If you’re the victim of a data breach caused by your employer, you may suffer mental distress or financial harm. We have put this guide together to explain what you may need to know about making employee data breach claims against HMRC, if HMRC employs you. If HMRC breaches the UK General Data Protection Regulation (UK GDPR), which applies alongside the Data Protection Act 2018, you could have the right to claim compensation if you can prove that its failings caused you harm.
What Data Protection Rights Do HMRC Employees Have?
You may already be aware of the Information Commissioner’s Office (ICO), which enforces data protection law in the UK. It could investigate an employee data breach of GDPR. If it finds that an HMRC data breach has violated legislation, it could issue enforcement action, which could include hefty fines. While you could report an HMRC data protection breach to the ICO, and ask them to investigate, you do not have to do so to make a claim.
No matter whether the data breach you were the victim of related to a malicious act, such as a cyberattack, virus, or hacking, or whether it was due to an employee’s error or mismanagement of your data, this guide could answer your questions.
However, we recognise that you might have questions specific to your case. If you would like to chat with us about your case, you can click the Live Chat button on this page at any time, or alternatively, click the banner below. We would be happy to help.
Select A Section
- What Is The GDPR?
- Is HMRC Employee Data Protected By The GDPR?
- What Are The Main GDPR Principles?
- Types Of Employee Data Which Is Protected By The GDPR
- What Is A GDPR Data Breach By An Employer?
- How Could HMRC Breach Employees Data Privacy?
- What Is An Employee Data Breach Claim Against HMRC?
- Should Employers Obtain Consent To Sharing Of Employees Personal Information
- What Action Should Employers Take If Employee Data Is Breached?
- What Is The Information Commissioner’s Office?
- Guidelines From The ICO How To Protect Employee Data
- How To Report A GDPR Data Breach By Your Employer
- Calculating Compensation For An Employee Data Breach Claim Against HMRC?
- Make A No Win No Fee Employee Data Breach Claim Against HMRC
- Resources For Data Protection Claims
- GDPR – FAQs For Government Employees
What Is The GDPR?

The General Data Protection Regulation, or GDPR for short, is one of the strictest and most wide-reaching data protection laws in the world. Since leaving the EU, the UK has retained it as the UK GDPR, which applies alongside the Data Protection Act 2018.

GDPR regulates those who collect, process and store the personal information of data subjects, and gives those data subjects rights over that information. Employers who process the personal information of their employees must abide by GDPR, as must most other organisations. Whether you work for HMRC at the border, in the Valuation Office Agency, in the Adjudicator’s Office or elsewhere in the organisation, it must take steps to protect your personal information.

This does not just mean protecting data held on computer systems and networks from phishing attacks, ransomware or data theft. It also means protecting information held on paper: in filing cabinets, notebooks and other documents.
If HMRC breaches your personal data, you could suffer emotional and financial harm. If you can prove this has happened to you, you could make employee data breach claims against HMRC.
Is HMRC Employee Data Protected By The GDPR?

During the course of your employment, your employer will collect, store and process your personal information. It needs certain data to fulfil its contract with you. This could include your name, address and e-mail address, and may extend to medical information. It will also collect financial information, such as bank details, in order to pay you.

It may also hold more sensitive information about you, such as records of sick leave, bereavements and disciplinary matters. GDPR requires that such personal information is protected.
Just like any other employer, if HMRC breaches data protection law, the ICO could hold it to account. So could those who have suffered emotional or financial harm because of an HMRC breach of data protection. Employees of HMRC, like those who work for other organisations, have the following data rights under GDPR:
- The right to access their personal data
- The right to have inaccurate data corrected
- The right to be informed about the collection of their data and how it will be used
- The right to object to an organisation collecting, storing and processing their data
- The right to erasure of their data
- The right to restrict certain processing of their data
- Rights that relate to profiling and automated decision making
- The right to data portability
If you can prove that an employee information data breach infringes on your rights, data breach claims against HM Revenue and Customs could be justified for the harm the breach causes you. This could include psychological harm as well as financial harm.
What Are The Main GDPR Principles?

