This snippet in this morning’s Guardian seems to have been by-passed in the midst of the general furore about the topic.
“Shawn Williams, a partner in a law firm specialising in fraud cases, said he regularly received confidential data from Revenue & Customs in CDs with either no password or the password written on the disc itself.
“While it was common in other cases for passwords to be provided by phone only once the data had been sent, Williams had never known Revenue & Customs to carry out this procedure. He said the data was often ‘substantial’ and arrived on a regular basis.
“‘Any person of ill-intent coming into possession of that material has the opportunity to access that material without going through an elementary password procedure,’ he said. ‘If there was not even that level of protection then the problem is even bigger than it appears to be. It is our strongest suspicion that the discs forwarded to the National Audit Office will have been packaged together with the necessary instructions to enable the recipient to access the data.
“‘If so, then reassurances from the chancellor of the exchequer and chief secretary to the Treasury that the data has password or other encryption protection become meaningless.’”
So, that’s HMRC sending a fraud lawyer confidential data (a) on disc (contrary to their data protection obligations); (b) with either no password (!!!) or a password written on the disc (!?!?!); and this appears to be standard HMRC practice.
It may be practice but it’s not policy.
So, that’s all right then.