Wednesday, December 05, 2007

When "no comment" is not "no comment"

Yesterday in Parliament, the Lib Dem MP Martin Horwood asked the Chancellor "what steps his Department is taking to reduce the vulnerability of tax correspondence to identity theft." The response by Jane Kennedy went as follows:
HMRC initiated immediate increases in security with a new process:
* transfers will now only take place if they are absolutely necessary;
* written authorisation for the transfer has to be given by senior HMRC manager (it was last time wasn't it?); and
* a clear instruction has been given regarding the appropriate standard of protection for the transfer (no change there then).

Where directors decide that a data transfer by disc is unavoidable such media must, in every case, be securely encrypted at the appropriate level (same as before then?). On 20 November the Chancellor announced an independent review of HMRC's data handling procedures to be conducted by Kieran Poynter, the chair of Price Waterhouse Coopers.
Now, Martin Horwood, whilst obviously thinking about the HMRC DiscGate incident, didn't actually ask about HMRC specifically, yet the response leapt straight to telling him what changes had occurred to mitigate a recurrence.

However, two questions later, Keith Vaz asked about security training at HMRC and received the following response from Kennedy:
It would be inappropriate to comment on this issue as there is an ongoing Metropolitan Police Service investigation and an independent review of HMRC’s security processes and procedures for data handling led by Kieran Poynter, the Chair of PricewaterhouseCoopers.
So, in the first question Kennedy was more than happy to talk about security procedures at HMRC and the 'non-changes' they had put in place (preempting the 'independent review'), and yet in the next breath she couldn't possibly comment? Seems to be having problems sticking to the line, doesn't she? She managed to stick to it in other questions though.
