Plenary, 28 Nov 2007

Meeting date: Wednesday, November 28, 2007


Pension Benefits Statements

The next item of business is a statement by John Swinney on pension benefits statements. The Cabinet Secretary for Finance and Sustainable Growth will take questions at the end of his statement, so there should be no interventions.

The Cabinet Secretary for Finance and Sustainable Growth (John Swinney):

Yesterday, business managers requested a ministerial statement on the events of the weekend concerning the issuing of annual benefits statements to members of the national health service superannuation scheme Scotland by the Scottish Public Pensions Agency. I am, of course, happy to come to the Parliament to inform members of precisely what happened, and to consider some of the possible implications for the agency and the wider review of data security that has been initiated by the Scottish Government.

I start with what happened over the weekend. The SPPA dispatched approximately 89,000 pension benefits statements to major NHS employers on 26 October. The packages were dispatched by FedEx, the Scottish Government's approved courier, as 162 packaged items, to 15 separate addresses. The statements contained names of members and national insurance numbers but no personal information relating to addresses or bank accounts. Statements are distributed by employers in the month following receipt.

Following an inquiry to the SPPA from NHS Greater Glasgow and Clyde on Friday 23 November, it became apparent that an item that had been dispatched to the health board had not been accounted for. At that stage, the agency instigated a search. At the same time, the agency informed the Scottish Government of the potential problem. Ministers were advised on Friday afternoon.

The SPPA responded as follows. It immediately contacted FedEx, which confirmed by Friday evening that one item that had been recorded as being received at its national distribution centre on 27 October did not appear to have been forwarded from the centre. The SPPA requested a search as an immediate response, and the search was initiated by FedEx on Friday evening.

The SPPA, together with NHS health boards, immediately made strenuous efforts to contact all organisations to whom packages had been sent. With the help of NHS colleagues, it was established by Sunday morning that 161 of the 162 packaged items were safely accounted for and that one item was not accounted for.

On Sunday morning, NHS Greater Glasgow and Clyde undertook a further check of all packages that it had received. When consignment numbers were checked against SPPA and FedEx records, it became clear that the unaccounted-for package had been received by NHS Greater Glasgow and Clyde. The health board undertook a further examination of the packages that had been delivered, and at approximately 1.30 pm on Sunday advised that the missing package had been found at its intended destination of Stobhill hospital.

Following receipt of an inquiry about the issue from Scotland on Sunday on Saturday afternoon, I decided to issue a statement making public the details that we had at the time regarding the fact that a package was unaccounted for. I did that because I judged that, in the context of wider public concern about missing data, there was an overriding need to explain the position.

The pension benefits statements were issued using the Scottish Government approved contractor and were received at the correct address. At no time were the data in the wrong hands, and there was no risk to any individual member of the pension scheme. The procedures that had been established by the SPPA demonstrated that the agency was able to track individual packages, even to the extent of identifying the exact content. It is unfortunate that the issue arose at the start of a weekend, which lengthened the time that it took to finalise matters. I appreciate the enormous efforts that members of staff and the management of the SPPA, NHS Greater Glasgow and Clyde and other health boards made over the weekend to satisfy ministers' inquiries.

As a result of the weekend's events, concerns have been identified for immediate action by the SPPA. Action will include: first, pursuing with FedEx the reasons why the agency was not alerted to the fact that the tracker had identified that an item had not been delivered; secondly, examining ways of immediately tightening up mail dispatch procedures within the SPPA and improving mail receiving facilities at organisations; and thirdly, confirming that all 59,000 benefits statements for members of the Scottish teachers superannuation scheme, which were dispatched on 16 November, have arrived safely. That exercise is under way, and I can report to the Parliament that, on the basis of responses from employers to date, no packages are unaccounted for.

In light of the problems that were encountered by HM Revenue and Customs, the Scottish Government is aware that members of the public will have concerns about the way in which we manage the data that we hold. We take data protection issues extremely seriously, and we have well-established standards in place for storing, accessing and transmitting sensitive data.

On 23 November, we announced that we would conduct a co-ordinated review of information security policies and data handling arrangements in Scotland. The review will consider the procedures that are in place for the protection of data, their consistency with Government-wide standards and policies, and the arrangements for ensuring that policies and procedures are fully and correctly implemented. The review will allow the Scottish Government to establish whether there is a need for further measures to improve the security of sensitive information. Taken alongside the survey of procedures for handling personal information that is under way across all United Kingdom Government departments, the review will enable us consistently to share best practice throughout the wider public sector.

