HMRC GDPR Data Breach Compensation Claims Guide – How To Claim?

By Marlon Redding. Last Updated 2nd December 2022.

How safe is your tax return? Who else knows your tax code? Could someone piece together your information and use it to steal money or, worse, your entire identity? A data breach by HMRC is a serious and very real threat. Every day, cybersecurity is tested to the limits by hackers and online criminals probing organisations and companies for weak spots in their data security. HMRC is no different. With over ten million people now completing tax returns online and divulging a great deal of information in the process, perhaps you were a victim of leaked data.

HMRC data breach compensation claims guide

When your personal or financial information is unlawfully exposed it can end up on the internet where criminal gangs buy and sell it for fraudulent purposes.

New laws came into effect in 2018 to regulate and control data use. We explain how because of these changes, you now have better grounds than ever to initiate claims for compensation if you suffered damage stemming from a data breach.

If this has already happened to you, speak to our friendly team at Legal Helpline.

  • Call us on 0161 696 9685 to start today
  • Email or write to us at Legal Helpline
  • Use the ‘live support’ option bottom right for instant help

HMRC has a legal responsibility to protect your information from data breaches, however they are caused. Whether it was outside hackers or human error within the department, if a breach has caused you financial or emotional suffering, we can help.

Select A Section

  1. A Guide On Compensation Claims For A Data Breach By HMRC
  2. What Is A Data Breach Claim Against HMRC?
  3. How The GDPR Affects Data Sharing With Third Parties
  4. Has HMRC Suffered A GDPR Or Data Protection Breach?
  5. Calculating Compensation Amounts For A Data Breach By HMRC
  6. Material And Non-Material Damages Awarded For Data Breaches
  7. How To Report A Government Department To The ICO
  8. No Win No Fee Compensation Claims For A Data Breach By HMRC
  9. Finding A Specialist Data Protection Solicitor
  10. How Data Breach Victims Could Get Compensation
  11. Contacting A Solicitor
  12. FAQs About Data Breach Claims
  13. Where Can I Learn More?

A Guide On Compensation Claims For A Data Breach By HMRC

In this guide, we want to offer you some practical help with starting a claim against HMRC for a data breach. Two significant pieces of legislation have changed the way that you can claim damages caused by a data breach. If you can demonstrate financial or emotional proof of harm as a consequence of HMRC’s failure to safeguard your data, you could have a claim.

Data breach lawyers can calculate damages like this to quite a degree of precision. Medical assessments can reveal the extent of the emotional damage caused by the sudden loss of money and our table below gives an insight into potential award amounts. The invasion of privacy and the dread and anxiety created by data vulnerability can directly cause all manner of serious illness like depression or PTSD (Post-traumatic stress disorder).

Statements and bills can provide a paper trail to prove the financial ruin a data breach can leave in its wake. At Legal Helpline we want to assist you in accessing this representation and repair the damage created by either the criminality or incompetence of another.

What Is A Data Breach Claim Against HMRC?

Before we look at how to evaluate your claim, it’s important to explain what we mean by an HMRC data protection breach. A new law called the General Data Protection Regulation (GDPR) was brought in to address the torrent of online data infringements that grew with the expansion of the internet.

Some companies and organisations were using the internet as an opportunity to gather information and exploit it without much regulation. This led to abuses, such as companies harvesting data and selling it on. Everything from spam emails to unsolicited text messages, cold-callers and phishing scams began to plague the inbox of laptops and computers in the country. GDPR sought to stem this new tide of misuse and abuse.

Our information has always been personal, whether it’s on or offline and GDPR merely formalised the ways that others can use it. Consent is now a fundamental part of data sharing and whilst there are examples where consent is not explicitly required, we are asked far more frequently whether we are happy for our personal information to be used in certain ways.

What is a breach exactly?

The Information Commissioner’s Office (ICO) is an independent regulator set up to enforce GDPR rules across the board. They can issue penalties and fines to any organisation, company or individual that they feel have breached the GDPR rules. ICO fines can be in the multi-millions and represent a potent warning to companies to handle data properly. They can also help you.

The ICO define a breach as the accidental or deliberate loss, copying, alteration, destruction or unauthorised sharing of data in a way that could damage the data subject either economically, socially or reputationally. Clearly, HMRC data breaches are especially worrying as a great deal of information is stored in one place. Consider for a moment what they need to keep on file about you:

  • Name and address
  • Date of birth
  • National Insurance number
  • Marital status and details of children (Tax credits)
  • Immigration status
  • Occupation and salary
  • Bank details

This would be a treasure trove for cybercriminals to get into. HMRC know this and do their level best to prevent hackers from getting anywhere near your details. However, breaches can sometimes be the result of human error amongst staff.

An organisation of the size and complexity of HMRC would have the most robust software defences against malware, viruses, and other forms of cyber assault on their security. Breaches could still happen, however, and as the victim, you could easily suffer in prolonged and profound ways.

