HMRC accused of data breach as agents receive wrong penalty notices
Accountants have raised concerns over possible personal data breaches at HMRC after receiving late penalty notices for clients of other agents. Maddy Christopher and Tallula Brogan report.
Replies (30)
I received one penalty notice which was correct and five for other firms which I returned to HMRC. Can't help thinking that if the boot was on the other foot etc.
This is not the first time this has happened with HMRC and won't be the last.
Worst one I experienced was receiving a copy of a long and detailed enquiry letter, addressed to us, but relating to a well known celebrity.
Not only did it start off with "please find enclosed a copy of a letter issued to your client", i.e. it revealed their address, but it was clearly an enquiry which was only part way through, thereby revealing a lot of information.
We advised HMRC and posted it on to the celebrity making them aware HMRC had made the error and that they should forward it to their agent.
One rule for us it seems and another for larger bodies...
There also seems a flaw in the advice from the ICO. If only the HMRC can report GDPR breaches, they are unlikely to do so since they don't even recognise the problem. Surely the ICO can start an investigation based on widespread reports from affected people? No other law relies on the perpetrator walking in and admitting they broke it.
That is good news
I have no worries about GDPR if I am the only person allowed to complain about me
WELL DONE ICO
A bit like Baldrick and the bullet with his name on
https://www.youtube.com/watch?v=y8wdynZ0iWg
Hey come on guys and gals, this is HMRC we are talking about. They are allowed to make any errors they want and get away with it. NFFP.
Tip of the iceberg. Yet another example of HMRC's creaking administration and countless mistakes which will, again, be simply washed over.
Despite GDPR issues and reports to the ICO, there is simply no accountability within this Government department. No buck stopping, no sackings, let alone any disciplinary actions.
The HMRC response sums it up: "...that it takes its UK GDPR responsibilities very seriously... the vast majority will be issued and received correctly..." Meaningless comfort words and bastardised statistical expressions, capped by the cop-out word IF: "...IF agents receive incorrect notices, to notify HMRC..." Substitute IF for WHEN would be their rightful admission of negligence.
Rather than firstly put their administrative house in order I guarantee there will be some new half baked proposals in the pipeline very soon, to wind up ''customers'', agents - and their own staff.
No Accountability? But but... the top HMRC execs' abilities always seem to be taken into account when they retire... with mentions in the next New Year's honours list... Surely that means they all always do an excellent job...?!
They have also failed to update my agent address after I moved despite me telling them several times. I am not paying for mail redirection for eternity so they are now sending them to an address of some unknown person....I pointed out that this is a GDPR issue in my last letter but no response yet. I find it really scary!
More BS from HMRC. They'll just join the long queue of those blaming disruptions on Covid.
HMRC, like HM Government, love to keep busy with an expensive investigation into problems which often produce little other than they got it wrong!
So, what do HMRC put pre Covid issues down to?
They have yet to address the most basic of service, the obscene telephone waiting times which extend long before Covid. It is very rare for any telephone call I make to HMRC to involve less than a 30 minute waiting time, and that's the agent line!
The data protection issues extend beyond mail. I have received genuine generic emails with the email addresses of dozens of other recipients showing.
It is becoming very difficult to resolve issues in a timely manner and some not at all. Writing takes forever, emails too often come back with generic responses often referring you to the website and escalated matters via telephone calls often disappear and require chasing again and again.
HMRC, who's paying for all this?
“HMRC takes its responsibilities under UK GDPR very seriously. The vast majority of privacy notices will be issued and received correctly, but if any agents receive notices or any correspondence for wrong clients, we would ask that they notify HMRC to enable us to investigate why it happened and take appropriate action.”
Did they actually say privacy?
If so there is a certain irony that whoever within HMRC wrote that didn't even understand and / or couldn't even get that right.
When returning them, don't forget to include your invoice for time and costs. It may sound petty, but it's the only way to get them to improve, hit them where it hurts, in the pocket.
We had one, just put it in a window envelope and sent it on to the correct agent, ok so it cost us a stamp but why make a fuss?
The reason for the fuss is the "do as I say" not "do as I do" attitude from HMRC. They are allowed to make mistakes yet when we make mistakes it is not considered an error and the fines and penalties come out. Double standards.
Because not everyone will send it on to the correct agent - and, given the general level of ineptitude at HMRC, their system will mark the letter/notice as being issued (but with no concept of undelivered or 'delivered to wrong person').
Because trying to correct the original mistake (let alone cope with the fallout if you're the intended recipient who received nothing) is somewhere between time-consuming (for no fee) and coronary inducing.
Because it's a breach of GDPR.
Because ...
We had one, just put it in a window envelope and sent it on to the correct agent, ok so it cost us a stamp but why make a fuss?
Because it is clearly happening a great deal and is not isolated incidents that can be brushed off by HMRC.
Also because, as noted in the article, HMRC ALWAYS use the "we posted the notice to the taxpayer, and it wasn't returned, so they must be taken to have received and ignored it" at FTT, and far too many penalty appeals fail on that ground.
At the beginning of 2021 I received a letter from the Investigations team that was meant for another firm and when I highlighted it to the inspector, he apologised but offered no explanation as to why it came to me (granted I did have an open investigation for a client with this inspector, but that's no excuse for sending the wrong firm the wrong letter). There does seem to be a general disinterest from HMRC in any privacy violations they're committing!
I too received 5 penalty notices - 1 for an ex-client that I disengaged from last year, and 2 each for two other agents (so 4 in total) showing client names and a UTR/NINO.
