Further to our previous posting, "National Audit Office reveals some emails about the HMRC data security and privacy scandal - but the NAO is not totally blameless", which set out our worries about the National Audit Office's lack of "best practice" secure data handling:
It is, presumably deliberately, not clear from the censored NAO letter of 9th November exactly which copies or extracts of the 25 million records are being described as having been analysed by the private firm of financial auditors KPMG:
"I also confirm that I have asked KPMG to provide me with assurances that they have deleted or erased the data that they analysed as part of our 2006-2007 Resource Accounts audit; and that we have similar procedures in place to ensure that we delete the 2007-2008 data that we have received. I will let you have a copy of this confirmation once I have received it."
The words "deleted or erased the data" do not sound like they apply to the Read-Only CDs, which cannot be simply "erased" - they need to be physically destroyed, which cannot have been done, since the CDs were returned to HMRC on April 16.
Charitably, the words may apply to further digital copies of the data which were selected, imported into other computer systems and analysed, i.e. only a small subset of the 25 million records.
What about the vast majority of the data, which was not analysed? What happened to that?
Worryingly, the report in The Guardian on this part of the story claims that:
"In a further letter, sent by an unidentified senior official in the NAO to Revenue & Customs, it emerged that the audit office had passed on all 25m names to the auditors KPMG. The NAO said last night this had been delivered by hand and it had asked for the information to be deleted."
Does this mean that there were actually 3 sets of physical transfers of the 25 million records, as unencrypted CDs, by the National Audit Office back in March / April, e.g.
1) Delivery of the HMRC March CDs by NAO, "by hand", to KPMG
2) Return (method undivulged) from KPMG back to NAO
3) Return (method undivulged) of the CDs back to HMRC on April 16th
Surely the NAO did not need to hand over the entire 25 million record Child Benefit Award database files on CDROM to KPMG back in March? Why could they not just select the 1500 records that they intended to audit?
Did NAO or KPMG staff make further copies of the CDs, or load them onto the hard disk of a portable laptop computer or onto high capacity USB flash memory media etc. to transfer to KPMG?
Were any of these copies strongly encrypted?
Even if there was only one single Child Benefit Award database record being transferred between HMRC and NAO and KPMG, rather than 25 million of them, then we expect that personal sensitive data to have been protected by strong encryption.