HMRC Data Breach Compensation Claims
By Stephen Moreau. Last Updated 14th July 2023.
Any organisation with access to your tax information has a responsibility to keep it confidential and secure. Any use or sharing of it must be valid and lawful under data protection laws. If you suffered harm because your tax information was not kept secure or was used inappropriately, you could be eligible to make a claim for compensation against the organisation responsible. This is a guide on what you could do if you have suffered due to a tax or HMRC data breach.
This guide will talk about data breach compensation claims, valid use of your information and explain the actions you can take if you have suffered harm from a breach and are looking to make a claim for compensation.
Our advisers can also help you. They offer free legal advice and can discuss your claim at length over a free consultation. You can get in touch with one now by
Select A Section
- What Is A Tax Or HMRC Data Breach?
- What Sensitive Data Could HMRC Hold?
- Examples Of A HMRC Personal Data Breach
- How To Claim For A Breach Of The UK GDPR
- HMRC Data Breach Compensation Calculator
- Talk To A No Win No Fee Solicitor
Personal data or personal information is any information that can be used to identify you, whether directly or indirectly. For example, your address or bank details are personal information.
A personal data breach occurs when a security incident causes the accidental or unlawful disclosure, loss, destruction, change of or access to personal information.
Any unlawful use, sharing or altering of any of your tax information can be a data breach. As it is your personal data, it comes with protections under the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018.
Organisations with access to your tax information have a responsibility to:
- Maintain the strict confidentiality of the information, and not process or share it without a lawful reason
- Ensure that it is properly secured, whether physically or digitally, so as to prevent unauthorised access
- Maintain the accuracy of your personal information, so as not to share false or misleading information
A data breach can be grounds for a claim if it leads to a person suffering harm, such as financial or psychological harm. It would also need to be caused by the wrongful conduct of the organisation. For instance, the organisation might not have provided adequate cybersecurity, allowing a hacker to gain unauthorised access to personal data.
If you were affected by an HMRC data breach, please reach out to one of our advisers to discuss your options.
Can I Claim Compensation If I Have Evidence I Was Affected By An HMRC Data Breach?
You may be curious as to whether you can claim compensation from HMRC for the stress caused by a data breach. Firstly, there is legislation in place to protect your personal data.
If there is a data breach involving your personal data, the data controller should inform you without undue delay. The data controller is typically an organisation. It is their job to determine why your personal data is collected, what data they need and how it will be stored. These tasks might be outsourced to a data processor.
In addition to informing data subjects that their personal data has been compromised, the data controller needs to inform the Information Commissioner’s Office (ICO) of a notifiable data breach within 72 hours of awareness. The ICO is an independent body that upholds data rights.
To be eligible for data breach compensation, you must be able to prove that the data breach occurred due to the data controller or processor failing to adhere to the legislation. In addition to this, you must have evidence that your personal data was compromised and that you suffered harm as a result. For example, if the data controller informed you, any communications between yourself and the controller could be submitted. Confirmation from the ICO that the data breach happened could also be submitted.
If you have evidence, you could potentially claim for an HMRC data breach. Additionally, you will need proof of the harm you suffered. For financial losses, this could be your banking records. If you are claiming for stress due to a data breach, you could submit your medical records.
Government Data Protection Breach Statistics
The Information Commissioner’s Office (ICO) is the UK’s independent body dealing with information rights. They publish quarterly reports of data security incidents and breaches that organisations have identified and reported back to them.
In the 3rd quarter of 2021/22, central government reported 67 data breach incidents.
HMRC documents can carry personal information such as:
- Name and contact information
- Employment history
- Salary information
- National Insurance number
Confidentiality applies to any and all personal information. Whether it’s a name, a phone number or a person’s missed tax payment, all of this information should be kept confidential and only be used or shared for valid reasons.
A personal data breach could occur because of the below.
A human or clerical error could lead to:
- A person’s tax information being sent to the wrong address
- Wrong or inaccurate information about a person being sent out in response to a request
As mentioned, data protection applies to both maintaining the accuracy of the information and making sure it is not shared with unauthorised people. Whether done intentionally or accidentally, actions such as these can be grounds for a claim.
Poor data confidentiality
People with access to personal information might not be aware of or follow the strict standards set out in data protection laws. An administrator, for example, might share information with an unauthorised person about your date of birth from your tax documents. They could do this if they’re unaware that this can constitute a data breach.
Bad Data Security
It falls on the organisation with access to your personal data to make sure it is secure.
