The aim of this article is to explain the actions you could take after suffering an HMRC data breach and how to claim compensation. The HMRC is part of the government and retains a wide swath of personal data. It is bound by the data protection legislation called the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR). These laws establish how the public’s personal data must be legally processed.
Cybercrime and external hackers aren’t always responsible for data breaches. Often, simple human error can cause a security incident, so our guide will examine how an HMRC data breach might occur. In addition to this, we will detail what evidence you could use to support a claim for data breach compensation if you decide to sue.
Time limits for starting a claim are explained, and we close the guide by exploring how a data breach solicitor can assist you through the process. We also offer a no-obligation consultation with our advisors. If they determine that your HMRC data breach claim is eligible and you want to learn more about how to sue for data breach, they can connect you to expert legal representation from our panel solicitors:
- Call on 0800 408 7827 to discuss your personal data breach claim.
- Reach out and contact us online to get started.
- Start the conversation through the talk window option below.
Browse Our Guide
- What Is An HMRC Data Breach Claim?
- How Could An HMRC Data Breach Happen?
- What Do I Need To Make A Data Breach Claim?
- How Much Compensation For A Data Breach?
- How Long Do I Have To Claim For HMRC Data Breaches?
- How Can Data Breach Solicitors Help Me Claim?
- More Resources About Claiming For A Data Breach
What Is An HMRC Data Breach Claim?
A data breach is a security incident that compromises the availability, confidentiality and integrity of someone’s personal data. Personal data describes any piece of information that, on its own or when used in conjunction with other details, might suggest or disclose your identity.
In addition to this, there are other personal details which require more stringent care when being processed. We detail the types of information HMRC needs to collect and store like this in the section below.
To have a claim for damages following a data breach, you must meet the following eligibility criteria:
- The HMRC had a duty to protect the personal data they kept about you.
- They failed to properly comply with data laws, which led to a breach of personal data.
- This caused you harm, either financially, psychologically or both.
What Personal Information Does the HMRC Collect?
His Majesty’s Revenue and Customs (HMRC) collects the personal data of all tax-paying individuals in the UK. The personal data it collects also overlaps with details about national insurance, state benefits and customs on goods as part of its work to collect revenue. As such, HMRC potentially holds details about most people living in the United Kingdom.
Data about the following groups is routinely processed:
- Information about members of the public.
- Employee information.
The type of information gathered can include:
- Personal contact information (name, address, email and mobile).
- Gender information.
- Marital status and details on dependants.
- Bank account information.
- National Insurance numbers.
- Passport and driving license information.
- Employment and income information.
- Details on business activities and both domestic and business properties.
HMRC may also collect and store biometric data (such as voice recognition), health data and religious information (as relevant). Sensitive data such as this is known as special category data, and it must be processed with an enhanced level of care.
How Could An HMRC Data Breach Happen?
The Information Commissioners Office (ICO) is the independent regulator for data rights for UK citizens. They describe two groups that process personal data called controllers and processors. The controller is the one who sets out the reason for data collection and use. The processor then works on their behalf with the information. Processing could be done within the HMRC, but it can be carried out by separate agencies as well. Both controllers and processors must abide by DPA and UK GDPR laws when processing data.
Regardless of whether it’s a case of accidental human error or a deliberate data attack, wrongful conduct by those responsible for your data might prompt a security incident and be a breach of duty.
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised access or disclosure of personal data. Some examples of how HMRC data breaches might occur are as follows:
- Staff in the HMRC office send the personal data of a client to an incorrect home address or email address (despite having their correct details), allowing others to access the information.
- The IT defences within the HMRC office were not kept up to date which enabled cyber criminals to access the personal data of citizens and staff more easily.
- The card payment details of a citizen were not destroyed correctly and put in a normal bin.
- A tax demand was sent to the wrong person, causing them significant distress and anxiety.
- HMRC staff divulged personal information over the phone to unauthorised parties, which led to a threat to a client’s personal safety.
There can be a number of other scenarios in which an HMRC data breach could happen, and employees could sue their employer for a data breach. Call our advisory team to discuss your case.
What Do I Need To Make A Data Breach Claim?
Compensation claims for personal data breaches require evidence that shows how HMRC failed to comply with data protection laws in a way that left you harmed. Therefore, it’s important to keep hold of any of the following:
- Any correspondence about the data breach incident from HMRC.
- Statements and credit reports that reveal financial harm you suffered.
- Medical proof or a counsellor’s report about your mental state after the data breach.
- Wage slips proving you were unable to work because of the stress and as a result, lost earnings.
