By Danielle Newton. Last Updated 10th December 2024. This article aims to show you what you could do following an HMRC data breach. As a department of the UK Government that processes personal data, HMRC is bound by the rules of the UK General Data Protection Regulation (UK GDPR) and also the Data Protection Act 2018. These laws aim to keep your personal data safe.
When you think about data breaches, you might think of criminal hackers stealing data over the internet. However, human error might be to blame in many more cases than criminal activity.
During the course of this guide, we’ll look at what harm can be caused by a personal data breach. We’ll also explain the types of security incidents that could result in a claim. Finally, we’ll list some example compensation amounts so you can see what could be paid.
We don’t just help in regards to personal injury claims, slip trip and fall claims or public accident claims. We also provide free legal advice if you’re looking to claim data breach compensation.
During a no-obligation telephone consultation about your case, an advisor will assess whether you could be compensated. If the claim appears strong enough, we could connect you with a data breach lawyer from our panel. If they decide to represent you, they’ll provide a No Win No Fee service.
Do you have evidence of a valid claim? Why not call us on 0800 408 7825 today? Alternatively, please carry on reading to learn more.
Select A Section
- Our Essential Guide On Claiming For A HMRC Data Breach
- What Is A HMRC Data Breach?
- How Could HM Revenue And Customs Suffer A Data Breach?
- How Could I Claim Compensation For Stress Should An HMRC Data Breach Occur?
- Compensation Payouts After A HMRC Loss Of Data Incident
- No Win No Fee Claims For A HMRC Data Breach
- Contact Us About A Data Breach
- Useful Links
Our Essential Guide On Claiming For A HMRC Data Breach
Her Majesty’s Revenue & Customs (HMRC) plays a vital role in collecting the money that covers the costs of public services. They’re involved in tax collection from businesses and individuals. Much of the personal data they process will be protected by the UK GDPR.
If a body that handles personal data fails to protect yours through positive wrongful conduct, and you suffer psychologically or financially as a result, you could seek compensation from them. In this guide, we’ll explain the process of doing so.
The Information Commissioner’s Office (ICO) is responsible for enforcing data protection laws. They have been given the authority to investigate any potential data breach. Where fault is found, they may help the organisation involved to put things right. Additionally, they could issue fines or enforce changes in how personal data is processed at the organisation. However, they do not have any power to compensate individuals (data subjects) affected by a breach. Therefore, we’ll explain how you could take action.
What Is A HMRC Data Breach?
It’s important to understand what a data breach is when you entrust your personal data to others. According to ICO documentation, personal data breaches are breaches of security that result in:
- The unauthorised or accidental loss, destruction, alteration, access or disclosure of personal data.
They can be accidental or deliberate.
Personal data is any information that can be used to identify you directly or alongside other information.
A personal data breach claim isn’t always possible, though. To be entitled to claim you’ll need to show that:
- There was a data breach and your personal data was involved; and
- The defendant’s failure to act or their actions caused the breach to occur; and
- You lost money and/or suffered mental harm because of the breach.
Also, you’ll need to ensure you claim within the allowable time limits. In some cases, you’ll have 6 years to begin taking action. However, for some claims against public bodies, a 1-year time limit applies. Therefore, we’d suggest that you talk to us about your options as soon as possible.
How Could HM Revenue And Customs Suffer A Data Breach?
In this section of our guide on what you could do after an HMRC data breach, we’ve added some possible data breach scenarios. They include:
- Tax demands containing personal data sent to the wrong postal address, despite having the correct address on file.
- Personal tax information is shared with others without a lawful basis.
- A device containing personal data is lost or stolen and is unsecured.
- Where a message is sent to the wrong email address and it contains your personal data, but the recipient isn’t authorised to access this.
- If an officer discloses personal information about you to an unauthorised party.
- Where unredacted personal information is published in an online report.
As shown in the list above, human error could be the cause of data breaches just like criminal activity can.
Examples Of HMRC Loss Of Data Incidents
According to the HMRC’s Annual Report and Accounts for the 2020 to 2021 period, the organisation disclosed 17 data breaches to the ICO over a 15 month period. More than 3,000 individuals may have been affected during this time period.
The incident which impacted the most people at once was an incident that occurred back in June 2020. The incident involved the use of personal information to make unauthorised changes to customer records. The HMRC reports that as many as 1,023 people were potentially affected by this incident alone.
One disclosed incident involved loss of data by the HMRC back in March 2020. An office move resulted in a locked pedestal being forced open and the subsequent loss of personal content.
In one disclosed incident that occurred in March 2021, four people were affected when an HMRC employee contravened company policy to access internal systems in order to locate their estranged wife and children. The affected individuals were informed of the breach and the employee was dismissed for their actions.
If you have evidence of a personal data breach by the HMRC, call our advisors.