Bad data security practices are actions like:
- Leaving employee personal data in areas that can be easily accessed by other employees
- Using a shared device to store or access tax information
- Leaving important administrative duties to untrained or new staff
If you suffered harm from a breach of your HMRC data, please get in touch with an adviser for information on the actions you can take.
If an organisation failed to properly secure your tax information, you could make a data protection complaint in writing to them. Usually, organisations will advise you of a personal data breach if it risks your rights and freedoms so you won’t need to inform them. However, if you do contact them and they provide an unsatisfactory response or you are unable to solve your data protection complaint with them, you can pass the matter on to the ICO. The ICO recommends doing this within three months of your last correspondence.
If you wish to make a claim, you can gather evidence of how the breach affected you and evidence that proves the data breach.
This can be:
- Emails (and similar correspondence): For example, emails from the organisation acknowledging their part in the breach and what personal data was involved.
- Financial Records: If your information was used to steal money from you, maintain records of this as proof of your financial losses.
- Medical Records: If you suffered mental harm, such as stress from the breach, medical records of your diagnosis can act as evidence in a claim. A data breach solicitor can help you arrange an independent medical assessment to provide a report.
Our advisers can discuss your situation with you and inform you of the steps you can take to start a claim for an HMRC data breach.
How Long Do I Have To Start A Data Breach Claim?
As well as ensuring you meet the eligibility criteria for starting a data breach claim, you need to make sure you have enough time to start your case. There is usually a time limit applied to starting a data breach compensation claim. The amount of time you’ll have will depend on the type of organisation your claim is made against. Following a data breach, you’ll usually need to start your claim within one year if it’s against a public body. Otherwise, you will have six years to start legal proceedings.
You can contact our advisers online or on the phone today if you would like to speak to them about your eligibility to claim data breach compensation.
Compensation in data breach claims can come in two forms.
The first head is material damages. This is intended to compensate you for any financial losses you may have suffered because of the breach.
Financial losses can include:
- Theft: If your exposed personal information was used to steal money from you
- Loss Of Income: If the breach affected your ability to work e.g. if wrong tax information led to you losing out on work
- Costs Towards Treatment: If you required help or counselling not available on the NHS, for example
The second head is non-material damages. This is intended for psychological injuries you have suffered because of the breach. The award would be to compensate you for the distress the breach caused you.
The Judicial College Guidelines (JCG) contains award brackets for psychological injuries. The JCG is typically referred to when assessing compensation amounts in claims. We’ve included a table below to show you potential awards.
| Injury | Notes | Award |
|---|---|---|
| Severe Psychological Damage | A person's ability to function in life was severely affected | £54,830 to £115,730 |
| Moderately Severe Psychological Damage | Injuries similar to above, but with a more optimistic prognosis for recovery | £19,070 to £54,830 |
| Moderate Psychological Damage | The person is recovering well after initial struggles to cope with life | £5,860 to £19,070 |
| Less Severe Psychological Damage | Person's ability to perform daily activities was affected for a time | £1,540 to £5,860 |
| Severe PTSD | Psychological injury that leaves the person unable to function | £59,860 to £100,670 |
| Moderately Severe PTSD | Injuries similar to above, but with a better prognosis | £23,150 to £59,860 |
| Moderate PTSD | Where the person initially showed signs of PTSD but is now mostly recovered | £8,180 to £23,150 |
| Less Severe PTSD | The person will have more or less recovered within two years | £3,950 to £8,180 |
The ruling in the Court of Appeal case of Vidal-Hall and others v Google Inc means you can seek either form of compensation independently. You do not need to have suffered financial harm to make a claim for suffering mental harm. You can also seek compensation for both forms of damage.
Our advisers can give you more information about the compensation you could be awarded in your claim. Why not reach out to them for a free consultation about your situation?
A No Win No Fee solicitor could help you make your claim.
This is a solicitor working on an agreement to only charge you a fee on the condition that your claim is successful. There would be no upfront or ongoing lawyer’s fees. If you are awarded compensation, their fee would come as a success fee, which is a percentage of the awarded compensation. This percentage is capped by law. If your claim fails, you would not have to pay the success fee at all.
A solicitor from our panel could represent you if you have evidence of a valid HMRC data breach claim. To inquire about speaking to one, reach out to one of our advisers now by:
Further Guidance On Dealing With A Data Breach
We’ve included additional links you might find helpful, including:
- ICO: The ICO’s guide to taking your case to court and claiming compensation.
- HMRC: HMRC’s privacy notice detailing how they use information about you.
- GOV: The government’s guide to making a subject access request to HMRC.
Thank you for reading our guide to dealing with an HMRC data breach. We offer guides on other topics such as:
Checked by HT