PROCEDURES at the North-East child benefit office that lost CDs containing the personal records of 25 million people were "woefully inadequate", an inquiry has revealed.

Investigators said no individuals at the Emerson House complex, Washington, Wearside, were to blame for the security breach.

Instead, HM Revenue and Customs (HMRC) was accused of wholesale failings in "institutional practices and procedures" concerning data.

The Independent Police Complaints Commission (IPCC) investigation was launched after two CDs went missing between the North-East and London last October.

Investigators found that staff worked on confidential data without adequate support, training or guidance, with a "muddle through" ethos. Officials were so ignorant about data security that, when the CDs were lost, they simply sent another set.

It was three weeks before an employee reported the loss, setting in motion a chain of events that led to a national outcry.

The CDs contained names, addresses and bank details of every person who claims child benefit.

Among the data were 335 "nationally sensitive" records, the report revealed.

IPCC commissioner Gary Garland, who oversaw the inquiry, said the CDs have never been found despite an exhaustive search led by Scotland Yard.

He said: "The transit of CDs to the National Audit Office (NAO) was clearly compromised by ineffective practices and procedures.

"This meant an event like this was certain to happen - the only question being when."

Mr Garland said it was very unlikely the CDs would fall into the hands of criminals.

He said that even if they did, the mass of data would be almost impossible to decipher by a "knock-about villain".

The CDs were sent to an internal courier by a junior official after being requested by the NAO, which wanted to check the £10bn annual cost of child benefit.

The package was last seen being placed in an in-tray in the Washington offices with the remark: "That's it - it's gone now."

The CDs did not reach their destination.

Duplicates were sent on October 24 and the alarm was raised on November 8.

In an emergency statement to Parliament, Chancellor Alistair Darling suggested only one person was to blame for the breach and that "senior management of HMRC were not told of this". HMRC said the person acted "completely outside" his job remit and that he had made "a colossal error". Yesterday, a spokesman declined to say what had become of the employee. The report makes clear that staff were working without any coherent strategy for mass data handling. The report does not name any of the 16 officials involved in the scandal at the North-East child benefit offices. It reveals they were given limited immunity from disciplinary action and two were given immunity from prosecution. Officials said this was to speed up recovery of the discs and no evidence of misconduct or criminality was found. The IPCC findings were supported by another report published yesterday by independent investigator Kieran Poynter, who found that "the loss was entirely avoidable". His report supported the Government's decision to create HMRC by merging the Inland Revenue and HM Customs, but said its management structure was "not suitable". Mr Darling yesterday "apologised unreservedly" to everyone affected by the data loss. Dave Hartnett, HMRC acting chairman, admitted the data loss was avoidable and should not have happened.

He said: "Since the incident, HMRC has significantly tightened data security. While the data has not been found, I can confirm that there is no evidence of any fraudulent activity as a result of the loss."

Shadow Chancellor George Osborne said the reports offered "a truly devastating account of incompetence and systemic failure at the heart of this Government".

He said: "The first duty of any Government is to protect the security of its citizens, and this Government breached that duty when it lost the names and addresses of every child in the country and the bank account details of ten million parents."

The agency will spend £155m on improving data security over the next three years. The reports' conclusions have been welcomed by union leaders.

Mark Serwotka, of the Public and Commercial Services union, said: "The Government's belated recognition that HMRC staff are hardworking, and need clear procedures and guidelines from their senior managers, stands in stark contrast to the earlier attempt by the Chancellor to scapegoat an individual junior civil servant for the data loss."