Editorial team AccountingWEB.co.uk

HMRC accused of data breach as agents receive wrong penalty notices

Accountants have raised concerns over possible personal data breaches at HMRC after receiving late penalty notices for clients of other agents. Maddy Christopher and Tallula Brogan report.

26th Mar 2021

Last week, AccountingWEB user Cholmes first reported receiving five late penalty notices from HMRC – with only one of the five regarding their clients. The remaining notices were addressed to two other firms.

The AWEB community has been reporting these incidents for the past week, with many unsure of what to do with the notices received. Some were hesitant to forward the notices to the correct agents for fear of causing a further data breach themselves.

Members who did approach HMRC with the issue have struggled with the assistance provided. When Cholmes got through to HMRC after being put on hold for 40 minutes, the helpline operator seemed “disinterested” and surprised that this member had even called: 

“The only suggestion given was to return the penalty notices to HMRC,” Cholmes said. “When I asked why I had received them, I was told she didn't know and couldn't comment. No other suggestions offered nor any apologies offered.”

AccountingWEB member Blazefan also reportedly received six late filing penalty notices in a single envelope, only two of which were for their clients. The notices contained the names and addresses of the practices, the names of their clients, and the clients' Unique Taxpayer References (UTRs).

Blazefan copied the incorrect notices and returned them to HMRC with a covering letter, and forwarded the copies to the correct accountancy practices: “I have not as yet received a response from HMRC, however the other practice has thanked me for forwarding them on.”

HMRC's agent forum has seen further complaints; ICAEW technical manager Caroline Miskin received a report from a member of the community who was sent six late filing penalty notices, five of which were sent in error.

HMRC’s response

AccountingWEB approached HMRC about the stories shared on Any Answers and the agent forum and was told: 

“HMRC takes its responsibilities under UK GDPR very seriously. The vast majority of privacy notices will be issued and received correctly, but if any agents receive notices or any correspondence for wrong clients, we would ask that they notify HMRC to enable us to investigate why it happened and take appropriate action.”

It was then highlighted to HMRC that many agents are unable to get through to them or are not getting an adequate response. The spokesperson could offer no additional information but confirmed that HMRC is aware and would be looking to contact the agents.

HMRC administration flaws

AccountingWEB member Paul Crowley decided against contacting HMRC, despite noting 12 client penalty errors: “[It] shows the system is broken. Waste of time contacting HMRC over missing items.”

It is not the first time HMRC has been linked with a personal data breach. In 2020, the tax department admitted to 26 separate incidents, affecting nearly 20,000 individuals, after they were reported to the Information Commissioner's Office (ICO).

SXGuy reiterated that this wasn’t a one-off error from HMRC. “It happens to me every year,” he commented. “As it has this year also.”

On the agent forum, Webb suggested that faulty HMRC printing machines were behind the blunder and might need overhauling.

The episode also prompted Webb to question HMRC's position that once a penalty notice has been 'issued' it must have been received by the intended recipient. "You maybe cannot rely on 'our system posted the notice, and it was not returned, so the taxpayer must be presumed to have been validly served the notice' as proof of issue at tribunal," he said.

For example, Webb pointed to responses on the forum of agents destroying notices wrongly issued rather than "the more sensible option of returning to HMRC as incorrectly issued and/or sending a copy to the correct agent for reference". 

What is going wrong?

VAT director Jason Croke blamed this incident and other recent frustrations on HMRC’s shift to remote working. 

“I think HMRC staff aren't being managed very well by their managers, it feels like the wild west, don't worry about KPI's, quick responses, errors or even bothering to answer the phone, just blame Covid/WFH and that exonerates you for anything. If we all worked on that concept, we'd be out of business.”

He personally isn't expecting a response from HMRC: “They are, at present, utterly useless on every level on every tax.”

AccountingWEB user paul.benny speculated that the error could be a fault with "the print routine or the envelope stuffer rather than a willful or careless error", and advised agents either to destroy the notices or to send them on to the correct recipient. Others suggest returning them to HMRC.