A study has shown that HMRC reported itself to the ICO for 17 breaches over a 15-month period. Over 3,000 individuals may have been affected during this time. The most impactful data breaches may have occurred in June 2020. This was a month where the HMRC used personal data to make changes to customer records that weren’t authorised.
Source: https://www.itpro.co.uk/security/data-breaches/361823/hmrc-suffered-17-data-breaches-over-15-months
How Could I Claim Compensation For Stress Should An HMRC Data Breach Occur?
You may be wondering, ‘If an HMRC data breach were to occur, what potential steps could I take?’
There are several steps you could take following a personal data breach. Firstly, you would need to prove that your personal data was compromised in a breach. You would also need evidence that shows the breach was caused by the organisation’s failings and that you also suffered mental or financial harm as a result of the breach.
Evidence that can be useful for a personal data breach compensation claim includes:
- Any correspondence between yourself and the organisation responsible. For example, you may have been informed that your personal data was compromised in a data breach by letter. You can submit this letter as evidence.
- The results of an investigation by the ICO. If the data breach was reported to the ICO and they investigated, the results of the investigation could support a data breach claim.
- If you are claiming for mental suffering, you could submit a copy of your medical records showing the psychological injury you suffered, along with the prognosis and what treatment you required.
- For monetary losses, you could submit copies of your bank statements or a credit report to demonstrate how you were harmed financially.
If you have any questions, such as “Could I claim compensation for stress if an HMRC data breach were to occur and affect my personal data?’, please get in touch with one of the advisors from our team.
Compensation Payouts After A HMRC Loss Of Data Incident
Following a successful HMRC data breach claim, compensation can be awarded for two different types of damage. These are:
- Material damage: this refers to financial losses stemming from a breach of personal data. Examples include a loss of earnings for time off work and money spent on therapy.
- Non-material damage: non-material is the psychological impact of having your personal information breached.
In the case of Vidal-Hall and Others v Google Inc [2015], the ruling stipulated that people who experienced personal data breaches can claim compensation for psychological injuries independent of financial loss. This means that you can claim for one type of damage on its own, or both.
We have provided the psychological injury brackets from the Judicial College in this table. Solicitors (or others responsible for valuing claims) can use these guidelines to help value your potential HMRC loss of data claim.
Compensation Table
It is important we emphasise that the top entry is not a JCG figure. This information has been provided for guidance purposes only.
| Type of Harm | Severity | Guideline Compensation Amount |
|---|---|---|
| Very Severe Psychological Injury with Financial Losses | Very Severe | Up to £250,000 + |
| General Psychiatric Injury | Severe (a) | £66,920 to £141,240 |
| Moderately Severe (b) | £23,270 to £66,920 | |
| Moderate (c) | £7,150 to £23,270 | |
| Less Severe (d) | £1,880 to £7,150 | |
| Post-Traumatic Stress Disorder | Severe (a) | £73,050 to £122,850 |
| Moderately Severe (b) | £28,250 to £73,050 | |
| Moderate (c) | £9,980 to £28,250 | |
| Less Severe (d) | £4,820 to £9,980 |
No Win No Fee Claims For A HMRC Data Breach
For many, the thought of paying for a solicitor and then losing the claim is off-putting. We realise that and it’s why our panel of data breach solicitors offer their services on a No Win No Fee basis. If your claim is taken on under a No Win No Fee agreement, you won’t need to worry about paying any solicitor fees upfront. Also, you’ll only pay for your solicitor’s work if you’re compensated.
After reviewing your case, you’ll be sent a Conditional Fee Agreement (CFA) if a solicitor agrees to work for you. A CFA is a formal term for a No Win No Fee agreement. This contract will make it clear what conditions must be met before you’ll need to pay the solicitor’s fees.
Essentially, you’ll pay a ‘success fee’ if your claim is won. Success fees are legally capped. If you have evidence of a valid claim, you could do so on a No Win No Fee basis. Why not find out today?
Contact Us About A Data Breach
We’ve almost reached the end of the article about what you could do following an HMRC data breach. If you have a justifiable claim, you could contact us by:
- Calling our advisors on 0800 408 7825.
- Asking a specialist for advice using our live chat.
- Contacting us online to arrange a callback when it’s convenient for you.
We are happy to provide free legal advice whether you decide to take action or not. Therefore, why not call today?
Useful Links
Data Breach Solicitors – More on how data breach solicitors can help you to claim damages.
Failure To Use BCC – If you’ve suffered because the BCC field was not used in an email and your personal data was exposed, this guide could help you to claim.
Lost Device Claims – This article looks at how you could be compensated if a lost device containing personal data causes you to suffer.
Your Data Matters – Several guides from the ICO on protecting your personal data.
HMRC Subject Access Requests – Information on how to request copies of the data HMRC holds about you.
Anxiety Support – Detailed information about anxiety support that’s available from the NHS.
You’ve reached the end of this article about what steps you might take after an HMRC data breach. Please call if you’ve got any further questions.
