Wednesday, November 21, 2007

Systemic : The word of the day

This word has been popping up all day.

Alice Miles - The Times:

    "It might have been random, but it betrays a total and arrogant carelessness about the privacy of the individual. And it wasn't just one guy; it happens often. It was clear from Alistair Darling's statement to the Commons yesterday that there is systemic security failure at Her Majesty's Revenue & Customs."

David Cameron - PMQs a few hours later (Hansard):

    Mr. David Cameron (Witney) (Con): I join the Prime Minister in paying tribute to Captain John McDermid, who was killed in Afghanistan last Wednesday, and to the two service personnel who were killed when their RAF Puma helicopter was lost in Iraq last night. They all died serving our country.

    I also join the Prime Minister in congratulating the Queen and the Duke of Edinburgh on their diamond jubilee. They have had a remarkable life together, and a life of public service.

    Millions of people will today be worrying about the safety of their bank accounts and the security of their family details, but they will not just be worried; they will be angry that the Government have failed in their first duty—to protect the public. Does the Prime Minister think that the matter should be treated as an isolated incident, or does he believe that there is wider, systemic failure and a lack of leadership at Revenue and Customs?

    The Prime Minister: It is precisely because we have to check all procedures, not just in HMRC but in all departments, that I have asked the Cabinet Secretary to conduct a review. There is also the review that will be conducted by the chairman of PricewaterhouseCoopers into HMRC itself. I have to tell the right hon. Gentleman that there is no evidence of fraudulent activity taking place, and that this was a failure in implementing the proper procedures. It is important that he should know that the procedures that should have been followed are these: only authorised staff must be allowed access to protectively marked information; information must not be removed without appropriate authorisation; and encryption should be used whenever any information is being sent. Those were the procedures. They are in existence now, and they should have been operated.

    Mr. Cameron: It is all very well holding reviews, but the Government have had 10 years to sort out the department. I have to say to the Prime Minister that if a junior official in an organisation can access so much information and send it not once, not twice but three times, that is evidence of systemic failure. Last year there were more than 2,000 breaches of security at Revenue and Customs. In May this year, 8,000 families needing tax credits had their bank details revealed, and later in the year details of 15,000 taxpayers, including private pension information, were lost in the post. The Government said at the time:

    “We have…reviewed our arrangements and introduced safeguards to prevent this happening in future.”

    Clearly, that was completely wrong. Does the Prime Minister accept systemic failure in the department?

    The Prime Minister: What I accept is that the review must look at all the procedures that are adopted by HMRC, but it must also look at other Government Departments and agencies. In relation to the case that the right hon. Gentleman is quoting—that of Standard Life—yes, a review was done, and it proposed that there be changes in both encryption and audit. The problem was that the information that was lost was lost on October 18, and the procedures that should have been followed were not followed. Let me just tell him—[Interruption.]

    Mr. Speaker: Order.

    The Prime Minister: I think that the House should know that under the “Manual of Protective Security”, which all departments are obliged to follow, any data that are sensitive will attract a protective marking—“restricted/confidential”—and should be encrypted when in transit. There is absolutely no doubt that that is the procedure; it just was not followed, and that is what the investigation has got to look at.

    Mr. Cameron: But this has been going on for years. [Interruption.] Yes, let us look at what happened in September 2005, two years ago: Revenue and Customs lost vital data about savings from one of its clients, UBS. The data were stored on a CD-ROM and were not encrypted. The data went missing from a Revenue and Customs office, and what happened? Revenue and Customs claimed it was a one-off incident in a single office. That is what I call systemic failure—when procedures are not followed over and over again. HMRC was the Prime Minister’s department. He insisted that it paid child benefit, and he increased its scope. Clearly there is a problem with its security, its privacy, its culture and its leadership. Does the Prime Minister feel at all responsible for this?

    The Prime Minister: The Leader of the Opposition should know that his party supported the changes that we made to HMRC. The National Audit Office reported on the changes that we brought about and said the performance of HMRC had not been adversely affected. The adjudicator for HMRC said that the changes had not had any negative impact. I have to ask the right hon. Gentleman: what if we had followed his advice at the last general election? He proposed that we cut expenditure on HMRC. His report—the James review that he put into his manifesto—said that his party should cut £660,000 million by what they called the “Rationalisation of data processing”. It was he who recommended further cuts.

    Mr. Cameron rose—[Interruption.]

    Mr. Speaker: Order. The Leader of the Opposition.

    Mr. Cameron: I have to say that on a day when the Government have lost the details of 25 million people, to try and blame the Opposition is pathetic. What people want from their Prime Minister on a day like this is for him to stand up, show some broad shoulders, be the big man and take some responsibility. This morning his Chancellor, to give him credit, had the guts to admit that his confidence had been shaken. The Prime Minister was in charge of the Department for 10 years. By definition, that must have been when the systemic failure developed, so has his confidence been shaken?

Even John Hutton on Newsnight was letting the word into his vocab, perhaps a Freudian slip admitting the depth of the damage this has done.

And of course it's the charge that will do the political damage.

I find it amazing to hear ministers, like John Hutton, trying to reassure about ID cards and biometric security, when really they don't understand the technical issues involved at all.

Apparently there has been an attempt to use the format of the data on the CDs with their famous weak password encoding to suggest they wouldn't be of any use. That is just laughable - but of course the aim - as so often with this government - is to mislead, misdirect and spin. Change the agenda, make excuses, suggest other people are to blame, anything except to take responsibility and make good. This is their systemic failure and it is the most damning of all.

The trail is now leading to the misinformation originally given to the public by this Labour government. It wasn't just a junior official's failure - but authorised by a more senior member of HMRC to save money. NAO had requested key sensitive data was left out, but it was too much trouble and money to pay their contractors to do the job - so they took a risk with 25 million people's personal data instead.

Gordon Brown should consider that procedures and rules don't make an organisation effective. They are no defence for organisations that continually fail. The management has shown systemic failure. And the design of that management is very much the business of one Gordon Brown when he was chancellor of the exchequer.

They are, as I have often said, shameless, as if they had honour they would resign.
