25 million exposed to identity fraud – an easy mistake to make?
The episode of HM Revenue and Customs losing data points to deeper problems of how we as a society value and thus secure information
22 November - The loss in the post of two unencrypted CDs containing sensitive personal data of 25 million Britons by HM Revenue and Customs (HMRC) has sparked a major debate on information assurance. However, this debate is long overdue and it is regrettable that it has taken a mistake of this proportion to bring this issue to the fore.
Emphasis is, quite rightly, currently being placed on damage limitation and ensuring the same mistake does not happen again. However, this problem runs much deeper than making sure procedures are followed. The fundamental problem is that there is no common agreement on the value of the information we hold on one another. Until we have such a common agreement then mistakes such as this will continue to occur.
We instinctively protect things that are of value to us. Conversely we are more prone to take risks when the consequences of failure are low. However, information, unlike gold bars or hard currency, is worth different things to different people.
The poor hapless individual who burnt the entire child benefit database onto two compact discs and then popped them into the post to the National Audit Office (NAO) is probably only now beginning to understand that what he thought was worthless was in fact very valuable – but to someone else and for different reasons. We can all point the finger of blame and claim, with hindsight, we would not take such risks ourselves. But if we do not have a culture that values information uniformly then how can we expect people to calculate correctly the risks they take with it?
HM Revenue and Customs is responsible for collecting the bulk of tax revenue, as well as paying tax credits and child benefits, and strengthening the UK's frontiers. A colossal amount of money passes through HMRC for a whole variety of reasons every year and child support payments account for a relatively small proportion of that total. This means, purely in business terms, the data and the database have relatively low intrinsic value to the HMRC. This value is diminished still further as the onus is on the parent to work out what they are entitled to and then provide information to allow HMRC to distribute the funds. HMRC are not tasked with ensuring that every parent receives benefit – but simply to make sure that all those that claim get what they are entitled to. The personal information is required to ascertain entitlement and enable the logistics of payment. HMRC therefore feels no ownership of the information and receives no direct benefit from the personal information held on the child benefit database.
Likewise the NAO receives no direct benefit from the personal data contained in the database. Their job is to check that public good services that are provided to citizens by the State are done so in a fair and efficient manner. They wanted a small proportion of what was contained on the discs in order to audit the HMRC against one of their agreed targets. However, just as child benefit is a small proportion of what the HMRC does, auditing the HMRC against their performance of child benefit payments is also a small part of what the NAO does.
Therefore from the perspective of the HMRC and the NAO, the communication method used for low value correspondence could seem entirely appropriate. We do not know why the official chose to download the entire database rather than extract the desired data but it may be that it was technically easier to do so. If the extra information seemed of no additional value than that requested to both sender and receiver then it would not be unreasonable to assume that the same communication method would be appropriate.
However, viewed from the perspective of a parent, a child or an identity fraudster the data is very valuable indeed.
This whole episode leaves wider questions that could well encompass other issues, such as the debate on whether we introduce ID cards. If the importance of how we value information is not appreciated now, it will certainly emerge profoundly when this subject comes to the fore.
As information becomes an integral part of modern life we need to be able to value it – and that means understanding what it means to one another. There are a plethora of information assurance initiatives and an equal number of expert opinions but each seem to be driven by a different set of values of the information.
The public sector faces a dilemma where it is driven by the need to secure information for national security and data protection reasons on the one hand, while on the other, maintain a free flow of information for the efficient functioning of public services.
Private sector business tends to take the middle ground driven by anti-fraud, liability and customer relationship management. And the citizen level is patchy due to the absence of leadership and standards in this area.
Until we reach a common understanding of the value of information and implement proportionate assurance methods then each one of us should think long and hard before hitting the send button on an email or dispatching information through the post. A properly constructed public debate on this issue is long overdue. What may seem worthless and innocuous to us may be very valuable in the wrong hands – and we are just not equipped with the right tools to make that judgement.
Dr Sandra Bell
Senior Research Fellow
The views expressed above are the author's own, and do not necessarily reflect those of RUSI.