The Scottish Government's strategic board has set up a team, led by the director general justice and communities, to support and co-ordinate the review. All bodies in Scottish central Government, including the NHS, are being asked to confirm compliance with existing information security policies and to offer any practical recommendations for improvements or the better management of risk. In addition, all Scottish Government staff have been reminded of the need to adhere to the standards for the protection of data and of the appropriate care that needs to be taken with data that are received, stored or transmitted to other bodies. We are moving quickly on those issues. The review team will report to me on compliance within the next two weeks.

Presiding Officer, I hope that the chamber will agree that while the weekend's events raise some issues for us to consider, they are a million miles away from a Government putting half the country's bank account details on an unencrypted disk, sticking it in the post and losing it.

The cabinet secretary will take questions on the issues that he raised in his statement. We have around 20 minutes for questions.

Andy Kerr (East Kilbride) (Lab):

I thank the cabinet secretary for the advance copy of his statement.

Clearly, it is of great importance to everyone in Scotland that the personal information that public agencies hold on them is protected appropriately, particularly when the information is being shared and transferred. I, too, state my appreciation for the hard work of staff in resolving the situation.

Will the cabinet secretary tell the chamber, with absolute clarity, whether anyone in Government was made aware of any concerns on the matter between 26 October and the issue coming to light in the press? In The Herald of 26 November, the cabinet secretary said:

"the correct procedures were followed at all stages".

How can that be the case if files were lost and subsequently retrieved? As he acknowledged in his statement, for some time we had a lost package.

Should not the Government examine procedures to ensure that data transfers take place only if they are absolutely necessary, if written authorisation has been provided by a senior manager, and if clear instruction has been given on the appropriate standard of protection for the transfer?

Will the Scottish Executive introduce new security measures to ensure that all significant data transfers are conducted by automated electronic transfer? If data have to be transferred by removable media, will he also ensure that such media are securely encrypted at the appropriate level?

John Swinney:

I thank Mr Kerr for his questions. To my knowledge, no one in the Scottish Government knew of the issue until officials were telephoned at around midday on Friday. I was telephoned at 2 o'clock, at which time I was told of the situation, and action was taken in light of that. The first time that the SPPA knew of the matter was when it received a call from NHS Greater Glasgow and Clyde at 11.45 am on Friday.

I turn to the comments that I made publicly. All the procedures that the SPPA undertook were followed absolutely. Where procedures were not followed properly was when FedEx did not alert the SPPA to the fact that there was an item for which it did not have a signature to say that it had been received. Obviously, I raised that issue in the statement. The situation is being examined to ensure that it is handled properly.

Mr Kerr asked two questions about data transfer. I have questions in my mind about why exactly we were transporting 89,000 printed pension benefit statements from one end of the country to various other parts. I am examining that issue with the SPPA, because I am not sure that the practice fits with the modern age and the ethos of efficient government, with which I am sure Mr Kerr agrees. We will examine the questions about data transfer.

On Mr Kerr's final point about the encryption of transferred data, as an absolute minimum encryption must be the standard of security when sensitive information about individuals is handled. The Scottish Government's internal review will consider that. Although we may not have answers to the question in the two weeks within which I expect to receive follow-up information, we certainly will pursue the issue as a matter of course.

Murdo Fraser (Mid Scotland and Fife) (Con):

I, too, thank the cabinet secretary for the advance copy of his statement.

When it was announced last week that HMRC had contrived to lose 25 million names, addresses, dates of birth and national insurance numbers in a demonstration of breathtaking incompetence, I dare say that there might have been some hubris in the corridors of the Scottish Government and the feeling that it could not happen here. The disclosure of lost information by the SPPA is certainly not on the same scale, but it is worrying nonetheless. On top of that, we learn today from The Courier that the Inland Revenue managed to send to a Dundee company through the post the personal and financial details of more than 50 people, and that the information was intended to be sent to the Inland Revenue's Cumbernauld office. One must wonder whether the reported incidents are simply the tip of the iceberg. All the evidence points to a systemic failure in information handling at all levels of government, which should be of serious concern to us all.

