Emails released by the National Audit Office confirm that officials at HM Revenue and Customs did not want to remove sensitive information from child benefit data sent to the auditors because this would cost extra.
The revelation comes as the fallout from HMRC’s loss of 25 million people’s records continues to rock the government.
Chancellor Alistair Darling blamed the loss – Britain’s biggest data breach – on a junior official at HMRC who had posted unencrypted disks with information on child benefit claimants to the NAO.
But the emails, published by the NAO alongside its briefing for the chancellor, appear to bear out key accusations made by the Conservative Party – that cost was an issue and that a senior official at HMRC was aware that unfiltered data was likely to be sent.
Correspondence dated 22 November between the assistant auditor general Caroline Mawhood and acting HMRC chair Dave Hartnett shows both sides have agreed that a crucial email was sent on 13 March by “a junior HMRC manager” to the NAO, and that the email was copied to the Process Owner for Child Benefit – a much more senior HMRC official.
The two sides also agree there was “no evidence that the Process Owner for Child Benefit made the decision to release the data”.
The crucial emails discuss the dispatch of HMRC data to the NAO in March for an audit exercise on HMRC’s 2006-07 resource account, in which the information was safely received by the NAO. The lost disks were produced on a similar basis in October, in relation to the 2007-08 audit.
The exchange of emails on 13 March begins with a note at 08.20 from a sender at the Child Benefit office in Washington, Tyne and Wear, to an unnamed HMRC officer, attaching a data scan produced by HMRC’s data services contractor EDS. This was then passed on to a recipient at the NAO.
At 14.41, the NAO recipient responds, asking for the data to be segregated if possible into two files. The purpose of this is unclear in the released email documents, where details have been blanked out.
The released text includes queries raised by the NAO official, who writes: “I do not need address, bank or parent details in the download – are these removable to make the file smaller?”
But in an email sent at 15.23, the junior HMRC manager replies: “Your original request was for a 100% scan of the data, and fortunately a scan was complete earlier this year and we have shared this with you at no extra cost to the department.”
The HMRC official says the NAO should take up “issues with the data extracts” with other departmental civil servants.
The email then goes on to point to cost considerations. “I must stress we must make use of the data we hold and not over burden the business by asking them to run additional scans/filters that may incur a cost to the department,” it says.
Correspondence from October, also released by the NAO shows that the audit body asked for the data to be sent “as safely as possible due to their content” – but the second set of CDs did not arrive.