There are seven principles that underpin every aspect of GDPR. These are:
- Lawfulness, fairness and transparency – organisations must process data on a lawful basis and must inform data subjects clearly about how their data is used.
- Purpose limitation – organisations must specify the purposes for which they process information and must not process it for purposes incompatible with those.
- Data minimisation – organisations should collect and process only the minimum data needed for the purpose.
- Accuracy – organisations must ensure data is accurate and, where necessary, kept up to date.
- Storage limitation – organisations should keep data for no longer than is necessary for the purpose.
- Integrity and confidentiality – organisations must keep personal data secure, using appropriate technical and organisational measures such as encryption or pseudonymisation where appropriate.
- Accountability – organisations must be able to demonstrate that they comply with the other principles.
You can find out more about these principles by visiting the ICO website.
Types Of Employee Data Which Is Protected By The GDPR

As we mentioned earlier, HMRC must protect your personal data. But what is personal data, and what data could HMRC hold on you?

The ICO defines personal data as information relating to an identified or identifiable living individual. This includes data that could identify you on its own, or when combined with other information. Examples include:
- Personal information such as your date of birth, address, name, contact details, e-mail address
- Financial information such as your bank details
- Medical information such as sick record or details of conditions you suffer from
- Employee information such as your disciplinary record
HMRC must protect data wherever it is held: on its own computers, in cloud-based databases, and while it is in transit over a network (for example through a virtual private network (VPN)). It must also protect data in notebooks and filing cabinets. A failure to do so could cause you harm.
If you can prove that this has happened to you, you could make a data breach claim against HMRC. We would be happy to answer any questions you might have about data breach claims involving violations of employee data.
What Is A GDPR Data Breach By An Employer?

The ICO defines a personal data breach as a breach of security that leads to personal data, whether it is being transmitted, stored or otherwise processed, being:
- Accidentally or unlawfully destroyed, lost or altered
- Disclosed to, or accessed by, someone who is not authorised to see it
How Could HMRC Breach Employees Data Privacy?

HMRC data protection breaches could happen in a number of ways. A few examples include:
- Human resources (HR) staff discussing your personal medical information with a manager within earshot of your colleagues
- A file containing your payment information, including your bank details, being left open on top of a filing cabinet for all to see
- A successful phishing attack that gives an attacker unauthorised access to your name, address and contact details
If you’re not sure whether an employee data breach of GDPR could justify a claim, we could help. Simply click the Live Chat button to chat with us.
If you’re wondering whether HMRC has breached data protection law before, its 2019/20 annual report records a number of data incidents. Examples include:
- 20/05/2019 – a data incident occurred that potentially affected 18,864 16-year-olds when National Insurance Number letters were sent out with incorrect details.
- 26/07/2019 – paperwork relating to a member of staff was left on a train.
- 14/02/2020 – a cyber attack caused a breach of the name, contact details, ID data and payroll scheme data of 64 employees.
Whether the HMRC data breach you were affected by related to a similar incident to the above, or in another type of incident, it could affect you in different ways.
What Is An Employee Data Breach Claim Against HMRC?

Employee data breach claims against HMRC may not fully undo the harm you’ve suffered, particularly any psychological damage. However, compensation could go some way towards helping you move forward after a data protection breach.

Article 82 of the UK GDPR gives those who suffer material or non-material damage because of an infringement the right to claim compensation, and Section 168 of the Data Protection Act 2018 confirms that non-material damage includes distress. To succeed in employee data breach claims against HM Revenue and Customs, you would need to show that:
- HMRC infringed data protection law in handling your personal data and was responsible for the breach
- You’d suffered material or non-material damage as a result
You would not be able to make employee data breach claims against HMRC if you had not suffered some type of damage because of the data breach. To learn more, simply get in touch with us.
Should Employers Obtain Consent To Sharing Of Employees Personal Information

Sharing personal information without consent could, in some cases, lead to employee data breach claims against HMRC if consequential mental or financial damage can be proved.