I welcome the cabinet secretary's statement and his confirmation that an urgent review will be carried out, because public confidence in the Government's handling of personal information must be restored. However, I have a couple of questions. First, does the cabinet secretary think that it is acceptable that, for the four weeks from 26 October to 23 November, the SPPA was unaware that the packet in question had not reached its destination? The SPPA has procedures for tracking packages, but why was no alert system in place? Secondly, does he accept that the public have a right to be informed when sensitive information about them goes missing? Does he accept that that did not happen in the SPPA case, and will he undertake to ensure that, in future, members of the public who may be affected by the loss of information will be made aware of the situation at the earliest possible opportunity?

John Swinney:

There is never hubris on the Government benches at any time.

I am happy to answer for the SPPA, which is a good and effective agency with well-motivated staff, but it is not my business to reply for the Inland Revenue or HMRC. However, if that responsibility falls on my shoulders in the passage of years, I will accept it willingly.

Mr Fraser may chart a course of charging HMRC with systemic failure in relation to information, but that is not a fair charge against the SPPA, which has never before experienced a situation in which information has not been accounted for. I assure Mr Fraser about the diligence of staff members and management of the SPPA and their efforts to address the issue during the weekend, which in my eyes was a demonstration of fine public service.

Mr Fraser asked why the SPPA was unaware of the issue for four weeks. The answer was contained in my statement: FedEx did not advise the SPPA that a package was unaccounted for. The FedEx system should have highlighted that. We are examining that issue, because it is a material point.

On informing the public, as I said to Mr Kerr, the issue came to light in the SPPA at quarter to 12 on Friday morning and it was resolved by Sunday at 1.30. It would be stretching the imagination to say that we could have communicated to people within that window of opportunity. In the context of the media inquiry that we received from Scotland on Sunday on Saturday afternoon, I made a judgment—which I think was correct—to disclose the information to the public. Obviously, at that time, efforts were under way to resolve the issue.

Tavish Scott (Shetland) (LD):

I thank the cabinet secretary for his statement and I associate the Liberal Democrats with his appreciation of the hard work done by the SPPA.

Given the recent appalling revelations on the inadequate safeguards for data that are held by the United Kingdom Government, it is vital that the Scottish Government does not follow suit. Does the cabinet secretary agree that the public must be confident that the Government is managing personal information efficiently and sensitively? Will he ensure that the Government's review is accountable not only to ministers but to Parliament? Because of the enormous public concern, will he agree to make the review independent of Government? Will the review consider not whether procedures were followed but whether those procedures are sufficiently secure?

Does the cabinet secretary agree that the next stage in data protection should not be to create a superdatabase with citizens' personal information and biometric data? Will he guarantee that there will be no Scottish system of identity cards and no centralised Scottish database of information that would put citizens' privacy at risk? Will he ensure that this Government will not share or provide information for any ID database that is introduced by the Labour Government in London?

John Swinney:

We take data management very seriously and we are determined that data should be properly and securely protected. I will be happy to ensure that relevant Government officials and ministers are answerable to Parliament on issues relating to data management.

I do not rule out independent scrutiny of the review at this stage, but I am happy to agree that parliamentary scrutiny is the minimum required.

This Government does not believe in ID cards. As I have said, we have a variety of measures to protect the data that we hold on individuals. Data should be held securely and sensitively. That will be the Government's approach in all such areas.

We now move to questions from back benchers. I ask that those questions be brief.

Christine Grahame (South of Scotland) (SNP):

I thank the cabinet secretary for clarifying that the data were at no time in the wrong hands and for mentioning the strenuous efforts that were made by the staff at the SPPA offices in Galashiels. Given his warm words, I ask him whether he will visit the SPPA to thank the staff personally. The fault apparently lay with FedEx.

John Swinney:

I have already visited the SPPA: I went there over the summer. It is a Government agency and it does important work for us at a very attractive location in Galashiels. SPPA staff put in a lot of effort over the weekend to address the situation, for which I am grateful. I am equally grateful to staff in NHS boards throughout Scotland who had to address the situation. Such situations always seem to happen late on a Friday afternoon or evening, and go on into the weekend. In NHS Greater Glasgow and Clyde in particular, a lot of effort was put in so that the situation could be resolved as expeditiously as it was.

Paul Martin (Glasgow Springburn) (Lab):

The statements of more than 89,000 health service employees were at some point—some of them—missing for four weeks. Many of us who receive child benefit will have received a written explanation from HMRC of the circumstances following 20 November. To pick up on Murdo Fraser's point, will the minister confirm that he will write to the 89,000 employees to clarify the circumstances that surrounded this particular issue?