Cybersecurity expert Bill Mew agrees with paul.benny's assessment and sets out three issues surrounding HMRC's breach of data protection regulations:

  • "Technical issue: Whatever the problem with the print routine or the envelope stuffer is, it needs to be reported (to HMRC) and fixed fast. We need to know the full extent of the problem and have an idea of how many organisations/individuals may have been impacted and who they are.

  • "Regulatory issue: This is also a GDPR issue if information in the notices has been shared inappropriately. Again this needs to be reported (to the ICO) and as soon as you have any idea of who has been impacted they need to be made aware.

  • "Enforcement issue: We need to consider the impact of people NOT getting enforcement notices that HMRC is going to pursue. All action on enforcement needs to be suspended until reliability is restored and a reasonable expectation that the right people will have received the right enforcement notices."

Miskin told AccountingWEB that the agent behind one case reported to her took advice from the ICO, which confirmed that the correct approach is to report the matter to HMRC, which has responsibility for any necessary reports to the ICO. Miskin encourages agents to report cases on the thread on the agent forum and directly to HMRC.

HMRC is also directing agents to government guidance on HMRC's privacy notice, including an email address to which reports can be made: [email protected].

Replies (29)


By Alanpryan
26th Mar 2021 09:48

I received one penalty notice which was correct and five for other firms which I returned to HMRC. Can't help thinking that if the boot was on the other foot etc.

Thanks (4)
By youngloch
26th Mar 2021 09:53

This is not the first time this has happened with HMRC and won't be the last.

Worse one I experienced was receiving a copy of long and detailed enquiry letter, addressed to us, but relating to a well known celebrity.

Not only did it start off with "please find enclosed a copy of a letter issued to your client" e.g. it revealed their address, but it was clearly an enquiry which was only part way thereby revealing a lot of information.

We advised HMRC and posted it on to the celebrity making them aware HMRC had made the error and that they should forward it to their agent.

One rule for us it seems and another for larger bodies...........

Thanks (3)
By prospera
26th Mar 2021 10:00

There also seems a flaw in the advice from the ICO. If only the HMRC can report GDPR breaches, they are unlikely to do so since they don't even recognise the problem. Surely the ICO can start an investigation based on widespread reports from affected people? No other law relies on the perpetrator walking in and admitting they broke it.

Thanks (6)
Replying to prospera:
By Paul Crowley
26th Mar 2021 16:30

That is good news
I have no worries about GDPR if I am the only person allowed to complain about me
WELL DONE ICO

A bit like Baldrick and the bullet with his name on
https://www.youtube.com/watch?v=y8wdynZ0iWg

Thanks (3)
By johnjenkins
26th Mar 2021 10:07

Hey come on guys and gals, this is HMRC we are talking about. They are allowed to make any errors they want and get away with it. NFFP.

Thanks (2)
By Mr J Andrews
26th Mar 2021 10:23

Tip of the iceberg. Yet another example of HMRC's creaking administration and countless mistakes which will, again, be simply washed over.
Despite GDPR issues and reports to the ICO, there is simply no accountability within this Government department. No buck stopping, no sackings, let alone any disciplinary actions.
The HMRC response sums it up - ......that it takes its UK GDPR responsibilities very seriously........the vast majority will be issued and received correctly......Meaningless comfort words and bastardised statistical expressions, capped by the cop out word IF. ........ IF agents receive incorrect notices, to notify HMRC........... Substituting WHEN for IF would be their rightful admission of negligence.
Rather than firstly put their administrative house in order, I guarantee there will be some new half baked proposals in the pipeline very soon, to wind up ''customers'', agents - and their own staff.

Thanks (4)
Replying to Mr J Andrews:
By djtax
29th Mar 2021 11:07

No Accountability? But but...the top HMRC execs abilities always seem to be taken into account when they retire...with mentions in the next New Year's honours list....Surely that means they all always do an excellent job...?!

