LONDON (12/06/2007) - It would have cost less than £50,000 (US$102,000) to strip confidential data from the records of 25 million people lost in transit between HM Revenue and Customs and the National Audit Office, HMRC's acting chair Dave Hartnett told MPs today.
Hartnett - acting up in place of Paul Gray, the former HMRC chair who resigned as the data loss scandal broke - made the admission to MPs on the Commons Treasury committee.
The acting HMRC chief also admitted that the child benefit data on the two CDs was the latest in a string of data security breaches, acknowledging that there had been seven breaches "of some significance" since the merger between Inland Revenue and HM Customs and Excise in April 2005.
The data held on the two CDs lost in Britain's biggest data security breach included bank details, NI numbers, and children's names, addresses and dates of birth.
Emails released by the National Audit Office last month confirmed that HMRC officials did not want to remove the sensitive information from the child benefit data sent to the NAO because this would cost extra.
Quizzed by the Treasury committee on the cost of desensitizing the information, Hartnett initially said: "I don't know the answer to that," noting that the "key issue is that the data should not have left our premises anyway".
But when pressed, he added: "I'd have thought it would be less than £50,000 but I haven't got the precise figure."
Hartnett later told the MPs that HMRC had subsequently established how easy it was to ensure data management contractor EDS stripped out the confidential details when it passed information to U.K. payments association Apacs as part of measures to protect bank accounts in the wake of the data loss scandal.
"When we needed to pass data to Apacs... we were able to segregate the data in the way you [the committee member] describe with our IT supplier -- and quickly -- and it is therefore a matter of huge regret that we did not do that before," he said.
In a statement that suggests HMRC believes the NAO is partly to blame for the data loss, Hartnett added: "But I think the important issue is that those who asked for and provided that data had stepped outside the procedures we had established."
Hartnett said he did not know how much the filtering of data for despatch to Apacs would have cost, but said no-one had alerted him that it was going to be a significant amount.