The collection of emails, letters and other documents - now published on their website - shows that the road to the data breach began in March when the NAO first requested data sets for an audit. It also confirms that cost concerns limited the ability to screen personal details from the data, shows that the discs were password protected, and suggests that senior managers did indeed have oversight.
In a November letter to the HMRC, Caroline Mawhood, the assistant auditor general, explained that the emails regarding the transfers of data in March and again in October were indeed sent by a junior HMRC manager, but said that the message was copied to the Process Owner for Child Benefit - a senior manager.
In March, two discs containing records were sent via internal post, arriving safely. But heavily-redacted emails, marked confidential, have shown that the junior manager sending the data was reluctant to do so in the filtered form requested by the NAO, because of a fear of charges from their data management firm, EDS.
In the first email, dated 13 March, a junior manager wrote: "I must stress we must make use of data we hold and not over-burden the business by asking them to run additional data scans/filters that may incur a cost to the department."
In a reply, the NAO official requests that address, bank and parent details be removed, not for security reasons but in order to make the file smaller. Throughout the emails, the use of CD discs to send the records is assumed.
The first set of discs arrived safely, and the NAO carried out its audit and returned the discs in April. Months later, however, the process was repeated with different results.
On 2 October, a NAO official again requested data sets, and noted: "Last time we had a 100 zipped files on 2 CDs. Please could you ensure that the CDs are delivered to NAO as safely as possible due to their content."
The next message, from the HMRC to the NAO, asked the recipient of the CDs to call when they had arrived, in order to receive the passwords for the discs. This confirms that the discs were indeed guarded by a password, and that, contrary to some concerns, the passwords were sent separately from the mailed discs.
In a briefing note created for the chancellor, the NAO said they contacted HMRC on 24 October saying the discs had not arrived and requesting a second set be sent. The second set arrived, but the first set was still missing.
Complicating matters, the NAO moved offices over three weekends on 3 November, as did the HMRC audit team.
The HMRC contacted the NAO on 8 November, prompting a search of the expected route of delivery and an email to staff asking if they'd seen the package. Several subsequent searches have happened, but the discs remain missing.
The NAO also released a document explaining that they had requested the data for auditing purposes. A Second Director, whose name has been redacted, said he or she should have better communicated with the HMRC about how the data was to be used, and how the NAO might better be able to "sample" the child benefit data.
The director added: "We do take seriously our data protection responsibilities and I recognise that the security incident that has arisen here has occurred solely as a result of a data request that we initiated; and I accept responsibility for that."