HMRC chief signs off on £200m plan to address areas of ‘greatest risk’ to data protection

Written by Sam Trendall on 28 March 2023 in News

Major programme seeks to ensure compliance with UK GDPR and other legislation 

The chief executive of HM Revenue and Customs has signed off on plans for future work on a £200m project to improve data-protection across the department.

Details of HMRC’s Data Protection Remediation Programme (DPRP) were first released last year. The initiative, which forms part of government’s major projects portfolio and is due to complete by April 2025, is intended to address “HMRC's continuing state of non-compliance with data-protection laws” by updating systems and amending practices.

In a newly published Accounting Officer’s Assessment – a requirement for all government major projects – the department’s CEO Jim Harra rubber-stamped his conclusion that DPRP “is value for money and deliverable”.

In assessing the project’s value for money, programme leaders examined “available delivery options of varying scales… before completing a full economic appraisal of the shortlisted options”.

They concluded that “the most cost-effective delivery is to remediate an agreed number of prioritised systems and warehouses which carry the greatest risk and where remediation will provide the greatest contribution to ensure HMRC regulatory compliance… under GDPR and the Data Protection Act 2018,” according to Harra.

He added: “Delivery of the agreed option will reduce technical, reputational, and legal risk to a tolerable level by ensuring our systems remain supported, resilient, and reliable to enable HMRC’s executive committee to keep the risk position under active review and enable tolerance to be reviewed regularly via ExCom Data Committee [and] provide the basis on which any future remediation appetite can be considered beyond the current level of tolerance.”

Approval was also given to the project’s feasibility after assessors found that “the programme is being delivered via a dedicated team of experienced project and programme delivery specialists alongside a multi-functional team of business group colleagues to ensure the appropriate skills and knowledge are available to support delivery”, Harra wrote.

He added: “The sequential nature of delivery brings with it increased delivery confidence as each system or warehouse is remediated. Experience and lessons being learned are ensuring that any planning assumptions can be tested and revisited where necessary to ensure the delivery plan remains accurate. The programme’s approach has already seen the successful remediation of a significant number of the highest priority systems.”

A review conducted by the Infrastructure and Projects Authority in February 2022 awarded DPRP an Amber confidence rating on its traffic-light system. According to the HMRC leader’s accounting officer assessment, this review recognised “good evidence in the programme and portfolio leadership”, but also identified a “need to urgently agree future delivery plans and the potential shortage and compounding demands for subject matter experts”.

A further review by the IPA is scheduled for the coming weeks, as is an “HM Treasury approval point”.

DPRP was inaugurated in 2021, in light of an independent review of HMRC’s data-protection regime which took place the following year and found “important issues that needed to be addressed”, according to the department’s most recent annual report. The cost of delivering the project to conclusion is projected to be £205m.

An HMRC spokesperson said: “The work of the Data Protection Remediation Programme protects customer and colleagues’ personal data, reducing the scope for harm from fraud or criminal activity. It also helps customers get their tax right and harder to bend or break the rules. This ongoing work ensures customer data is safe. The accounting officer’s assessment concluded that the programme is value for money and deliverable.”


About the author

Sam Trendall is editor of PublicTechnology.