I intend to e-mail HMRC on the address in the article as well as my local MP to ask him to make enquiries due to the GDPR breaches and the fact HMRC will record these letters as successfully delivered.
As noted there is a thread on the HMRC Agent Forum, and it is worth joining up to the forum, if you can, to report issues like this. Because it seems to be a fairly small set of agents engaged there HMRC's response is often "this is an isolated issue" or "there is no evidence that this is a general issue" and problems do not receive the attention that they perhaps should.
DO NOT JOIN THE FORUM
They have a track record of then including your email as a cc on an email sent to everyone in the group, publishing everyone's email to everyone. Another GDPR breach. They have done it once to me, and I have a record of a second time as well. Their response, when I complained, was "this is an isolated incident and should not happen". Darn right it should not, but that is not the same as will not happen.
Fair enough. It's a view. Maybe join with a 'burner' email address - can't remember if that's possible or not - but if it is then the "it's not a widespread issue" response to issues raised might reduce with a deluge of evidence
Given the fiasco of HMRC sending everyone's personal emails to all members of the HMRC feedback group a couple of months ago, I am somewhat unsurprised. This is the same HMRC who have told the Information Commissioner and a Treasury Minister that they cannot change our legal name on their system due to "software settings".
Anyone thinking data accuracy or security matters to HMRC is sadly mistaken. They are more concerned with processes being followed than the reliability of the process.
I well recall several years ago looking round an empty office as a potential new location and finding 2 boxes of taxpayers' files in the old post room. It was the closed local Tax office and they had failed to clear the post room. I have several times received through the post copies of old tax returns for my clients and on more than one occasion received copies of returns from other taxpayers either instead of or as well as my client's.
I have a letter on file from them saying that the fact that they have recorded the totally wrong employer as my employer "does not matter" and so "there is no need to amend it". That error came about because they had confused me with a similarly named person.
Sack the bloke at the top and employ someone with absolutely no connection with the Civil Service as it's their attitude that is the problem - you only have to look at the way they waste our money - they are incompetent at best and stupid at worst.
Look at the blunders PHE has made since Covid - millions wasted. Look at the PFI fiasco and the ongoing cost of overpaying for everything. The list is endless and comes from using people whose experience of the real world is gained from the media rather than experience in real jobs.
Latest from HMRC:
"An investigation is underway and if this incident meets the ICO threshold we will inform them. It has been added to the HMRC data breach log."
Yes Minister is alive and kicking!
Which 'this incident'? And what 'ICO threshold'?
It seems clear to me that many notifiable events have taken place - see https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-t...
Also I was under the impression that informing the ICO is a key part of the legal responsibilities of the 'body that has breached' and is relevant to mitigation of any consequential penalties ... but does not remove the ability of the ICO to open an investigation of its own (based on evidence supplied by 3rd-parties)?
HMRC's four Updates on the thread on the Agent Forum culminating with yesterday's:
Update 4: HMRC Admin 11 - 23/04/2021
Dear Agents,
We sincerely apologise for the recent security breach and recognise that this is not in line with our Charter standards. We take all aspects of protecting data very seriously so there has been a lot of activity to understand this incident and mitigate future risks. We have received the following report on what happened and what action has been taken as a result:
Background & Recap:
We became aware of an issue with SA326D Penalty Notices on 23rd March.
We identified that this was down to a software problem, with the underlying cause of this issue linked to testing. The issue is limited only to the SA326D bulk run.
What do we understand now about impacts?
We know that the majority of agents received the correct information and following extraction of data from the affected files we believe the total affected number to be just above 32k.
• the total number of taxpayers impacted is 32,075
• 18,496 UTRs/taxpayers notices went to the wrong agent
• 13,579 UTRs/Taxpayers went to the correct agent
• 15,459 agents received incorrect envelopes (getting a wrong letter or they don’t know that their letter went to another agent)
• two taxpayers have received a copy that contains 5 Agent copies in total for other taxpayers
We re-issued the copy notices to agents.
Communications:
• We have issued guidance to Personal Tax Operations and Agent Helpline colleagues
• We have posted updates to Agent Forum and informed Accounting Web
Security:
We have been assured following the data interrogation carried out by IT colleagues that the total number of incorrect notices sent to Agents is just over 18k.
We are holding an after-action review to understand what went wrong and how we can make sure it doesn’t happen again.
Any notices that have not already been securely destroyed should be returned to:
SA326D
Central Mail Unit
S1250
Benton Park View
Longbenton
Newcastle
NE98 1ZZ
Update 3: HMRC Admin 14 - 08/04/2021
We have looked into this and can confirm that there was a problem with some letters, we have sorted this and will reissue the letters from the 24 April 2021.
In line with data security protocols we have reported this to the ICO and will give an update on this matter at the Representative Bodies Steering Group on the 12 April 2021.
We will post further updates as soon as we get them.
Update 2: HMRC Admin 14 - 26/03/2021
An investigation is underway and if this incident meets the ICO threshold we will inform them. It has been added to the HMRC data breach log.
Update 1: HMRC Admin 14 - 25/03/2021
We are enclosing the link for Guidance on HMRC Privacy Notice.
https://www.gov.uk/government/publications/data-protection-act-dpa-infor...
If you have any concerns about how HMRC is handling your personal information, you can email HMRC’s Data Protection Officer at: [email protected].
HMRC Admin 14 - 25/03/2021
Thank you for all your comments.
HMRC takes its responsibilities under UK GDPR very seriously. The vast majority of letters will be issued and received correctly, but if any agents receive notices or any correspondence for wrong clients, we would ask that they notify HMRC to enable us to investigate why it happened and take appropriate action.
We will close this thread in five days.