Blame organisational failure not junior staff over lost HMRC records

The human element is often the weakest link in data management yet education remains a low priority. The loss of 25 million records by the HMRC should be the wake-up call for everyone – both public and private sector – responsible for data security.


During the past few months there has been a litany of reports involving the loss of personal information that is highly valuable to criminal organisations.

The Information Commissioner has highlighted these breaches in numerous reports. Do data holders think they can simply ignore him or do they just not understand what good practice really is?

It is naïve to blame junior officials for the HM Revenue and Customs (HMRC) data leak, rather than organisational failure. When it comes to data management, the human element is often the weakest link, while education is usually a low priority. An assumption prevails that people will do the 'right thing'. This is a dangerous approach. You have to ask what training did the 'junior staff' receive that would enable them to recognise the dangers of their actions?

Often organisations have information security policies that concentrate on the infrastructure that holds the data, but ignore securing the data itself. The IT security policy sits in the shiny folder on the shelf and gives them a warm and comfortable feeling. Unless the policy is taken off the shelf occasionally for testing and review, then the folder is only providing a false sense of security.

Even if the HMRC has good security practices, you have to question when the policies were last tested.

For everyone’s sake, this incident must be the wake-up call for those with responsibility for the security of personal information, whether in the public or private sector.

The fact it has taken over a month since the incident for the government to tell the public, banks and police, suggests that the incident response procedures were also not effective. Incident response plans are an integral part of information security best practice and should kick in immediately after an incident occurs.

The government has been lucky on this occasion in that it is possible that the discs have not fallen into the hands of a criminal organisation. If they had, the time between the incident and the response would have given them ample opportunity to maximise their potential gains and cause pre-Christmas misery for thousands.

"Recommended For You"

Ministry of Defence admits 600,000 records go AWOL Gartner: UK banks could be forced to close accounts after HMRC data loss scandal