HMRC accused of data breach as agents receive wrong penalty notices
Accountants have raised concerns over possible personal data breaches at HMRC after receiving late penalty notices for clients of other agents. Maddy Christopher and Tallula Brogan report.
Last week, AccountingWEB user Cholmes first reported receiving five late penalty notices from HMRC – with only one of the five regarding their clients. The remaining notices were addressed to two other firms.
The AWEB community has been reporting these incidents for the past week, with many unsure of what to do with the notices received. Some were hesitant to forward the notices to the correct agents in fear of potential data breaches.
Members who did approach HMRC with the issue have struggled with the assistance provided. When Cholmes got through to HMRC after being put on hold for 40 minutes, the helpline operator seemed “disinterested” and surprised that this member had even called:
“The only suggestion given was to return the penalty notices to HMRC,” Cholmes said. “When I asked why I had received them, I was told she didn't know and couldn't comment. No other suggestions offered nor any apologies offered.”
AccountingWEB member Blazefan also reportedly received six late filing penalty notices in a single envelope, only two of which were for their clients. The notices contained the name and address of the practices, the name of their clients, and the clients’ UTR.
Blazefan copied the incorrect notices and returned them to HMRC with a covering letter, and forwarded the copies to the correct accountancy practices: “I have not as yet received a response from HMRC, however the other practice has thanked me for forwarding them on.”
HMRC's agent forum has seen further complaints; ICAEW technical manager Caroline Miskin received a report from a member of the community who was sent six late filing penalty notices, five of which were sent in error.
AccountingWEB approached HMRC about the stories shared on Any Answers and the agent forum and was told:
“HMRC takes its responsibilities under UK GDPR very seriously. The vast majority of privacy notices will be issued and received correctly, but if any agents receive notices or any correspondence for wrong clients, we would ask that they notify HMRC to enable us to investigate why it happened and take appropriate action.”
It was then highlighted to HMRC that many agents are unable to get through to them or are not getting a sufficient response. The spokesperson could offer no additional information but confirmed that HMRC is aware and would be looking to contact the agents.
HMRC administration flaws
AccountingWEB member Paul Crowley decided against contacting HMRC, despite noting 12 client penalty errors: “[It] shows the system is broken. Waste of time contacting HMRC over missing items.”
It is not the first time HMRC has been linked with a personal data breach. In 2020, the tax department admitted to 26 separate instances, affecting nearly 20,000 individuals after being reported to the Information Commissioner’s Office (ICO).
SXGuy reiterated that this wasn’t a one-off error from HMRC. “It happens to me every year,” he commented. “As it has this year also.”
On the agent forum, Webb suggested faulty HMRC’s printing machines were behind the blunder and could need overhauling.
The episode also prompted Webb to question HMRC's claim that once a penalty notice has been ‘issued’ then it must have been received by the intended recipient. “You maybe cannot rely on 'our system posted the notice, and it was not returned, so the taxpayer must be presumed to have been validly served the notice' as proof of issue at tribunal," he said.
For example, Webb pointed to responses on the forum of agents destroying notices wrongly issued rather than "the more sensible option of returning to HMRC as incorrectly issued and/or sending a copy to the correct agent for reference".
What is going wrong?
VAT director Jason Croke blamed this incident and other recent frustrations on HMRC’s shift to remote working.
“I think HMRC staff aren't being managed very well by their managers, it feels like the wild west, don't worry about KPI's, quick responses, errors or even bothering to answer the phone, just blame Covid/WFH and that exonerates you for anything. If we all worked on that concept, we'd be out of business.”
He personally isn't expecting a response from HMRC: “They are, at present, utterly useless on every level on every tax.”
AccountingWEB user paul.benny speculated the error could be a fault with “the print routine or the envelope stuffer rather than a willful or careless error”, and advised agents either destroy or send the notices on to the correct recipient. Others suggest returning to HMRC.
Cybersecurity expert Bill Mew agrees with paul.benny’s assertion and cites three issues surrounding HMRC’s breach of data protection regulations:
"Technical issue: Whatever the problem with the print routine or the envelope stuffer is, it needs to be reported (to HMRC) and fixed fast. We need to know the full extent of the problem and have an idea of how many organisations/individuals may have been impacted and who they are.
"Regulatory issue: This is also a GDPR issue if information in the notices has been shared inappropriately. Again this needs to be reported (to the ICO) and as soon as you have any idea of who has been impacted they need to be made aware.
"Enforcement issue: We need to consider the impact of people NOT getting enforcement notices that HMRC is going to pursue. All action on enforcement needs to be suspended until reliability is restored and a reasonable expectation that the right people will have received the right enforcement notices."
Miskin told AccountingWEB that a case reported to her took advice from the ICO who confirmed that the correct approach is to report the matter to HMRC who have responsibility for any necessary reports to the ICO. Miskin encourages agents to report cases on the thread on the agent forum and directly to HMRC.