However, sharing personal information without consent is lawful in many circumstances. Consent is only one of the lawful bases for processing under GDPR; an organisation can share personal information without your consent if another lawful basis applies. These include:
- To fulfil a legal obligation
- In order to fulfil a contract
- If there are legitimate interests (although a public authority such as HMRC cannot rely on this basis for processing it carries out in the performance of its public tasks)
- For public interest tasks
- If there are vital interests in doing so, such as to protect a life
If HMRC shares your personal information without your consent, and without a valid reason, a lawyer could help you claim compensation for the harm such a breach has caused you.
What Action Should Employers Take If Employee Data Is Breached?

If an HMRC breach of data protection occurs, the organisation has legal obligations to fulfil. Where the breach is likely to result in a risk to the rights and freedoms of individuals, the organisation must report it to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. If it reports later than that, it must give reasons for the delay. The breach report must include:
- The nature/type of breach
- How many records and data subjects could be affected
- The prospective consequences of the breach
- Any action taken or planned to address the breach
- Who the ICO should contact in respect of the breach

Where the breach is likely to result in a high risk to individuals’ rights and freedoms, the organisation must also inform the affected data subjects without undue delay. If a breach is unlikely to result in a risk to rights and freedoms, the organisation does not have to report it to the ICO, but it must still record it in its internal breach log.
What Is The Information Commissioner’s Office?

The Information Commissioner’s Office upholds information rights in the UK. It enforces the Data Protection Act 2018 and the UK GDPR, as well as other legislation including the Privacy and Electronic Communications Regulations, and it has oversight functions under the Investigatory Powers Act 2016.

It could investigate HMRC data protection breaches and take enforcement action, which could include fining HMRC. For the most serious infringements, the ICO can fine an organisation up to £17.5m or 4% of its total annual worldwide turnover, whichever is higher.
Can The ICO Issue Data Breach Compensation?
The ICO does not have the power to award compensation for an employee information data breach. If you want to make employee data breach claims against HMRC, you could start by writing to HMRC and requesting an investigation.
If you’re not happy with the response you receive, you could get in touch with a data breach solicitor. They could assist you in making a claim against HMRC.
Guidelines From The ICO How To Protect Employee Data

Guidance from the ICO on how to protect employee data can be found in its Employment Practices Code. It covers workplace monitoring, health records and employee records, as well as recruitment data.

The code stresses that data protection law does not only apply to current employees. Organisations must protect the data of:
- Former and current contractors
- Successful and unsuccessful applicants
- Agency workers
- Former and current employees
- Previous applicants
- Casual workers
You do not have to be currently working for HMRC for them to breach your data. You could make employee data breach claims against HMRC whichever of these categories you fall into.
How To Report A GDPR Data Breach By Your Employer

If your data has been exposed or otherwise breached and you have suffered material or non-material damage, the ICO recommends that you first raise the matter with your employer. As the data controller, it should work with you to resolve the issue.
You could approach them by sending a letter or e-mail, including the following details:
- How you think they’ve breached your data – include details such as whether ransomware, spyware, phishing attacks, employee errors or other incidents have caused the breach.
- How the breach affects you – you could include details of any financial harm, a privacy violation, reputational damage or even psychological effects.
- What you would like them to do about it – you might want to ask them to investigate and pay you compensation.
Should they not respond to your satisfaction, you could escalate your concerns to the ICO, who could further investigate. If you don’t hear from HMRC with a meaningful response for three months, you could opt to get help from a data breach lawyer. If you have valid grounds to pursue compensation, they could launch a claim against HMRC for you.
Calculating Compensation For An Employee Data Breach Claim Against HMRC?

GDPR and the Data Protection Act 2018 allow victims of a breach of data protection to claim for both material and non-material harm.

Material harm covers the financial costs of a data breach, for example losses from identity fraud or theft. Non-material harm covers distress, anxiety and depression.

