LONDON (Thomson Financial) - The government will spend 155 million pounds on improving data security after a devastating report into the loss last year of personal details of 25 million child benefit claimants said the incident was 'entirely avoidable'.
The report by PricewaterhouseCoopers chairman Kieran Poynter was also scathing about weaknesses in the management structure of the Her Majesty's Revenue and Customs (HMRC) -- formed after the merger of the Inland Revenue and Customs and Excise.
Poynter lambasted HMRC's 'inadequate awareness, communication and training on data security', and said there was no clear chain of responsibility for sensitive data.
The government admitted last November that two compact discs sent to the National Audit Office (NAO) with the details of 25 million child benefit claimants had been mislaid, because they were sent via unregistered post by a junior staff member at HMRC.
Chancellor Alistair Darling was forced to come to parliament and reveal that the missing discs contained names, addresses, dates of birth, child benefit numbers, national insurance numbers and, 'where relevant', bank details.
The information was given to HMRC's post service provider TNT NV but was not 'recorded or registered'. It also emerged at the time that no alarm was raised for three weeks and a second set of discs was sent, registered, by the same junior staff.
Acting HMRC chairman Dave Hartnett today described the loss as 'the most serious incident in the department's history'.
Poynter's report found that 'there was no evidence whatsoever of misconduct or criminality' but the loss had still 'damaged HMRC's reputation' as the discs have still not been found, despite extensive searches by the police and the department.
He said existing data security policies at were too complicated and difficult for staff to navigate and that personnel had been inadequately trained.
Poynter added that there was a lack of certainty about who is accountable for data guardianship in the HMRC staff as a whole.
A separate report by the Independent Police Complaints Commission also discovered that during a previous exercise in sending information to the NAO another junior staff member had queried the wisdom of sending discs with full personal information through the post but was ignored, told to get on with the job and 'rebuked' for raising the issue.
IPCC Commissioner Gary Garland said no individual was responsible for the error, but added that the 'real problem is the woefully inadequate data protection handling and the muddle through ethos' within the department.
Cabinet Secretary Sir Gus O'Donnell also Wednesday released his review of information security within government, commissioned by the Prime Minister Gordon Brown after the HMRC fiasco.
O'Donnell said action has already been taken to encrypt around 20,000 laptops while 90,000 employees at HMRC are being given additional data security training and new, stricter, guidelines being put in place to ensure sensitive personal data is handled correctly.
He told a press conference he wanted to 'change the culture' within HMRC, starting with all civil servants dealing with personal data to undergo mandatory annual training.
'Government departments must be able to share the information they hold - there are countless benefits in doing so...but we can only do this good work if the public trust us to keep their personal information safe and secure,' he said.
However, he admitted that while he wanted to regain public trust in the government's ability to handle sensitive data, he could not guarantee that the same problem would not occur with the new national identification card scheme.