Taxing issue: HMRC flayed for data governance failures

HM Revenue & Customs (HMRC) has found itself in the dock after new figures reveal it reported almost a dozen serious personal data breaches to the Information Commissioner’s Office during the most recent financial year, hitting more than 23,000 people.

According to an analysis by legal firm Griffin Law, one incident alone affected 18,864 consumers, while the 11 incidents, which took place over the course of 2019/20, affected a grand total of 23,173 people.

The law firm has branded HMRC “breathtakingly incompetent”, with hundreds of customers yet to be informed about at least one incident.

Griffin Law principal Donal Blaney said: “Taxpayers have a right to expect their sensitive personal data to be kept secure by the taxman; the ICO should immediately investigate HMRC for these breaches and hold them to account.”

The most serious, which occurred in May 2019, involved National Insurance number letters relating to 16-year-olds being sent with incorrect details, affecting nearly 19,000 individuals. The errors included spelling mistakes, previous birth names, children who had since been adopted, and transgender children.

Among the incidents was also a fraudulent attack in February 2020, which resulted in 64 employees’ details being obtained from three PAYE schemes. The personal details of 573 people, including name, contact details and ID data, were exposed as a result. These people, however, have not yet been contacted as the incident is still under investigation.

HMRC said in its latest annual report: “We deal with millions of customers every year and tens of millions of paper and electronic interactions. We take the issue of data security extremely seriously and continually look to improve the security of customer information.

“We investigate and analyse all security incidents to understand and reduce security and information risk. We actively learn and act on our incidents. For example, by making changes to business processes relating to post moving throughout HMRC and undertaking assurance work with third-party service providers to ensure that agreed processes are being carried out.”

Even so, it seems that the ICO has its own issues. According to a recent Freedom of Information request, the regulator itself suffered 48 personal data breaches by employees during the past financial year. However, in a classic case of the ICO marking its own homework, none of these incidents was deemed serious enough for further investigation.