How The GDPR Affects Data Sharing With Third Parties

We share our data every day. Each time we visit a website, shop online or consent to cookies we are giving permission for other agencies to gather and use details about us. Once this approval has been given, as long as the data use stays within agreed terms and conditions, there may not be a legal requirement to request our permission again. So it’s important to take a moment and consider what those terms are.

The ICO has identified seven core principles for the correct use of our data:

  • Lawfulness, fairness and transparency – are the reasons for collecting the data fair, legal and obvious?
  • Purpose limitation – are there clear limits to data collection reasons?
  • Data minimisation – will they collect only the minimum amount of data for that task?
  • Accuracy – is it correct data?
  • Storage limitation – how long will the data be kept for? Why?
  • Integrity and confidentiality (security) – is everyone aware of their responsibilities with this information?
  • Accountability – if there is a problem, will it be addressed correctly?

It’s important to note that any serious data breach discovered must be reported to you and the ICO within 72 hours. This is a legal requirement. In some instances, the organisation in question may not know there has been a data breach and you may hear about it from other affected parties, social media or news outlets. Either way, HMRC should act promptly to rectify it once discovered.

On the whole, it’s in everyone’s interest to identify and address a data protection breach as quickly as possible. We will discuss what you can do if they do not address the problem in the next few sections.

Has HMRC Suffered A GDPR Or Data Protection Breach?

There are three main groups involved in data-sharing:

  • Controllers – those who possess the information in the first place. In this instance, it would be HMRC who legally oblige you to give this data for tax collection purposes.
  • Processors – the people or company tasked with using the information for expressly stated purposes. They may also be responsible for the storage and processing of data and can be an inside department or outside company.
  • Third parties are the ‘end users’ of this data. Again, these recipients may only take and utilise this information within strictly governed parameters now thanks to GDPR.

What specific scenarios might cause an HMRC breach of data protection? We have established that HMRC has a legal obligation to handle our data carefully. Furthermore, human error accounts for some data breach problems as well as hacking. So how could HMRC suffer a data breach?

  • Sensitive information can be lost or stolen from laptops, smartphones and other portals of data. Screens can be left open for passing people to view.
  • Transportation and storage can leave hard copies of information exposed
  • Insufficient software security or firewall updates make it easier for hackers
  • Casual conversational disclosures between colleagues or the public
  • Incorrect details being posted to customers

That’s what could happen in theory, but what about the reality?

During 2019-20, a string of 11 separate personal data breaches may have affected over 20,000 people when PAYE details were leaked and NI numbers were distributed to the wrong people. These incidents were promptly reported to the ICO and steps were taken within HMRC to ensure this would not happen again.

Read more in HMRC’s annual report here.

Calculating Compensation Amounts For A Data Breach By HMRC

Perhaps you were one of those affected in the data breach discussed above? What can you do?

There was a change in the law after a landmark case called Vidal-Hall v Google. In the past, it was necessary to have suffered financial damage to seek compensation for emotional harm. But since Vidal-Hall, it’s now possible to seek compensation for either or both forms of damage.

So, if the data breach resulted in causing you mental damage, such as distress, anxiety or depression, the table below gives you an idea of what different forms of mental damage could attract in compensation:

| Injury | Effects | Suggested Award |
|---|---|---|
| Psychiatric Damage - Severe | Severe problems that affect many areas of daily and social life. | £54,830 to £115,730 |
| Psychiatric Damage - Moderately Severe | Significant problems with daily life. But, there is a more optimistic prognosis. | £19,070 to £54,830 |
| Psychiatric Damage - Moderate | Marked improvements have been made, despite having struggles with various problems. | £5,860 to £19,070 |
| Psychiatric Damage - Less Severe | The effect on daily activities and sleep will be taken into account. | £1,540 to £5,860 |
| PTSD - Severe | Inability to function the same as pre-trauma due to permanent effects. | £59,860 to £100,670 |
| PTSD - Moderately Severe | Recovery is possible with help from a professional, but the person will still likely suffer for the foreseeable future. | £23,150 to £59,860 |
| PTSD - Moderate | Largely recovered with any persisting symptoms not being majorly disabling. | £8,180 to £23,150 |
| PTSD - Less Severe | A full recovery is made within 2 years, with only minor problems persisting after this. | £3,950 to £8,180 |

These figures come from the Judicial College Guidelines, a publication that outlines the potential values of different types of injuries. Because of Vidal-Hall, you could claim for the data breach if it affected your mental health in any of the following ways:

  • Anxiety and panic attacks
  • Depression
  • PTSD
  • Suicidal thoughts/self-harm
  • Damage to personal relationships

Therefore, any loss of amenity and pleasure to life could be grounds to sue. Speak to our team now to learn more about your rights if you’ve fallen victim to an HMRC data breach.

