HMRC lifts lid on £200m programme to achieve data-protection compliance

Recently released information provides details of three-year project to minimise risk and improve use of data

Credit: Biljana Jovanovic/Pixabay

HM Revenue and Customs has revealed details of a £200m three-year project to address significant risks it is facing as a result of issues with data protection and ensure compliance with GDPR and other regulation.

The department’s Data Protection Remediation Programme (DPRP) was officially inaugurated – and added to the Government Major Projects Portfolio – on 1 April 2021, according to data sets recently released by the Infrastructure and Projects Authority. 

The scheme was launched in light of an independent review of HMRC’s data protection practices that took place in 2020 and identified “important issues that needed to be addressed”, according to the department’s most recent annual report.

The IPA data revealed that the scheme is scheduled to run until the end of March 2025, with £205m dedicated to its delivery.

Further detail of the DPRP has been released via a newly published letter detailing the appointment of Craig Ogilvie as the project’s senior responsible owner. Ogilvie, who is head of HMRC’s wider data transformation programme, is expected to devote 50% of his time to his duties as SRO of the remediation scheme. The letter is dated 13 July, but lists his appointment as being effective from 6 December last year.

Sent jointly by Jim Harra and Nick Smallwood, the respective chief executives of HMRC and the IPA, the message outlined that DPRP “exists to deliver remediation activity to address HMRC’s data protection risk, so that it can comply with its legal obligations under GDPR and the Data Protection Act”.


The missive said that data protection is considered by the department to be a “Tier 1 risk”. This echoes the FY22 annual report, in which data-protection was rated as ‘red’ on the department’s traffic-light risk system.

The letter added: “As a result of HMRC’s continuing state of non-compliance with data-protection laws, and a failure to take effective action and prioritise, there is a risk of enforcement action (including fines, significant interruption to critical business and national infrastructure and reputational damage), compensation claims and significant impacts on customer and staff rights to the protection of their personal data.”

The DPRP project will have a particular focus on addressing data-protection problems related to individuals’ rights.

The letter explained: “HMRC does not have appropriate methods and procedures in place to delete, suppress or otherwise stop processing personal data if required. HMRC does not have appropriate systems and procedures to change inaccurate information, add additional information to incomplete records or add a supplementary statement.”

In addition to fixing these issues, delivering the remediation programme is also intended to provide a range of benefits that will support the tax agency’s five stated strategic objectives – in particular the second and third of these: “make it easy to get tax right and hard to bend or break the rules; [and] maintain taxpayers’ consent through fair treatment and protect society from harm”.

“Work to bring compliance with [data-protection regulation] makes HMRC’s prosecution process more robust [and] improved data sharing assurance process enhances HMRC’s ability to identify wrongdoing,” the letter said. “[DPRP will be] protecting customer and colleague data by reducing the scope for harm and supporting harm prevention in relation to fraud or criminal activity. Taxpayers [are] more likely to consent and interact with HMRC if they trust us to protect their data.”

Personal objectives for Ogilvie will include ensuring compliance across the department’s highest-priority IT systems – which will include ensuring “an archiving [and] deletion capability, rights of access, purpose limitation, law enforcement compliance, and data security and data accuracy”.

Also part of the SRO’s core workload is a project to put in place measures that ensure a “GDPR-compliant consent [process] for agents and third parties”.

‘Considerable deletion of personal data’

The DPRP is one of three programmes being overseen by a new Data Transformation Directorate established by HMRC last year. It sits alongside the Securing Customer Data and Single Customer Records projects.

In the FY22 report, the department claimed that it has already made tangible progress on improving its data-protection culture and practices, including the commitment of additional resources “dedicated to the management and remediation of our data protection and security risks – which has significantly improved our risk posture”.

Other measures taken so far include “significant work to address data retention and data risk issues”, involving the “considerable deletion of personal data items”.

“[We have] continued to work with the ICO, reporting security incidents where required to do so, and actively collaborating with ICO questions relating to issues and the management of our responses to data subject requests and requests under the Freedom of Information Act,” the report added. “In these engagements we are being transparent about the risks we carry, working with the regulator to address their concerns and act on their recommendations. All our data protection compliance challenges are investigated and analysed so that we can understand and learn from them. Our organisational security maturity has continued to increase. We have measured this through our compliance with government security standards, and through assessment of improved governance, policies, processes and technology.

“We understand that we will only achieve full data protection compliance through sustained investment, and by promoting a culture of data protection.”

An HMRC spokesperson added: “Data security is a priority for us. We’ve been transparent with the ICO – and in previous annual reports – about our data compliance challenges and we are working hard to address these, with robust plans in place so we can deliver. We have invested heavily in our systems over the last few years. Our data protection performance is improving, and we will continue to work closely with the ICO to deliver the standard of service we are all committed to.” 


Sam Trendall