The minister says that he is absolutely certain that the data did not fall into the wrong hands during the four-week period, but how certain can he be? Many of us have criticised FedEx and its handling of the issue. Has the minister considered requiring Strathclyde Police to examine the documents to ensure that data did not fall into the wrong hands?

John Swinney:

At no stage were 89,000 records missing. One package out of 162 was unaccounted for—not missing, unaccounted for. There is absolutely no reason to write to the vast proportion of the 89,000 people, because their statements were entirely accounted for.

The member's second point concerned the one package that was unaccounted for. I can say with absolute certainty that it did not fall into the wrong hands because the package for which FedEx did not have the appropriate signature to say that it had been received in Greater Glasgow and Clyde NHS Board was a different package from the one that was allegedly missing. That assures me that the package that was unaccounted for had been delivered to Greater Glasgow and Clyde NHS Board, because it was signed for by the health board. The only problem was that it was not immediately obvious where it was within the health board. However, that issue has been resolved to my satisfaction.

Does the cabinet secretary have any plans to discuss with Greater Glasgow and Clyde NHS Board its procedures for checking on the whereabouts of important documents once they are on its premises?

John Swinney:

I had a conversation yesterday with the chief executive of Greater Glasgow and Clyde NHS Board, in which I thanked him and his staff for their efforts over the weekend. He indicated to me—as he has said publicly—that he will supply a report on mail handling within the health board to the Scottish Government's director general health, which will address any of the operational issues that remain following my statement.

James Kelly (Glasgow Rutherglen) (Lab):

I ask the cabinet secretary to clarify one of his previous answers. When he talked about the 162 packages, he said that the one that had gone missing had been accounted for and that there had been a mismatch. Were all packages accounted for, or were any unaccounted for?

John Swinney:

I said in my statement that 161 packages were accounted for. One was not accounted for, and when the process of checking in detail was carried out over the weekend, the situation was satisfactorily explained by the merging of data from the SPPA, FedEx and Greater Glasgow and Clyde NHS Board. Once that work had been undertaken over the weekend, the issue was resolved.

Alex Neil (Central Scotland) (SNP):

I welcome the general review that has been commissioned by the cabinet secretary, and I ask him whether it will consider best practice from elsewhere in Scotland and in the UK—best practice that we can learn from—on the transmission of information between different agencies.

John Swinney:

We must be alert to best practice in other areas. As I stressed in my statement, the issue was resolved as speedily as it was because of the information tracking systems that are at our disposal. As a consequence of those systems, we have a strong base in the handling of such information, but we must constantly examine those systems to guarantee that they improve. In particular, we must ensure that we meet the high standards that Mr Scott correctly identified as being demanded by the public, on whose behalf we hold information.

Jeremy Purvis (Tweeddale, Ettrick and Lauderdale) (LD):

I was glad to accompany the cabinet secretary on his visit to the SPPA in Tweedbank in the summer to congratulate it on its hard work. Given the hope of expanding the services from the agency in the Borders, that hard work is important.

I ask him to clarify one aspect of the review. I heard no mention that it will include FedEx and other Government contract holders or preferred suppliers. Will he confirm whether that is the case? If they will not be included, why not?

John Swinney:

We will be considering all aspects of the arrangements that were in place in this instance. When the SPPA considers its procedures, it will examine in particular the management of mailroom logs and its relationship with receiving organisations and, specifically, the courier services that it engages. That will be an essential part of work that the SPPA undertakes in reviewing this incident. However, as I said to Mr Kerr, I have questions about the way in which we manage and move information, and we must consider carefully the arrangements for undertaking such activity.

We have already had some talk about the electronic transfer of data. Given the inherent cost benefits of that method, what tests have taken place on the security of electronic transfer using the Government intranet, for example?

John Swinney:

One of the questions that I asked over the weekend was precisely why we were dispatching 89,000 printed benefits statements in this day and age. I understand the answers for that now, which are to do with the fact that a number of elements of the current information technology systems could not be easily adapted to undertake electronic transfer of information on that volume. There is also a logistical argument that, if the pension benefits statements are going out from one place, such as the SPPA, there is every likelihood that they will go out in an organised and systematic fashion, as they habitually do. However, on this one occasion, we have had an issue with the mail handling outwith the SPPA.

I will certainly consider whether the current method is the most appropriate way of handling such a volume of information. I will liaise carefully with the SPPA and other Government organisations on the question and, of course, keep Parliament informed of developments.