HMRC Data Breach – Essential Claims Guide

By Danielle Newton. Last Updated 23rd June 2023. This article aims to show you what you could do following an HMRC data breach. As a department of the UK Government that processes personal data, HMRC is bound by the rules of the UK General Data Protection Regulation (UK GDPR) and also the Data Protection Act 2018. These laws aim to keep your personal data safe.

When you think about data breaches, you might think of criminal hackers stealing data over the internet. However, human error might be to blame in many more cases than criminal activity.

During the course of this guide, we’ll look at what harm can be caused by a personal data breach. We’ll also explain the types of security incidents that could result in a claim. Finally, we’ll list some example compensation amounts so you can see what could be paid.

We don’t just help with personal injury claims, slip, trip and fall claims or public accident claims. We also provide free legal advice if you’re looking to claim data breach compensation.

During a no-obligation telephone consultation about your case, an advisor will assess whether you could be compensated. If the claim appears strong enough, we could connect you with a data breach lawyer from our panel. If they decide to represent you, they’ll provide a No Win No Fee service.

Do you have evidence of a valid claim? Why not call us on 0800 408 7825 today? Alternatively, please carry on reading to learn more.

Select A Section

  1. Our Essential Guide On Claiming For A HMRC Data Breach
  2. What Is A HMRC Data Breach?
  3. How Could HM Revenue And Customs Suffer A Data Breach?
  4. How Could I Claim Compensation For Stress Should An HMRC Data Breach Occur?
  5. Compensation Payouts after a HMRC Loss of Data Incident
  6. How Much Is A Data Breach Claim Worth?
  7. No Win No Fee Claims For A HMRC Data Breach
  8. Contact Us About A Data Breach
  9. Useful Links

Our Essential Guide On Claiming For A HMRC Data Breach

Her Majesty’s Revenue & Customs (HMRC) plays a vital role in collecting the money that covers the costs of public services. They’re involved in tax collection from businesses and individuals. Much of the personal data they process will be protected by the UK GDPR.

If a body that handles personal data fails to protect yours through positive wrongful conduct, and you suffer psychologically or financially as a result, you could seek compensation from them. In this guide, we’ll explain the process of doing so.

The Information Commissioner’s Office (ICO) is responsible for enforcing data protection laws. They have been given the authority to investigate any potential data breach. Where fault is found, they may help the organisation involved to put things right. Additionally, they could issue fines or enforce changes in how personal data is processed at the organisation. However, they do not have any power to compensate individuals (data subjects) affected by a breach. Therefore, we’ll explain how you could take action.

UK Government data breach statistics

Let’s now look at how many data security incidents involving central government departments have been reported to the ICO. The graph below shows non-cyber security incidents during the period July 1st to September 30th 2021. The most common type of incident was data being posted or faxed to the wrong recipient.

[Graph: HMRC Data Breach Statistics]

Because of the UK GDPR, organisations (including government departments) need to inform the ICO about notifiable security incidents. These figures are collated and published each quarter. Our chart is based on these statistics.

What Is A HMRC Data Breach?

It’s important to understand what a data breach is when you entrust your personal data to others. According to ICO documentation, personal data breaches are breaches of security that result in:

  • The unauthorised or accidental loss, destruction, alteration, access or disclosure of personal data.

They can be accidental or deliberate.

Personal data is any information that can be used to identify you directly or alongside other information.

A personal data breach claim isn’t always possible, though. To be entitled to claim you’ll need to show that:

  • There was a data breach and your personal data was involved; and
  • The defendant’s failure to act or their actions caused the breach to occur; and
  • You lost money and/or suffered mental harm because of the breach.

Also, you’ll need to ensure you claim within the allowable time limits. In some cases, you’ll have 6 years to begin taking action. However, for some claims against public bodies, a 1-year time limit applies. Therefore, we’d suggest that you talk to us about your options as soon as possible.

How Could HM Revenue And Customs Suffer A Data Breach?

In this section of our guide on what you could do after an HMRC data breach, we’ve added some possible data breach scenarios. They include:

  • Tax demands containing personal data sent to the wrong postal address, despite having the correct address on file.
  • Personal tax information is shared with others without a lawful basis.
  • A device containing personal data is lost or stolen and is unsecured.
  • Where a message is sent to the wrong email address and it contains your personal data, but the recipient isn’t authorised to access this.
  • If an officer discloses personal information about you to an unauthorised party.
  • Where unredacted personal information is published in an online report.

As shown in the list above, human error can cause data breaches just as criminal activity can.

Examples Of HMRC Loss Of Data Incidents

According to the HMRC’s Annual Report and Accounts for the 2020 to 2021 period, the organisation disclosed 17 data breaches to the ICO over a 15-month period. More than 3,000 individuals may have been affected during this time period.

The incident that impacted the most people at once occurred back in June 2020. It involved the use of personal information to make unauthorised changes to customer records. The HMRC reports that as many as 1,023 people were potentially affected by this incident alone.

One disclosed incident involved loss of data by the HMRC back in March 2020. An office move resulted in a locked pedestal being forced open and the subsequent loss of personal content.

In one disclosed incident that occurred in March 2021, four people were affected when an HMRC employee contravened company policy to access internal systems in order to locate their estranged wife and children. The affected individuals were informed of the breach and the employee was dismissed for their actions.

If you have evidence of a personal data breach by the HMRC, call our advisors.

A study has shown that HMRC reported itself to the ICO for 17 breaches over a 15-month period. Over 3,000 individuals may have been affected during this time. The most impactful data breaches may have occurred in June 2020. This was a month where the HMRC used personal data to make changes to customer records that weren’t authorised.


How Could I Claim Compensation For Stress Should An HMRC Data Breach Occur?

You may be wondering, ‘If an HMRC data breach were to occur, what potential steps could I take?’

There are several steps you could take following a personal data breach. Firstly, you would need to prove that your personal data was compromised in a breach. You would also need evidence that shows the breach was caused by the organisation’s failings and that you also suffered mental or financial harm as a result of the breach.

Evidence that can be useful for a personal data breach compensation claim includes:

  • Any correspondence between yourself and the organisation responsible. For example, you may have been informed that your personal data was compromised in a data breach by letter. You can submit this letter as evidence.
  • The results of an investigation by the ICO. If the data breach was reported to the ICO and they investigated, the results of the investigation could support a data breach claim.
  • If you are claiming for mental suffering, you could submit a copy of your medical records showing the psychological injury you suffered, along with the prognosis and what treatment you required.
  • For monetary losses, you could submit copies of your bank statements or a credit report to demonstrate how you were harmed financially.

If you have any questions, such as ‘Could I claim compensation for stress if an HMRC data breach were to occur and affect my personal data?’, please get in touch with one of the advisors from our team.

Compensation Payouts after a HMRC Loss of Data Incident

It’s important to note that there are two main criteria that the data breach needs to fulfil for you to be able to claim. Firstly, there needs to be some form of wrongful positive conduct from the third party that processed your personal data. This can be either due to an action or inaction that has resulted in you suffering a data breach.

For example, the reason you may be able to claim for an HMRC data breach could be because their failure to update cyber security systems caused important personal data to be lost or stolen.

However, there is a second criterion you must fulfil in order to be eligible to claim for a data breach. To claim, you also need to have suffered some form of financial harm or mental suffering because of the data breach. These are known as material and non-material damages.

  • Financial harm relates to material losses that you have suffered due to the breach. For example, if your payment details have been sent to the incorrect email address, money may be stolen from your bank account.
  • Mental suffering relates to the psychological injuries caused by the breach. For instance, you could suffer from anxiety, distress, depression or post-traumatic stress disorder (PTSD) as a result of your personal data being exposed.

To potentially claim for a loss of data, you would need to provide evidence to support your case. A solicitor from our panel can help you build your case and offer guidance related to the claims process. Contact us now using the above details.

How Much Is A Data Breach Claim Worth?

In a case at the Court of Appeal (Vidal-Hall and Others v Google Inc [2015]), an important decision was made. The Court held that compensation can be sought for the mental harm caused by a data breach even if the event didn’t cause you to lose money. This was a change to previous rulings where you needed to suffer financial loss in order to seek damages for mental harm.

So, how much could be awarded if you’ve suffered from anxiety, depression or distress because of a breach? To give you some idea, we’ve added a compensation table below. Please bear in mind, claims are unique and so these figures are for guidance only. If your case is taken on by a solicitor from our panel, they will inform you of what you could claim once your suffering has been assessed.

Solicitors and insurers use guidelines from the Judicial College to help determine settlement figures. Therefore, the figures in our table are based on the same guidelines. The figures below are taken from the most up-to-date guidelines, published in April 2022.

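| Injury / Claim | Severity | Compensation Range |
|---|---|---|
| Mental Harm (anxiety, distress etc) | Severe (a) | £54,830 to £115,730 |
| Mental Harm (anxiety, distress etc) | Moderately Severe (b) | £19,070 to £54,830 |
| Mental Harm (anxiety, distress etc) | Less Severe (d) | £1,540 to £5,860 |
| Post-Traumatic Stress Disorder | Severe (a) | £59,860 to £100,670 |
| Post-Traumatic Stress Disorder | Moderately Severe (b) | £23,150 to £59,860 |
| Post-Traumatic Stress Disorder | Less Severe (d) | £3,950 to £8,180 |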

If you’d like a free assessment of how your claim might be valued, why not get in touch with an advisor?

No Win No Fee Claims For A HMRC Data Breach

For many, the thought of paying for a solicitor and then losing the claim is off-putting. We realise that and it’s why our panel of data breach solicitors offer their services on a No Win No Fee basis. If your claim is taken on under a No Win No Fee agreement, you won’t need to worry about paying any solicitor fees upfront. Also, you’ll only pay for your solicitor’s work if you’re compensated.

After reviewing your case, you’ll be sent a Conditional Fee Agreement (CFA) if a solicitor agrees to work for you. A CFA is a formal term for a No Win No Fee agreement. This contract will make it clear what conditions must be met before you’ll need to pay the solicitor’s fees.

Essentially, you’ll pay a ‘success fee’ if your claim is won. Success fees are legally capped. If you have evidence of a valid claim, you could pursue it on a No Win No Fee basis. Why not find out today?

Contact Us About A Data Breach

We’ve almost reached the end of the article about what you could do following an HMRC data breach. If you have a justifiable claim, you could contact us by:

  • Calling our advisors on 0800 408 7825.
  • Asking a specialist for advice using our live chat.
  • Contacting us online to arrange a callback when it’s convenient for you.

We are happy to provide free legal advice whether you decide to take action or not. Therefore, why not call today?

Useful Links

Data Breach Solicitors – More on how data breach solicitors can help you to claim damages.

Failure To Use BCC – If you’ve suffered because the BCC field was not used in an email and your personal data was exposed, this guide could help you to claim.

Lost Device Claims – This article looks at how you could be compensated if a lost device containing personal data causes you to suffer.

Your Data Matters – Several guides from the ICO on protecting your personal data.

HMRC Subject Access Requests – Information on how to request copies of the data HMRC holds about you.

Anxiety Support – Detailed information about anxiety support that’s available from the NHS.

You’ve reached the end of this article about what steps you might take after an HMRC data breach. Please call if you’ve got any further questions.