Exposed: RPA failings go right to the top

The head of the Rural Payments Agency failed to tell DEFRA secretary Hilary Benn that personal details belonging to 100,000 farmers had been lost – despite knowing about the breach for over a month.

Agency chief Tony Cooper knew about the loss of 38 computer tapes as long ago as 21 September. But Mr Benn was only informed of the missing tapes on 28 October following a Farmers Weekly investigation.

Latest details emerged after Farmers Weekly gained access to an internal DEFRA report made available to MPs, which revealed the timetable of communication related to the incident.

Although DEFRA officials knew of the loss on 23 July and RPA civil servants learnt of the incident on 8 September, this is the first indication that senior RPA staff, including Mr Cooper, knew of the missing tapes but chose not inform ministers.

Instead of alerting Mr Benn or farmers to the breach, at least three meetings were held between RPA staff between 21 September and 1 October to discuss how the data loss should be managed.

In an email to RPA staff, the agency’s chief information officer, David Halsey, said he had alerted Mr Cooper to the “potential problem”, but he wanted to double check the data was “genuinely lost before starting hares running”.

While Mr Benn told MPs there was “only a low risk” of usable data being lost and it was “most likely” the lost tapes had been destroyed, senior civil servants in those meetings disagreed.

The RPA’s security officer said there was “no evidence” the unaccounted tapes had been destroyed.

“[The two tapes] have a high probability of containing sensitive data,” he said. In an RPA report to DEFRA on the incident, the agency’s stance should be “to announce a potential loss of sensitive data,” he added.

However other staff members, including the agency’s head of communications, expressed concern over the amount of information revealed to DEFRA, as the agency would “lose control” of what was released to the public.

Security cock-up

In a further slip-up, the copy of the RPA’s report into the data loss, which should have been edited in a way to protect the identity of those involved in investigating it, was made available without being properly secured. This meant Farmers Weekly could easily restore the document to its original form, revealing the names of every member of RPA staff involved in the meetings, as well as the identification numbers of every tape and disc involved.

RPA chiefs turn mole catchers

The RPA has reportedly begun a witch-hunt to catch the whistleblowers who leaked the loss of farmers’ bank details to Farmers Weekly.

A source close to the moles, who were civil servants working on the single payments system, said RPA chiefs were furious farmers had been made aware of the loss of confidential data.

He claimed an action group has been set up in a bid to catch the civil servants responsible.

“What the RPA needs to recognise is they made some extremely knowledgeable IT people redundant,” he added. “There are many past employees who are extremely bitter at losing their jobs. They have a wealth of information.”