this lack of focus on data security, but he clearly indicated that the merged organisation had serious institutional deficiencies that had to be corrected and are being corrected. In terms of savings, there has been a head-count reduction, but the report indicates that the head-count reduction was not a cause of data loss, although it identifies concerns about cost that may have driven some of the behaviours.
My Lords, will the noble Lord recognise that the Annunciator could scarcely have been less informative? It is not helpful to have a Statement simply entitled “HM Revenue and Customs”, when it covers an enormous range of subjects. If we are to have sensible reactions to Statements, we should have something a little more specific.
I do not think that any of us who have spoken to officials in the merged department could fail to understand the way in which morale has been adversely affected, when compared with the morale that existed in the two great departments of state with their historic traditions. My noble friend raised the question of who had been held accountable, and the noble Lord said that a senior official resigned. Was it clear at the time that the reason why he resigned was this sad series of events? Do we now have a new doctrine where the Minister concerned is accountable to the House but, if something goes wrong, he remains in office and the officials concerned resign? That seems different from the traditional way in which we have dealt with these matters.
It would seem from subsequent events that part of the problem is that officials and Ministers take home laptops and documents, and they are left around. Should there be a complete ban, except in the most rigorously controlled circumstances, on any such work being taken home?
My Lords, the noble Lord makes a fair point about how the Statement was described. I am not sure who undertakes the description, but it is a fair point.
The noble Lord touched on morale in the services. It is right that merging two big organisations that started off with distinct identities brings particular challenges that have not been met. The Poynter report makes that clear. That is one of the challenges in dealing with the recommendations. That touches on the same point as my noble friend made about the benefits of bringing all those departments together, which include efficiency in sharing back-office functions, effectiveness in joining up the collection of tax revenues and customer focus. We should not forget about the customers in all of this. There must be benefits from treating all customers’ tax affairs in one place.
The noble Lord asked about taking home laptops. This report was not occasioned by that point, but we need to make sure that people who have secure information on laptops and so on do not use them outside a secure area. That issue was picked up in the wider review undertaken by the Cabinet Office. I cannot do more than repeat what I said about responsibility: HMRC is operationally independent; it has a chair and the commissioners; and that is where responsibility properly lies.
My Lords, I had conduct of the merger of the two organisations in the other place. It was common ground between the two Opposition parties that we were extremely anxious that the Revenue culture should prevail, certainly on non-criminal matters. The Revenue culture was that security of personal information should have the highest priority. I look forward to hearing from the Minister what practical steps will be taken to restore that culture and ethos, which we all used to respect and have confidence in.
My Lords, the noble Lord is right in focusing on that point. As the report says, there were serious institutional deficiencies. A key one was that information security was not a management priority. There is the whole range of the report’s recommendations—45 in all—all of which the Government have accepted. That will enable us to address the issues, but that issue is fundamental. The report also makes the point that, even if information security had been a management priority, the management structure then in place would not have been particularly helpful in making sure that that policy was implemented. The whole range of measures that are detailed in the report—some of which are already under way—will enable the information security issue to be re-established, so that trust can be maintained and built in HMRC’s handling of personal and confidential data.
My Lords, may I crave the House’s indulgence in asking a question that may be blindingly naïve? I speak as one who is less than electronically literate. Is it possible that all or some of this information in this highly technological age could have been communicated electronically without the necessity of the physical conveyance over hundreds of miles of those lists?
My Lords, that is one of the points that the report draws out: downloading data, putting them on a disk and posting it carries risks. Being able to communicate electronically is part of increased data security.
My Lords, I declare a past interest: I was general secretary of the Inland Revenue Staff Federation, which sadly is no more. I was there for about 35 years. I apologise to the noble Lord on the Liberal Benches—I cannot recall his name—but I assure him that the old culture of the Revenue has gone and has been effectively destroyed over the past 20 years.
At the heart of the problem that these reports deal with are two matters. The first is in the Poynter report at page 63, and the noble Baroness, Lady Noakes, referred to it. I do not wish to put words in her mouth—if I do, I apologise—but there is no doubt that the present state of the Revenue is largely down to the significant importation of private sector culture. That has come in two ways: in the appointment of the chairman—I do not wish to be unkind to the new chairman, but his CV hardly bears up as a good example of what the report says should be done—and the appointment of board members of Revenue and Customs. The last time that I looked, only one or two of them actually had Revenue experience.