Call to discuss if you have questions.
How Much Compensation For A Data Breach?
Should you make a successful data breach compensation claim against HMRC, you could be awarded compensation for your material and non-material damage.
Non-material damage refers to the mental distress generated by the HMRC data breach. Knowing that personal details are compromised can create significant worry, anxiety and stress. It might even give rise to depression or trigger a trauma reaction bad enough to be diagnosed as Post Traumatic Stress Disorder (PTSD).
The legal professionals whose job is to calculate an amount for your non-material damage often refer to available psychiatrists’ and counsellors’ reports. They compare these findings with the award bracket entries in publications such as the Judicial College Guidelines (JCG).
This document provides award bracket guideline amounts for psychological injuries according to their severity. To illustrate, you’ll find an excerpt from the JCG below.
Compensation Guidelines
Harm Type | How Severe? | Guideline Amounts |
---|---|---|
Severe psychological injury and material damage payments for lost earnings and other financial losses. | Severe | Up to £500,000 plus. |
Psychological Harm of a General Nature | (a) Severe | £66,920 up to £141,240 |
(b) Moderately Severe | £23,270 up to £66,920 | |
(c) Moderate | £7,150 up to £23,270 | |
(d) Less Severe | £1,880 up to £7,150 | |
PTSD (Post-traumatic Stress Disorder). | (a) Severe | £73,050 up to £122,850 |
(b) Moderately Severe | £28,250 up to £73,050 | |
(c) Moderate | £9,980 up to £28,250 | |
(d) Less Severe | £4,820 up to £9,980 |
Please be aware that the award bracket amounts are intended purely as guidelines. Also, the first entry in our table does not come from the JCG.
To obtain a more accurate idea of what you could be owed in compensation for non-material damage, connect with our advisory team by phone, email or through the talk window below.
Can I Claim For Material Damage After A Data Breach?
Material damage reflects how the HMRC data breach caused you financial harm. As per our example above in the evidence section, you may have needed time away from work to deal with the stress prompted by the data breach. Wage slips showing this drop or loss in income are evidence in your claim.
Or there may be proof of other negative monetary impacts to put forward under material damage, such as the cost of re-establishing privacy on laptops and smartphones. Or needing to relocate home to avoid a threat to your safety. Keep all evidence of losses, and a solicitor from our panel could help you potentially claim them.
How Long Do I Have To Claim For HMRC Data Breaches?
Typically, as stated in the Limitation Act 1980, there are up to 6 years in which to start a compensation claim for data breaches for material damage and potentially with 3 years if it included non-material damage. If you’d like guidance on understanding when this might start in your case, please access free guidance from our team on the number above.
How Can Data Breach Solicitors Help Me Claim?
If you feel daunted at the prospect of starting a claim for an HMRC data breach claim on your own, see if a solicitor from our panel can help. They bring a wealth of expertise in handling data breach compensation claims. It carries no obligation to see if they can do all the legwork, such as collecting evidence, calculating actual losses and dealing with the defendant or court correspondence.
Furthermore, they can offer these services through a No Win No Fee contract. Typically, a Conditional Fee Agreement (CFA) is used, which extends the following benefits:
- A claim starts without the need for any upfront fees for the solicitors.
- No ongoing fees for solicitors’ work apply throughout the data breach claims process.
- No fees apply for completed work by the solicitors if the claim fails.
- An HMRC data breach claim that settles positively for you needs a small success fee to be paid. This is a percentage of the compensation, and it is subject to a legal limit.
- Because of this, you can confidently expect to receive most of the compensation.
If this sounds interesting, speak to our team. Data breach No Win No Fee solicitors might be able to step in and handle your claim for HMRC data breach compensation today. Allow our advisors to take you through a brief call to find out how strong your claim is. If it’s eligible and you want to go ahead, they could connect you to a data breach solicitor from our panel. Discover more when you:
- Call on 0800 408 7827 to discuss your personal data breach claim.
- Why not contact us online to get started?
- Start the conversation through the talk window option below.
More Resources About Claiming For A Data Breach
- In addition to this, read about a bank data breach claim.
- Also here is information on how to sue a post office for a data breach.
- Lastly, if you need to sue the NHS for a data breach, read here.
External links to help
- Read about the penalties the ICO have issued.
- More information from GOV.UK on the Data Protection Act.
- Advice on how to stay safe online here from the National Cyber Security Centre (NCSC).
We appreciate your time and interest in this guide about how to sue for an HMRC data breach via a No Win No Fee claim. Please direct any questions or concerns about how to claim data breach compensation to our advisors at the contact points above.