Docs went off by signed-for post as intended today, recorded photographically at every step. Thought I’d share the cover-letter I included..
Dear Sir or Madam,
Further to my phone call on January 24th, please find enclosed the offending documents as requested, including original cover-letter.
Note that interleaved as page 2 of the copy of the 2008/09 Tax Return is the page of personal information belonging to XXXXXXXX of XXXXXX, and not myself.
I am aware that this is a serious issue and breaks the UK’s data protection laws, and I am fittingly disturbed that enough information to readily steal someone’s identity could be accidentally released to a 3rd party in such a way.
I am also likewise disturbed that this extra page of information was included in a second needless copy of my requested 2008/09 Self Assessment Tax Return.
When a single figure from it was requested, I understand that information could not be divulged by telephone, but it is incomprehensible to me that it could not be provided through the secure website where it is apparently located for exactly one year after it’s submission before being removed. As the tax returns occur at the same time every year, removing it exactly when it is most likely to require checking seems at best spectacularly unhelpful.
This was thrown further into stark contrast to the actual method by which I could receive it; unregistered and untracked 1st class post, in a poorly sealed budget envelope that arrived with holes already torn from its travels.
You might argue that if it were to be intercepted I would know something had happened to it since it did not arrive and could thus take precautions. But even if that faint shadow of security is acceptable, the logic only works if a known number of the documents are being sent. IE; If I request one copy and five are sent, I do not know anything is wrong if only the single copy I actually requested arrives in my hands.
Can you guarantee to me that these two copies were the only two copies dispatched? Or have more copies I do not know about perhaps been lost in the post? Has my own information been handed over to a 3rd party as XXXXXXXX’s has been to me?
Furthermore I am concerned with the instructions I was given on relaying this leak to the telephone advisor; Simply placing the information back into the same envelope in which it was sent to me and re-posting it back to HMRC. This seems a poor option for several reasons;
- The envelope is already used, damaged, post-marked and labelled with an existing post-routing sticker. All these I suspect would conspire to reduce it’s chances of correctly making it back through the postal system to you.
- Without a covering letter and addressed to HMRC as a whole, it occurs that it could be easily overlooked in postal-sorting, and simply trigger yet another copy to be dispatched to me under the impression it was a failed delivery and possibly lead to the destruction of the evidence. And additionally it could imply that my address was no longer correct.
- The documents enclosed as I understand it are evidence of a crime, and to further suggest that it simply be dropped back into the post under the same conditions in which it arrived seems bordering on negligent.
- Though I suspect a note has been made on my file, I was not given any form of call or reference number. Though I will admit I did not ask about one, again it seems odd one was not offered.
I am taking it upon myself to include this covering-letter to explain both the situation and the number of incidents that have occurred along the path to resolving it. It is my hope that this will expedite the investigation and lead in some small way to improving the handling of our citizens information, as well as make plain my own displeasure at the actions and reaction of HMRC so far.
Additionally I hope you will note that this has been sent via 1st Class Signed-For, to ensure its receipt.
As a less important but still irritating side-note, I would recommend you consult an IT professional. Either for additional training or additional features in your data-entry software, as I do not know if it is because of a feature your software currently lacks, or that your staff simply do not use it correctly, but the copies I received were of terribly unprofessional quality.
Speaking as someone with some history in graphic-design and IT, it distresses me that only the document pages I was not meant to receive were printed in perfectly clear black and white (showing the information in an explicitly legible font, arranged in efficiently used tables) whereas the information I actually requested was in the form of a series of bitmap screen-grabs (images not only including the programs tool-bar, but wasting several pages on blank space and unused tables, as well as poorly legible mono-space fonts that were sometimes further compounded by being light-grey on a white background). You patently have the capacity for legible print-copies, but it implies they are only considered necessary for internal use.
To someone with worse reading difficulties than mine, I expect these prints would be near-illegible.
From the layout of the images sent, you seem to be using Microsoft Access (in itself, implicitly revealing the software, and suggesting additional modes of attack to those looking for security holes).
It would not take a database professional more than three days, working with the limited set of data found in a tax return, to produce a query table which would omit unfilled entries from a print-out and arrange them in a clear and concise form which would produce a visually clear and source-anonymised document.
The amount of information in my copy could have been reduced to a single double-sided sheet of A4 rather than the fourteen single-sided sheets I was sent, eight of which contained no information.
It is also worth noting that perhaps if this was done it would be vastly less likely that a page of someone’s information would be lost within the many surplus pages of another’s.
I eagerly look forward to your reply on all matters addressed, as well as the future results of the investigation I have unwillingly been made a part of.
Most sincerely,
Peter William Turpin