An important legal precedent set in 2015 allows victims of data breaches to claim for psychological and psychiatric damage. In Vidal-Hall and others v Google Inc, the Court of Appeal decided that data breach victims no longer needed to have suffered financial damage in order to claim for the mental impact. This opened the door for people to claim for either form of damage, or both.
To prove that your mental distress was caused by the data breach, you would need to undergo an independent assessment with a medical professional. They would examine you and produce a report that confirmed your injuries and prognosis.
Courts and lawyers could use this report, alongside a publication called the Judicial College Guidelines, to work out an appropriate compensation level for the damage inflicted.
The Judicial College Guidelines
The table below is made up of figures from the Judicial College Guidelines, 2019 edition. It could give you a rough insight into how much compensation could be appropriate for a psychological injury.

| Injury | Severity | Approximate guideline compensation bracket |
|---|---|---|
| General psychological injury | Severe | £51,460 to £108,620 |
| General psychological injury | Moderately severe | £17,900 to £51,460 |
| General psychological injury | Moderate | £5,500 to £17,900 |
| General psychological injury | Less severe | Up to £5,500 |
| PTSD (post-traumatic stress disorder) | Severe | £56,180 to £94,470 |
| PTSD (post-traumatic stress disorder) | Moderately severe | £21,730 to £56,180 |
| PTSD (post-traumatic stress disorder) | Moderate | £7,680 to £21,730 |
| PTSD (post-traumatic stress disorder) | Less severe | Up to £7,680 |
If you’re not sure what bracket your injury would fall into, or you’d like further insight into compensation payouts for employee data breach claims against HMRC, click the Live Chat button.
Make A No Win No Fee Employee Data Breach Claim Against HMRC

A No Win No Fee HMRC data breach claim means you do not have to pay legal fees upfront. If you work with a No Win No Fee data breach lawyer, they take a success fee (a legally capped percentage of your compensation) at the end of your claim, deducting it from your payout.

The process would usually work as follows:
- You’d sign a Conditional Fee Agreement (the formal name for a No Win No Fee agreement), which sets the level of the success fee and provides that it is only payable if you receive compensation.
- Your lawyer would negotiate with HMRC and its representatives for compensation. This might involve going through the courts, although many claims settle out of court.
- If your compensation award comes through, your solicitor deducts the agreed fee and you receive the rest.
- If there is no successful outcome, you would not be responsible for any of the fees your lawyer has incurred pursuing your case.
To talk to us about making No Win No Fee employee data breach claims against HMRC, why not fill out the contact form or use Live Chat to message us?
Alternatively, you could reach out to Legal Expert, whose details you’ll find below. They could conduct an assessment to see if you could claim.
Resources For Data Protection Claims

We hope you’ve found the information in this guide useful. You may also find the guides and websites below provide you with useful information.
How Long Should Organisations Take To Respond? – The ICO provides guidance on how long organisations could have to respond to a complaint or request.
Action The ICO Has Taken – You can find out when and how the ICO has acted to protect the rights of data subjects here.
Data Breach Statistics – Although there are no specific employee data breach statistics on the ICO website, you can read which sectors have been affected by data breaches here.
Know Your Rights As An Agency Worker – We explain agency workers’ rights in this guide.
NHS Data Breach Claims – If you’re considering claiming for an NHS data breach, this guide could be useful.
General Guidance On Employer Breach Claims – You can find some general guidance here.
GDPR – FAQs For Government Employees

Who Do I Need To Report The Data Breach To?
If you are the victim of a data breach, you should first direct your report to the organisation that breached your data. If they don’t respond satisfactorily, then you could go on to report them to the ICO. However, you don’t have to contact the ICO if you are making employee data breach claims against HMRC.
Are There Time Limits To Start A Claim?
You would usually have one year to bring a claim for a breach of your human rights. For general data breach claims, the limitation period is usually six years, although the date from which it runs can depend on the circumstances of the breach, so it is best to seek advice early.
How Long Could A Claim Take?
Depending on the complexities of your claim, this could differ. As part of the data breach claims process, the organisation would likely conduct their own investigation, and it may take some time to negotiate a settlement. If, however, the liable party admits fault right away and offers you compensation, this could be a relatively quick process.
Does The ICO Need To Have Taken Action For Me To Claim?
The ICO does not have to have taken any action to investigate the organisation for you to make employee data breach claims against HMRC.
Thanks for reading our guide to employee data breach claims against HMRC.
Guide by SJ
Edited by BER