Qualityworld
Quality assured?
The headlines in 2007 were filled with data loss and security breaches. But, asks Paul Simpson, how much can be pinned to procedural failure and how much is actually due to low staff morale?
Last year proved to be an 'annus horribilis' for data management, with data security crises unfolding almost on a daily basis:
- an ex-contractor at the Department for Work and Pensions (DWP) had two discs with thousands of benefit claimants' details for more than a year after she stopped work at the DWP
- a computer disc containing personal information on more than 15,000 customers was lost when it was sent from a HM Revenue and Customs (HMRC) National Insurance contributions office to Standard Life's headquarters in Edinburgh
- a laptop with sensitive information was stolen from the car boot of an HMRC worker
- it emerged that around 80 passports are lost in the post on a monthly basis
- a hard drive sent to the US state of Iowa with details of three million learner drivers was lost.
I'm sure many of us in quality assurance have been shaking our heads and saying, 'why didn't they ask us?' The HMRC failure and subsequent media witch-hunt is a classic case of not understanding the systems approach to quality management. But these data security scandals also offer us the opportunity to gain important quality knowledge.
Dealing with disasters – whether quality, environmental, health and safety or information security – is integral to operating a management system. Determining a practical approach to ensure you don't find yourself in a similar predicament is common sense. Taking the HMRC as an example, there appear to be some stark lessons we can learn, specifically in the quality areas of:
- process approach
- process planning and risk management
- organisational culture (including personnel empowerment and competence)
- change management
- systems approach
Process approach
HMRC sent two discs containing the entire child benefit database, unregistered and unencrypted, to the National Audit Office by courier in October. They never arrived. The press raved and screamed ministerial incompetence, but the real picture is far more complex. To understand the problem we need to know how the process works and where failings exist.
Key process areas
The agency collects and administers direct and indirect taxes; pays and administers child benefit, child trust fund and tax credits; and is responsible for environmental taxes, enforcing the national minimum wage and recovery of student loans.
To do so effectively:
- the government needs access to data about its citizens to manage the child benefit system
- HMRC employees need access to that data to process applications and run the benefits system
- the National Audit Office requires access to data to ensure government departments are providing an efficient and effective service
To run the benefits system successfully the process needs to provide access to data to those that need it and to ensure information is available on a 'need-to-know' basis.
Process planning and risk management
All departments in HMRC should be looking at risks associated with a potential loss of data. The Liberal Democrats estimate this data is worth £1.5bn to criminals. Any planning of processes should take this market value into account in order to prioritise the organisation's efforts on areas of highest risk.
Failure costs
Aside from the risk of misuse of data, fixing the problem is costing taxpayers. An apology letter sent to seven million families potentially affected by the loss of data has cost the government £3m, according to Accountancy Age magazine. For HMRC chairman Paul Gray the cost was also high – his job.
From a purely political point of view, failure costs may be much higher as future strategies like the national identity card scheme, and the elections themselves, are dependent on the electorate's trust in the government.
Warning signs
The information commissioner, Richard Thomas, in his foreword to the Information Commissioner's Office (ICO) 2006-7 annual report wrote that 'the roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying'. He also asked how laptops holding details of customer accounts could be used out of the office without strong encryption, and condemned online recruitment procedures that allowed applicants to see each other's forms.
In his evidence to the Justice Committee, following the recent HMRC failure, he gave further examples of data security failures, citing one case where ICO investigators discovered 12 major clearing banks dumping paper waste in rubbish bags on the high street.
Each of these examples should have led to a review in HMRC and possibly prevented data loss in the first place. Each failure creates an opportunity to learn lessons and improve systems by taking corrective action and action to prevent recurrence.
There are many standards outlining how this should be done (see figure 1), from the general quality management requirements in ISO 9000, to codes of practice for information security management (such as ISO/IEC 17799) to business continuity planning standards such as BS 25999-2.
Each standard uses a 'plan-do-check-act' approach to identifying how the organisation is going to satisfy its obligations to manage its resources – in the HMRC's case, data – and ensure it meets stakeholder needs. ISO/IEC 27001, as the standard defining requirements for information security management systems, in particular identifies a risk-based approach to assessing threats to handling and storing information data including management responsibilities, risk management methods and continual improvement.
Figure 1. Key standards for information security and business continuity
ISO/IEC 17799 contains best practices of control objectives and controls in the following areas of information security management:
- security policy
- organisation of information security
- asset management
- human resources security
- physical and environmental security
- communications and operations management
- access control
- information systems acquisition, development and maintenance
- information security incident management
- business continuity management
- compliance
BS 25999-2 specifies requirements for setting up and managing an effective business continuity management system (BCMS) to define the business continuity management programme. This emphasises the importance of:
- understanding business continuity needs and the necessity for establishing policy and objectives for business continuity
- implementing and operating controls for managing an organisation's overall business continuity risks
- monitoring and reviewing the performance and effectiveness of the BCMS
- continual improvement based on objective measurement
Organisational culture
On top of disagreements as to the cause of the data losses, there are also reports that low pay at the ICO is leading to low morale. The information commissioner, in his report to the House of Commons Justice Committee, concluded: 'The level of pay for our staff has been a long-running difficulty.'
By all accounts the two merged departments of Customs and Revenue have very different cultures due to their origins. Thousands of HMRC employees went on strike in July to protest the introduction of lean working practices they believed were leading to excessive individual monitoring, deskilling of work and repetitive strain injury.
