Investigating the Home Office’s criminal records blunder can improve government accountability

The Home Office’s deletion of important criminal records should not have happened. An investigation by a former police officer ought to be used to strengthen accountability in government, says Alex Thomas

When the government needs someone to investigate a serious incident like the Home Office’s recent loss of criminal records, it helps to have an ex-Commissioner of the Metropolitan Police on call. The home secretary has asked Lord Hogan-Howe, head of the Met from 2011-2017, and last year appointed a Cabinet Office non-executive director, to find out what went wrong.

Over the weekend of 9 and 10 January up to 400,000 criminal records were deleted in error during a routine IT exercise. Coding that had been introduced last November caused records which should have been retained to be deleted. This means that the police will not be able to access these fingerprint, DNA and other records to identify and pursue suspects.

Matthew Rycroft, the permanent secretary of the Home Office, told the Public Accounts Committee that 99% of the deleted records are over 10 years old, that the police could access other data sources and that he is “confident that the data is all recoverable”. But he acknowledges that until the data has been fully recovered the mistake means there is a “minimal risk” to the public. By any standards this is a major error, and Hogan-Howe will need to look in detail at what went wrong and who should properly be held accountable for a mistake which will erode public trust in the government’s ability to hold and manage data.

The home secretary was right to order a proper investigation into the data loss

There are echoes of 2007, when the then-government was destabilised by the loss of two HM Revenue and Customs computer discs containing details of the 25 million families who claimed child benefit. The scandal dominated the media for weeks, the chair of HMRC resigned and the civil service put in place new safeguards for handling data. Those safeguards seem to have failed in this case, but their existence should help provide clarity on what went wrong at the Home Office.

But the case also provides a useful illustration of why accountability in government is not straightforward. In constitutional and parliamentary terms, the home secretary, currently Priti Patel, is responsible for everything that goes on in her department. She is also the elected official in line to be blamed by the public when things go wrong. But ministers should be able to rely on top civil servants to run their departments well. When a specific mistake like this happens, a proper investigation needs to look at the actions of officials at different levels before it is time to call for a ministerial or permanent secretary resignation.

Named individuals have specific responsibilities for ensuring records are held securely

So what went wrong at the Home Office? The first thing Hogan-Howe needs to do – before anyone decides what the consequences of the error should be – is to work out who had which responsibilities for keeping the data secure. He can then look at what part of the system failed, before ministers and the permanent secretary work out what should happen as a result.

In this case the responsibilities might be quite clear. At each level individuals should have assigned roles. The working level specialist who introduced the code and carried out the data cleanse is responsible for having the skills to do his or her job and alerting managers if they need more training or support. He or she must also understand basic information management good practice – every civil servant is required to undergo an annual refresher course on keeping data secure. The specialist’s manager, in turn, is responsible for team performance and ensuring those they manage have the right skills.

But the level of seniority matters, and senior civil servants are expected to take on more responsibilities than those they lead. Above these working level staff should sit an “Information Asset Owner”. That person is the civil servant responsible for understanding what information is held, what is added and removed, how it is moved and who has access to it. Part of the job is to give written annual assurance about data security for auditing purposes.

That assurance is given to the Home Office’s “Senior Information Risk Owner”, the member of the executive team or board who has overall responsibility for the department’s information management and risk policy. Their job is to make sure that Information Asset Owners are performing properly, to set policy on information management for the department and to provide assurance to the permanent secretary that the proper procedures are in place. They need to follow cross-government standards and promote best practice as set by the Cabinet Office.

At the top of the civil service hierarchy the permanent secretary is responsible for appointing the Senior Information Risk Owner, and ultimately for the performance of the department and its information management. If these jobs are not properly filled or there is a sloppy culture around information management then he should also be held responsible.

The home secretary or relevant minister is responsible for the political leadership of the department, for taking policy decisions about the use of the data and the response to the incident, for explaining to Parliament what happened and for setting out publicly the Home Office’s response plans.

The investigation needs to show whether accountability sits with politicians or civil servants

This sort of structure can sound bureaucratic, but clarity about these different responsibilities is the most important way to ensure proper accountability, to avoid errors, to work out what went wrong and then to decide what the consequences should be. Accountability often flows upwards. But the buck should stop with those whose job was to prevent something like this happening.

If Hogan-Howe finds that the expert or their immediate managers acted recklessly or irresponsibly then that is where accountability sits. If working level civil servants or contractors were being asked to operate in an environment where data was not treated securely, there was a culture of lax observance of rules, where systems were not up to scratch or where they were being asked to operate beyond their skill set and concerns had been ignored or minimised, then the Information Asset Owner should be held accountable.

If the investigation finds that there was a systemic problem in the department, with multiple failings and inadequate information management policies, then the Senior Information Risk Owner should be held accountable. If there was a lack of resourcing, a fundamentally insecure approach to data across the department, if roles were left unfilled or ministers were misled then it is the permanent secretary who needs to carry the can.

And if information was provided and highlighted to the home secretary or ministers, if they insisted on the implementation of policies without regard to the data risks or the culture those policies might create, if they refused to take action to correct the data loss, or misled Parliament or the public, it is then that politicians should be held accountable. And if a media and public furore becomes too intense, or lasts too long, then there is always a chance that the prime minister might decide that political reality means sacrificing a member of his team.

The rest of government can learn from the Home Office’s mistakes

Hogan-Howe has the advantage of investigating roles and accountabilities which were – or should have been – clear and well established since the 2007 HMRC discs incident. This is rare. In other areas of government, like policy advice given by civil servants to ministers, or programmes of work where senior officials move in and out of leadership jobs rapidly, accountabilities are often less well defined.

The investigation into this error should show whether the 2007 data handling reforms worked, as well as whether the roles established are clear enough to identify who should be held responsible for the mistake. There should also be useful lessons to learn about strengthening accountability for the advice given and implementation of government programmes more widely.

The government recently announced the creation of a new Central Digital and Data Office to be a “strategic centre” for data – presumably including standards for data security. Its new executive director, Joanna Davinson, joins from the Home Office, where she is currently the head of digital, data and technology. This, it would be hoped, means she has an opportunity to help the whole of government learn from the Home Office’s mistake. 