Thanks (1)
By wd2016
26th Mar 2021 10:24

They have also failed to update my agent address after I moved despite me telling them several times. I am not paying for mail redirection for eternity so they are now sending them to an address of some unknown person....I pointed out that this is a GDPR issue in my last letter but no response yet. I find it really scary!

Thanks (0)
By Ammie
26th Mar 2021 10:56

More BS from HMRC. They'll just join the long queue of those blaming disruptions on Covid.

HMRC, like HM Government, love to keep busy with an expensive investigation into problems which often produce little other than they got it wrong!

So, what do HMRC put pre Covid issues down to?

They have yet to address the most basic of service, the obscene telephone waiting times which extend long before Covid. It is very rare for any telephone call I make to HMRC to involve less than a 30 minute waiting time, and that's the agent line!

The data protection issues extend beyond mail. I have received genuine generic emails with the email addresses of dozens of other recipients showing.

It is becoming very difficult to resolve issues in a timely manner and some not at all. Writing takes forever, emails too often come back with generic responses often referring you to the website and escalated matters via telephone calls often disappear and require chasing again and again.

HMRC, who's paying for all this?

Thanks (0)
Replying to Ammie:
By 4b4
26th Mar 2021 13:37

'Who's paying for it?' - Our bloody clients!

Thanks (0)
By Wanderer
26th Mar 2021 11:06

“HMRC takes its responsibilities under UK GDPR very seriously. The vast majority of privacy notices will be issued and received correctly, but if any agents receive notices or any correspondence for wrong clients, we would ask that they notify HMRC to enable us to investigate why it happened and take appropriate action.”
Did they actually say privacy?
If so there is a certain irony that whoever within HMRC wrote that didn't even understand and / or couldn't even get that right.

Thanks (3)
By Nebs
26th Mar 2021 11:07

When returning them, don't forget to include your invoice for time and costs. It may sound petty, but it's the only way to get them to improve, hit them where it hurts, in the pocket.

Thanks (0)
Replying to Nebs:
By johnjenkins
26th Mar 2021 11:12

I like that. "hit them where it hurts" OUR pockets.

Thanks (1)
By towat
26th Mar 2021 11:41

We had one, just put it in a window envelope and sent it on to the correct agent, ok so it cost us a stamp but why make a fuss?

Thanks (0)
Replying to towat:
By johnjenkins
26th Mar 2021 12:10

The reason for the fuss is the "do as I say" not "do as I do" attitude from HMRC. they are allowed to make mistakes yet when we make mistakes it is not considered an error and the fines and penalties come out. Double standards.

Thanks (2)
Replying to towat:
By Hugo Fair
26th Mar 2021 12:41

Because not everyone will send it on to the correct agent - and, given the general level of ineptitude at HMRC, their system will mark the letter/notice as being issued (but with no concept of undelivered or 'delivered to wrong person').
Because trying to correct the original mistake (let alone cope with the fallout if you're the intended recipient who received nothing) is somewhere between time-consuming (for no fee) and coronary inducing.
Because it's a breach of GDPR.
Because ...

Thanks (3)
Replying to towat:
By Paul D Utherone
26th Mar 2021 14:56

towat wrote:

We had one, just put it in a window envelope and sent it on to the correct agent, ok so it cost us a stamp but why make a fuss?


Because it is clearly happening a great deal and is not isolated incidents that can be brushed off by HMRC.

Also because, as noted in the article, HMRC ALWAYS use the "we posted the notice to the taxpayer, and it wasn't returned, so they must be taken to have received and ignored it" at FTT, and far too many penalty appeals fail on that ground

Thanks (2)
By teeaccounts
26th Mar 2021 12:12

At the beginning of 2021 I received a letter from the Investigations team that was meant for another firm and when I highlighted it to the inspector, he apologised but offered no explanation as to why it came to me (granted I did have an open investigation for a client with this inspector, but that's no excuse for sending the wrong firm the wrong letter). There does seem to be a general disinterest from HMRC in any privacy violations they're committing!

Thanks (1)
By sumo69
26th Mar 2021 13:56

I too received 5 penalty notices - 1 for an ex-client that I disengaged from last year, and 2 each for two other agents (so 4 in total) showing client names and a UTR/NINO.

