|G-Cloud, GDS, HMRC and Skyscape, the company with just one director, who owns all the shares – Whitehall SNAFU|
|Open letter to Lin Homer, Chief Executive, HMRC, asking about the wisdom of entrusting their data (our data) to the cloud with Skyscape Cloud Services Ltd.|
|Response from Phil Pavitt, Director General Change, Security and Information, HMRC, on behalf of Lin Homer.|
|Open letter to Phil Pavitt.|
28 November 2012
|Response dated 26 November 2012 from Phil Pavitt, please see below:|
HMRC and Skyscape Cloud Services Ltd
Dear Mr Moss
Thank you for your letter of 24 October 2012 expressing your concerns in respect of Skyscape Cloud Services Ltd suitability to host HMRC data. I apologise for the delay in responding to you.
Further to my reply of 22 October, I wanted to provide you with some more information to alleviate your concerns. I must reiterate our assurance that using Skyscape HMRC data will continue to be kept in accordance with existing legislation and HMRC security policies.
When fully operational, Skyscape Cloud Services Ltd will securely host all HMRC data currently held on office File and Print Servers (FAPS). FAPS support the work of many HMRC offices and hold data for a wide range business purposes e.g. administrative and customer related. FAPS do not hold the definitive tax records for the UK and these records remain distributed across a number of secure systems.
HMRC routinely risk assesses and tests the security of our solutions and services. Our secure connection to Skyscape will be delivered in line with HM Government standards to protect our data, with ongoing assurance checks throughout the life of this service.
As emphasised in my letter of 24 October, in order to deliver through G-Cloud, Skyscape were required to meet a set of mandatory criteria set out by Government Procurement Services (GPS) including financial standing and Experian risk assessments. Additionally, HMRC carried out its own standard taxation and financial compliance checks before awarding the contract and Skyscape passed the standards set by HMRC and Government.
All G Cloud contracts are let on a one year basis, with exit provisions agreed to transfer the data to a new supplier should this prove necessary.
Data security remains integral to HMRC and a pre-requisite of any of our data being migrated to Skyscape is for their solution, including all the constituent parts, to be formally accredited by CESG (the Communications-Electronics Security Group) to Impact Level 3 (IL3). All security aspects of the service will have to be proven in line with HM Government security standards. This will include the need to ensure the ‘cloud’ is hosted in a UK domiciled, secure data centre(s) and operated by staff with appropriate security clearance. We are also carrying out internal accreditations including Internal Risk Management and Accreditation Document Set (RMADS) and PSN risk assessments.
I trust that this answers your concerns and you are able to appreciate our decision to contract with Skyscape.
HMRC Director General Change, Security and Information