Given that this story is about computer discs, albeit missing ones which contained the personal details of 25 million people, it is surprising that it has remained on the news agenda for so long – nearly a whole week.
But look on BBC News Online now, and it’s not easy to find a mention of it. a href=”http://news.bbc.co.uk/1/hi/uk_politics/7111056.stm”[Link]</a>
The story had lingered because it was announced by the Government. Had it been an online exposÃ©, a documentary or a disclosure by a newspaper or magazine, it would have been quickly pushed down – or off – news running orders by the latest Government announcements.
It was Alistair Darling, the chancellor, who made the announcement about the missing CDs on 20 November. And he did so with political mastery. In The Guardian [Link], Simon Hoggart observed with characteristic insight that Darling’s tactic was to play up the seriousness of the incident to pre-empt opposition criticism of complacency.
Darling described the mistake as ‘massive and unforgivable”. But was it a mistake? It was in fact established poor practice that was exposed by two CDs going missing.
The lax approach to IT security was accepted internally, in part, because there is little external scrutiny and published reports on Government IT practices and projects. Now and then, there’s a report from the National Audit Office on a large IT-based project. Apart form that, there’s nobody looking over the shoulder of officials. So the incident of the missing CDs did not surprise me.
Given this lack of scrutiny, Alistair Darling’s statement was refreshingly informative. He mentioned that the copying of child benefit to two CDs in October was carried out at a junior level, which the media reported, but he was careful not to blame only one official.
In the fourth sentence of his speech to the Commons, he disclosed that the same thing had happened before, in March 2007 – the child benefit database was copied to discs and sent to the NAO. But Darling said so much of interest in his speech that nobody noticed that the March incident had established the practice of sending unencrypted CDs through the post to the NAO.
So, initially at least, much of the reporting had as its target the apparently aberrant junior official. The BBC said: ‘The Chancellor blamed mistakes by junior officials at Her Majesty’s Revenue and Customs, who he said had ignored security procedures when they sent information to the NAO for auditing.”
And a Sun exclusive [Link] , under the headline ‘Blamed clerk has doc help”, said the junior civil servant blamed for the data security scandal has had psychiatric counselling. The paper acknowledged in a separate story, however, that the practice of sending CDs through the post had gone on for some time.
HMRC’s spokespeople put their weight behind speculation that it was all the fault of the junior official. One HMRC official told The Guardian: ‘This individual should not have been involved. It was none of their business. They should have forwarded it [a request by the NAO for a download of child benefit data] on to someone else – another group of civil servants at a more senior level.”
Shift in coverage
But Computer Weekly [Link] reported in detail on 21 November that the downloading of sensitive information on to CDs would have carried on indefinitely had the discs not gone missing – a point we made on Newsnight – and the coverage began to focus less on the junior official and more on whether there had been systemic failures of IT security, and not only at HMRC.
Telegraph.co.uk rightly pointed out that the copying of the child benefit database was known to an assistant director at HMRC.
It established this from internal emails which had been exchanged between the NAO and HMRC. Perhaps to the surprise of Gordon Brown and Alistair Darling, the NAO released the emails. Fortunately, the NAO is answerable to Parliament and not to the Government.
Now that media interest has subsided, there’s a concern that, without pressure from continued coverage, nothing much will change.
A reader of my blog wrote to me saying: ‘This [the loss of child benefit data] is nothing less than a national disasterâ€¦ yet media coverage has disappeared. Is it Government media control, or just plain [lack of] interest?’
I believe we’d see a big change in the way Government is administered if there were regular, published, incisive reports on the workings of central departments, to supplement the one-off studies by the NAO.
Private sector boards of directors don’t like to make mistakes, because they worry about profits and their shareholders.
But Whitehall’s boards operate largely in secret and don’t even publish minutes of their meetings until months later, and even then they say little or nothing.
Made much more accountable by enforced openness, public sector boards would make sure that incidents like the missing CDs wouldn’t and couldn’t happen.