I

Thanks (0)
By sumo69
26th Mar 2021 14:09

See below

Thanks (0)
Replying to sumo69:
By johnjenkins
26th Mar 2021 14:09

Make your mind up. Did you get 5 or 10 notices?

Thanks (0)
By sumo69
26th Mar 2021 14:08

I too received 5 penalty notices - 1 for an ex-client that I disengaged from last year, and 2 each for two other agents (so 4 in total) showing client names and a UTR/NINO.

I intend to e-mail HMRC on the address in the article as well as my local MP to ask him to make enquiries due to the GDPR breaches and the fact HMRC will record these letters as successfully delivered.

Thanks (1)
By Paul D Utherone
26th Mar 2021 15:00

As noted there is a thread on the HMRC Agent Forum, and it is worth joining up to the forum, if you can, to report issues like this. Because it seems to be a fairly small set of agents engaged there HMRC's response is often "this is an isolated issue" or "there is no evidence that this is a general issue" and problems do not receive the attention that they perhaps should.

Thanks (0)
Replying to Paul D Utherone:
By timothyvogel
29th Mar 2021 08:25

DO NOT JOIN THE FORUM
They have a track record of then including your email as a cc on an email sent to everyone in the group, publishing everyone's email to everyone. Another GDPR breach. They have done it once to me, and I have a record of a second time as well. Their response, when I complained, was "this is an isolated incident and should not happen". Darn right it should not, but that is not the same as will not happen.

Thanks (0)
Replying to timothyvogel:
By Paul D Utherone
29th Mar 2021 11:46

Fair enough. It's a view. Maybe join with a 'burner' email address - can't remember if that's possible or not - but if it is then the "it's not a widespread issue" response to issues raised might reduce with a deluge of evidence

Thanks (0)
By timothyvogel
26th Mar 2021 15:15

Given the fiasco of HMRC sending everyone's personal emails to all members of the HMRC feedback group a couple of months ago, I am somewhat unsurprised. This is the same HMRC who have told the Information Commissioner and a Treasury Minister that they cannot change our legal name on their system due to "software settings".
Anyone thinking data accuracy or security matters to HMRC is sadly mistaken. They are more concerned with processes being followed than the reliability of the process
I well recall several years ago looking round an empty office as a potential new location and finding 2 boxes of taxpayers files in the old post room, it was the closed local Tax office and they had failed to clear the postroom. I have several times received through the post copies of old tax returns for my clients and on more than one occasion received copies of return from other taxpayers either instead of or as well as my client.
I have a letter on file from them saying that the fact that they have recorded the totally wrong employer as my employer "does not matter" and so "there is no need to amend it". That error came about because they had confused me with a similar named person

Thanks (0)
By tedbuck
26th Mar 2021 15:51

Sack the bloke at the top and employ someone with absolutely no connection with the Civil Service as it's their attitude that is the problem - you only have to look at the way they waste our money - they are incompetent at best and stupid at worst.
Look at the blunders PHE has made since Covid - millions wasted. Look at the PFI fiasco and the ongoing cost of overpaying for everything. The list is endless and comes from using people whose experience of the real world is gained from the media rather than experience in real jobs.

Thanks (0)
By Paul D Utherone
26th Mar 2021 19:21

Latest from HMRC:
"An investigation is underway and if this incident meets the ICO threshold we will inform them. It has been added to the HMRC data breach log."

Thanks (1)
Replying to Paul D Utherone:
By Hugo Fair
26th Mar 2021 19:49

Yes Minister is alive and kicking!
Which 'this incident'? And what 'ICO threshold'?
It seems clear to me that many notifiable events have taken place - see https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-t...

Also I was under the impression that informing the ICO is a key part of the legal responsibilities of the 'body that has breached' and is relevant to mitigation of any consequential penalties ... but does not remove the ability of the ICO to open an investigation of its own (based on evidence supplied by 3rd-parties)?

Thanks (2)