To understand the background of the HMRC data loss it is important to understand different types and causes of human error and the role of culture in influencing behaviour. One approach is to categorise error into three groups:
- slips – intention correct but action wrong
- mistakes – not deliberately doing the wrong thing but doing what is believed to be correct
- violations – deliberate rule breaking, may well not have malicious intent, probably believed to be justifiable
Any investigation into data security breaches should determine the type of error which led to the problems encountered and establish whether systems were adequate. Effective corrective action will be very different for instances when security systems are simply not adequate to prevent mismanagement of data, as opposed to organisational culture favouring short cuts with systems to speed up processing or reduce departmental cost.
Change management
Since the merger of the Inland Revenue (76,000 staff) with Customs and Excise (23,000) in 2005 the department has been trying to manage the change and attempt to generate the anticipated savings from merging two departments. To unsettle things further the government wants 12,500 cut from the combined workforce. At any time of massive change the balancing act is between undertaking change and carrying on business as usual, ensuring staff continue with their core task of collecting tax.
Critics and unions forecast that combining two distinct organisations, with very different cultures and legal powers, was always going to be a difficult task. The Institute of Chartered Accountants in their written submission expressed concerns about this:
'Whilst our members are broadly enthusiastic about moving to e-compliance, there is a widespread lack of confidence in HMRC's IT systems and their ability to deliver when most needed.'
At the same time the Institute expressed concerns over the range of services the merged body would be expected to deliver, stating that it is 'being pushed in too many directions' with 'considerable' pressures to increase revenue, improve compliance, fight fraud, deliver improved services (particularly e-services) and to manage a tax system which is in a constant state of flux and where the volume of tax legislation has doubled in ten years. All these improvements were expected, despite cuts in budgets and staff numbers.
David Hartness, the new acting chair of HMRC, has started his tenure with a statement before the public accounts committee of the House of Commons denying that cost efficiencies, job cuts or their change programme had anything to do with what he called a 'dreadful mistake.'
This flies in the face of reports from ex-employees and middle managers of HMRC on the BBC web site (anonymous because employees have signed the Official Secrets Act). One says: 'The child benefit problems are only the tip of the iceberg. Morale is non-existent. Mistakes happen continuously.'
Another, a former middle manager who had left HMRC after 10 years' service, reported that in order to realise all the benefits of the merger HMRC has moved to a call centre approach with individuals having access to relevant data – leading to drastic changes in ways of working. A system called 'lean processing' has been introduced, jobs divided up into their individual parts – every aspect dealt with separately, and no-one has overall ownership or responsibility for the task.
He went on to add: 'The move to using call centres means that people don't take personal responsibility any more. This is a top-down matter, due to the target-driven, staff-reducing culture.'
In their own review of effectiveness in implementing change, HMRC commissioned a report on the 'Pathfinder' programme – their implementation of lean tools, techniques and philosophy aimed at delivering 30 per cent improvement in productivity.
This report was received in September 2007 and discusses the goals of the programme:
- redesigning service delivery processes so as to eliminate waste and variability and maximise flexibility. This will improve productivity, quality and reduce lead time
- changing current management processes to create appropriate management infrastructure to sustain improvements
- changing mindsets and behaviours of leaders and front line staff to support the new systems and deliver continuous improvement
In its conclusions the report's authors indicated that HMRC Processing is a long way from being a lean organisation, but it is moving in the right direction. There is no mention in the report of data security management – presumably it fell outside of the team's scope.
Whatever the findings of the investigation it is important that responsibilities and authority levels remain in balance. To redesign processes to enable and empower employees to access data you need to first ensure they have the necessary competence in dealing with the data (including risks associated with revealing it).
A treasury sub-committee has heard that HMRC is spending about £130,000 a day on IT consultancy fees because of internal skills shortages needed to deliver change – an indication that the management of the merger is causing problems not originally anticipated.
Instead of trying to apply a sticky plaster over a single (albeit disastrous) failing, the investigation into HMRC should be extended into a review of systems including:
- processes for acquiring, storing, accessing and transferring data across departments
- management of organisational change
- roles of different departments including HMRC, the National Audit Office, the ICO, the Ministry of Justice and any other department involved in the deployment of data
Into the future
The loss of the data at HMRC should not be used as a stick to beat any individual, department or government, but as an opportunity to learn lessons and improve ways of working.
Many suggestions for improvement already in the public domain include additional legislation or powers for inspection by the National Audit Office or the ICO. To prejudge the solutions before effective investigation and, in particular, understanding of the system and processes in place will solve nothing.
In the same way that Deming surprised Ford bosses in 1981 by talking about management when they were expecting him to talk about quality tools and techniques, HMRC's culture and the way its managers operate need to be addressed. This principle can easily be read across to HMRC data losses. Employees only make the mistake of sending out unencrypted data because they can.
The eight principles that underpin quality management systems would be a good starting point for investigation of the HMRC data losses. Adoption of these principles throughout national and local government would help prevent further embarrassing and costly failures. A simple enough statement to make, but without acceptance of basic principles all these departments are built on sand.
Author
Paul Simpson is a director of XBS Solutions Ltd. He is a member of the CQI and chairman of its editorial advisory panel. For more information, visit www.xbs.org.uk

