Private data 'also given to firm'

The discs containing the data were unencrypted

Unencrypted discs with 25 million Child Benefit records on them were handed to an accountancy firm by government auditors, it has emerged.

The National Audit Office (NAO) gave the CDs - similar to the ones lost by HM Revenue and Customs (HMRC) officials - to accountants KPMG for auditing.

It said the discs - with bank account details on them - were delivered "by hand" to KPMG and returned safely.

The Information Commissioner is probing whether data laws were broken.

A spokesman said the commissioner would be looking at "all aspects" of data protection surrounding the missing Child Benefit records as part of its investigation.

Meanwhile, police looking for the missing discs say they expect to finish their search at the HM Revenue and Customs office in Tyne and Wear on Friday night. The focus will then turn to premises run by the couriers, TNT.

'Treated securely'

An NAO spokesman said it had not asked for sensitive information to be included in the material sent to it by HMRC - but it was confident it had taken steps to ensure its security.

"We feel we treated this data securely but at the same time we will look at any lessons that may have to be learned," he added.

I also confirm that I have asked KPMG to provide me with assurances that they have deleted or erased the data Letter from NAO director

The data given to KPMG was for the 2006/07 audit and was sent to the NAO offices in March this year. The missing data was produced for the 2007/08 audit.

The details were revealed in a letter sent by the NAO, which was released on Thursday.

The letter from an NAO director, whose name is blanked out, says: "I also confirm that I have asked KPMG to provide me with assurances that they have deleted or erased the data that they analysed as part of our 2006-07 Resource Accounts audit."

Returned safely

The letter was dated 9 November - the day after senior management at HMRC was told about the missing discs.

The NAO told the BBC the data was delivered to KPMG's offices by hand and had now been returned safely.

A KPMG spokesman agreed with this statement and said any trace of the data contained on the discs had been erased from the company's computer system.

The Child Benefit details had originally been put on to disc and forwarded to the NAO by HMRC officials at its Tyne and Wear offices in March.

Request declined

Just 1,500 Child Benefit records needed to be examined as part of the auditing process - but all 25 million records were handed to KPMG, as the NAO wanted to be able to select individual records at random.

The NAO asked if HMRC would remove bank accounts and other details from the data before it was sent to them, but this was declined.

An NAO spokesman said discs containing the Child Benefit records had been delivered by a member of its audit team to KPMG.

The spokesman said there was nothing unusual about this, as KPMG was a "long-standing strategic partner".

Internal mail

He said the NAO needed to use KPMG's "mainframe IT capacity" to analyse the Child Benefit data.

Asked if it had considered removing the bank details of individuals from the discs on security grounds before handing them to a third party, the NAO spokesman said the data belonged to HMRC.

"It is HMRC's data to manage," he told the BBC News website.

In March officials at HMRC's offices in Tyne and Wear began the practice of downloading the entire Child Benefit database - including bank account details and National Insurance numbers - on CDs and sending them through the internal mail to the NAO for auditing.

The practice only came to light on Tuesday when it was revealed two discs had been lost - raising fears data protection laws had been broken.