The second matter is mentioned on page 85 at recommendation 43:
“We recommend that HMRC, rather than being solely savings-driven in its business case, should also evaluate the opportunity to redeploy staff towards yield improving compliance activities—building the business case based on yield improvement rather than staff reduction”.
As all the recommendations of the report have been accepted, when and how will that be done? If my noble friend cannot answer that, will he keep the House informed of progress on this critical paragraph?
My Lords, I cannot give my noble friend any great detail on that. Each of the 45 recommendations is listed at the rear of the report, and we have ticked those that we have completed or are addressing and others where progress has been made. I am not sure where the recommendation he referred to sits in that configuration, but I will look at the matter in detail and report back to my noble friend and the House generally. Low morale is an important issue, and the Poynter report identified that as one of the contributory factors, as I said.
Perhaps I may take this opportunity to say something further about laptops, which a noble Lord asked about. One of the Cabinet Office recommendations is that all government laptops are to be encrypted if they handle sensitive personal data. Implementing that is well under way.
My Lords, the noble Lord said in the Statement that £155 million was to be spent over three years. Could he be more specific on how that money is to be spent?
My Lords, I will try. This comes from what the Poynter report describes as a three-stage process for change, based on 10 principles for information security. There are short-term changes to bring greater control through improving existing processes and investigating phasing out data transfer by physical media. In the medium term, there is consolidation through better processes and technology, including moving to e-mail for communications—a point made by a noble Lord earlier—and scanning post and records. The £155 million in the current spending round over three years is addressed largely to that. Kieran Poynter also recommends in the longer term transformation to a new IT-based operating model through a direction of travel that would involve an integrated data system for managing customer information and would place greater responsibility on the customer for maintaining their data. That part of it—the longer-term proposition—will need to be looked at in conjunction with the next comprehensive spending round. The £155 million is for spending over the next three years on the short- and medium-term recommendations made in the report.
I stress that, in the complexities of dealing with data—this issue arose within the department rather than from sharing data across departments—we should not lose the prize of improved public services and customer focus to be had from being able to share information effectively and securely across government. If we take our vision off that, we will not improve public services as we could. Although it is hugely important that we ensure that data security is at the heart of what we do, we should not let that stop us sharing information effectively across government the better to deliver public services.
My Lords, I declare an interest as chairman of a young IT company dealing in digital information assurance.
As one of the few Ministers who had the privilege of simultaneously being responsible for Customs and the Revenue, I echo the sentiments of my noble friend Lord Barnett. I was very unenthusiastic about the merger of those two bodies and am distressed to hear of the collapse of morale that has apparently taken place. When I was responsible for them in 1974-75, I thought that they were two of the finest departments with which I had the privilege to serve and that the officials with whom I worked were of the very highest calibre. It is overlooked that there is a basic conflict of interest between the two departments, particularly when it comes to handling intercompany pricing transactions, especially with respect to imports and exports.
Leaving that on one side, I have two questions for my noble friend. First, do the Government accept that their responsibilities relate not just to the custody of the data that they hold—making sure that it does not leak—but to the integrity of the data while it is in their custody, in other words, that it is not tampered with either maliciously or out of neglect? Secondly, can he assure us that he will come back to this House in no more than six months’ time to give us an update on the report?
My Lords, on the second question, I will certainly seek to do that. These matters are not wholly within my remit as a lowly DWP Minister—my noble friend will understand that. Data security is about not just custody but integrity and how the data can be effectively shared. My noble friend is absolutely right.
Although morale is an issue in HMRC—that was identified as key—we should not forget what real progress HMRC has made, the huge amount of talent in that department, the huge scale of its operations and the service that it provides to customers. Let us not forget that in all the challenges that the department faces.
My Lords, one fact in particular for me stands out from the Statement: the lost disks have yet to be located. None of us can know how much of a time bomb for the economy that may be, but does it not suggest that there is a strong case urgently to pursue the recommendation of the IPCC report? It states:
“Where breaches of security are discovered, HMRC should report these promptly so that any remedial or recovery action can be taken. This did not occur in this particular case”.
In other words, is there not now an extremely strong case for the Government to be subject to a breach notification order?
We have accepted all the IPCC recommendations. It is true that the less than timely reporting of that loss of data may not have helped. I stress that, despite the police investigation and extensive work by HMRC itself, that data has not been located. On the Data Protection Act and the data commission, we are expecting an enforcement notice to be placed on HMRC to require it to use its best endeavours to implement the full range of recommendations from the Poynter report.