Major programme seeks to ensure compliance with UK GDPR and other legislation
The chief executive of HM Revenue and Customs has signed off on plans for future work on a £200m project to improve data-protection across the department.
Details of HMRC’s Data Protection Remediation Programme (DPRP) were first released last year. The initiative, which forms part of government’s major projects portfolio and is due to complete by April 2025, is intended to address “HMRC’s continuing state of non-compliance with data-protection laws” by updating systems and amending practices.
In a newly published Accounting Officer’s Assessment – a requirement for all government major project – the department’s CEO Jim Harra rubber-stamped his conclusion that DPRP “is value for money and deliverable”.
In assessing the project’s value for money, programme leaders examined “available delivery options of varying scales… before completing a full economic appraisal of the shortlisted options”.
They concluded that “the most cost-effective delivery is to remediate an agreed number of prioritised systems and warehouses which carry the greatest risk and where remediation will provide the greatest contribution to ensure HMRC regulatory compliance… under GDPR and the Data Protection Act 2018,” according to Harra.
He added: “Delivery of the agreed option will reduce technical, reputational, and legal risk to a tolerable level by ensuring our systems remain supported, resilient, and reliable to enable HMRC’s executive committee to keep the risk position under active review and enable tolerance to be reviewed regularly via ExCom Data Committee [and] provide the basis on which any future remediation appetite can be considered beyond the current level of tolerance.”
Approval was also given to the project’s feasibility after assessors found that “the programme is being delivered via a dedicated team of experienced project and programme delivery specialists alongside a multi-functional team of business group colleagues to ensure the appropriate skills and knowledge are available to support delivery”, Harra wrote.
He added: “The sequential nature of delivery brings with it increased delivery confidence as each system or warehouse is remediated. Experience and lessons being learned are ensuring that any planning assumptions can be tested and revisited where necessary to ensure the delivery plan remains accurate. The programme’s approach has already seen the successful remediation of a significant number of the highest priority systems.”
A review conducted by the Infrastructure and Projects Authority in February 2022 awarded DPRP an Amber confidence rating on its traffic-light system. According to the HMRC leader’s accounting officer assessment, this review recognised “good evidence in the programme and portfolio leadership”, but also identified a “need to urgently agree future delivery plans and the potential shortage and compounding demands for subject matter experts”.
A further review by the IPA is scheduled for the coming weeks, as is an “HM Treasury approval point”.
DPRP was inaugurated in 2021, in light of an independent review of HMRC’s data-protection regime which took place the following year and found “ “important issues that needed to be addressed”, according to the department’s most recent annual report. The cost of delivering the project to conclusion is projected to be £205m.
An HMRC spokesperson said: “The work of the Data Protection Remediation Programme protects customer and colleagues’ personal data, reducing the scope for harm from fraud or criminal activity. It also helps customers get their tax right and harder to bend or break the rules. This ongoing work ensures customer data is safe. The accounting officer’s assessment concluded that the programme is value for money and deliverable.”