Corporate report

Data Protection Remediation Programme Accounting Officer Assessment summary

Published 20 March 2023

Accounting Officer Assessment

It is normal practice for Accounting Officers to scrutinise significant policy proposals or plans of major projects, and then assess whether they measure up to the standards set out in Managing Public Money. From April 2017, the government has committed to make a summary of the key points from these assessments available to Parliament when an accounting officer has agreed an assessment of projects within the Government’s Major Projects Portfolio.

Background and context

The Data Protection Remediation Programme (DPRP) partners with information assets, process, and system owners to deliver remediation activity to ensure HMRC regulatory compliance with its legal obligations under General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).

This activity will ensure HMRC remains a trusted tax authority where customer data is safe and used only in accordance with the guidance and legislation set out.

Regularity

No regulatory changes are required to enact this programme. The programme focus is to deliver remediation activity to address HMRC’s Data Protection risk to ensure HMRC can comply with its legal obligations under GDPR and the Data Protection Act 2018 (DPA 2018).

The Information Commissioner’s Office (ICO), as the UK’s independent authority set up to uphold information rights in the public interest can take enforcement action against HMRC for failing to demonstrate compliance within the parameters of UK GDPR.

Propriety

The programme adheres to the HM Treasury’s Managing Public Money guidance and the HMRC change lifecycle governance. It undertakes the appropriate assessments and reporting. Clear governance processes have been established for effective programme management.

A programme board, chaired by a suitably experienced and empowered Senior Responsible Officer (SRO), is established as the main decision-making authority and key internal and external stakeholder representation is in place. In addition to the programme board, the programme also reports into and be guided by the ExCom Data Committee (EDC) (chaired by HMRC’s Deputy Chief Executive) which ensures senior leader engagement and suitably strategic decision making.

The programme joined Government Major Projects and Programmes (GMPP) in Quarter 4 reporting for 2021 to 2022. As part of GMPP the programme will report quarterly to the Infrastructure and Projects Authority (IPA) on progress. An assessment of the Programme’s progress has been published within the IPA’s Annual Report and the HMRC Annual GMPP Transparency Publication on 20 July 2022.

A HM Treasury Approval Point is scheduled for March 2023.

Remediating HMRC systems will protect customer and staff data by reducing the scope for harm and supporting harm prevention in relation to fraud or criminal activity.

Value for money

The Programme has undertaken an appraisal of the available delivery options of varying scales as set out in HM Treasury’s Green Book methodology before completing a full economic appraisal of the shortlisted options.

The most cost-effective delivery is to remediate an agreed number of prioritised systems and warehouses which carry the greatest risk and where remediation will provide the greatest contribution to ensure HMRC regulatory compliance linked to its legal obligations under GDPR and the Data Protection Act 2018 (DPA 2018).

Delivery of the agreed option will reduce technical, reputational, and legal risk to a tolerable level by ensuring our systems remain supported, resilient, and reliable to:

• enable ExCom (HMRC’s Executive Committee) to keep the risk position under active review and enable tolerance to be reviewed regularly via ExCom Data Committee
• provide the basis on which any future remediation appetite can be considered beyond the current level of tolerance

Feasibility

The programme is being delivered via a dedicated team of experienced project and programme delivery specialists alongside a multi-functional team of business group colleagues to ensure the appropriate skills and knowledge are available to support delivery.

The sequential nature of delivery brings with it increased delivery confidence as each system or warehouse is remediated. Experience and lessons being learned are ensuring that any planning assumptions can be tested and revisited where necessary to ensure the delivery plan remains accurate. The programme’s approach has already seen the successful remediation of a significant number of the highest priority systems.

In February 2022 the programme completed a Gateway 0 IPA review with an Amber confidence level attributed. This was principally due to the need to urgently agree future delivery plans and the potential shortage and compounding demands for subject matter experts. The review highlighted good evidence in the programme and portfolio leadership of awareness, understanding and plans for action in these areas of concern. The recommendations from that review have since been actioned and a further review is scheduled for early 2023.

Conclusion

As the Accounting Officer for HMRC, I have considered my assessment of the Data Protection Remediation Programme and on balance, the proposal is value for money and deliverable. I have therefore approved it as of 28 February 2023. I have prepared this summary to set out the key points which informed my decision.

If any of these factors change materially during the lifetime of this programme, I undertake to prepare a revised summary, setting out my updated assessment. This summary will be published on the government’s website (GOV.UK). Copies will be deposited in the Library of the House of Commons and sent to the Comptroller and Auditor General and Treasury Officer of Accounts.

Accounting Officer’s name: Jim Harra, Chief Executive HMRC.

Date of signing: 28 February 2023