Material Damages Awarded For Data Breaches

In addition to the mental damage, material damages can be calculated by looking at the financial impact. Data breaches can cause severe disruption in the lives of those they impact. There may be consequences that you have not even thought of. When making a claim, it’s important to calculate fully the long-term repercussions as well as the immediate ones.

With financial fraud, there can often be charges and penalties that come in weeks or months after the initial theft. You may still be liable for these in the eyes of the bank. It’s essential to track all statements and bills that arose from trying to cope with matters such as:

  • Sudden loss of money
  • Credit run up in your name
  • Damage to your business reputation
  • Credit score damage

It’s vital to recoup these amounts properly and estimate an accurate compensation figure to claim for. A data breach solicitor can help with this.

You are perfectly free to sue HMRC yourself. Anyone can start a claim for compensation. It simply makes more sense to work with a data breach lawyer who has the requisite level of experience and skill in calculating the effects. We explain further down how a No Win No Fee data breach solicitor from our panel can help with this at no upfront cost to you.

It’s worth thinking about working with them. Data breach cases can be lengthy and complex, to say nothing of the daunting prospect of trying to sue HMRC on your own. Call our team now for instant advice on how to proceed.

How To Report A Government Department To The ICO

The ICO does not pay compensation to those affected by a data breach but its involvement can lend great weight to a claim. If you discover a data breach and think HMRC is responsible, there is a step by step course of action to follow which can greatly improve your chances of being fairly considered for damages:

  • Firstly, write to HMRC and tell them that you believe them to be responsible for a data breach that involves you. The ICO provides two useful document templates for making a complaint to the organisation and raising a concern with them.
  • In certain cases, HMRC may offer to compensate you directly for provable losses caused by their data breach. You are free to accept or reject this offer. However, it’s worth getting legal advice before accepting in case the offer doesn’t fully account for the damage done.
  • If you hear nothing meaningful back from HMRC within a three-month time frame, you can report the breach to the ICO who may or may not take up an investigation.
  • During this time, you can begin to compile proof of your financial and emotional damage. As stated, this can be in the form of paper documents and medical evidence which a No Win No Fee data breach lawyer from our panel can help arrange.
  • Make a decision to privately sue HMRC. If you have evidence that demonstrates harm as a result of their data breach, speak to Legal Helpline about connecting with a data breach lawyer from our panel today.

If you were considering how to report a data breach by HMRC, follow these steps or contact our team for further guidance.

No Win No Fee Compensation Claims For A Data Breach By HMRC

How much do you actually know about using a data breach lawyer on a No Win No Fee basis? It may be an expression you’ve heard before but associate with car accident claims or slips and trips in the workplace. No Win No Fee agreements, or Conditional Fee Agreements (CFAs), are an excellent way for many people to access legal representation quickly and easily. You could do the same.

When you hire a data breach lawyer this way, there are no fees to pay upfront. With none to pay as your case develops and still nothing to pay if your claim for compensation fails, this offers an entirely financially beneficial opportunity for you to seek justice for the damage you have suffered.

Furthermore, your No Win No Fee lawyer has a committed interest in winning your case as they take a small, capped percentage at the end as their fee. This guarantees that they will give your case their full attention and strive to reach the highest possible award on your behalf. It also ensures that whatever the outcome amount, you receive the bulk of the compensation.

Finding A Specialist Data Protection Solicitor

If HMRC breaches data protection laws and you can prove that you have suffered financial or mental damage, you could seek legal advice. Simply get in touch with Legal Helpline and we could introduce you to our panel of specialist solicitors.

The law firm that is local to you may be excellent, but what experience do they have in data breach cases? Also, Google searches can generate such a volume of options as to leave you more confused than ever.

Allow us to bring the expertise to you. Call our team for a free initial consultation. We could connect you with a data breach solicitor from our panel who truly understands every aspect of how this lapse in due care on the part of HMRC exposed your personal data to risk and turned your life upside-down.

How Data Breach Victims Could Get Compensation

In summary, if you have suffered damage to your finances or health because of an avoidable data breach on the part of HMRC, you can refer to this checklist as a course of action:

  • Complain to HMRC in writing
  • Wait no longer than 3 months for a meaningful response
  • Report the breach to the ICO if you receive an unsatisfactory response
  • Collect evidence of your financial and health impacts
  • Contact Legal Helpline to connect with a No Win No Fee lawyer

Contacting A Solicitor

If you’re ready to start your claim why not get in touch now? You can speak to our friendly advisors by:

  • Calling on 0161 696 9685
  • Emailing or writing to us at Legal Helpline
  • Using the ‘live support’ option, bottom right of this screen

FAQs About Data Breach Claims

In this section, we’ve provided answers to some questions we often get asked about data breach claims.

How much compensation can you get for a data breach?

All data breach claims are different. No two cases are the same, so how much compensation you will get in a data breach claim can only be estimated on an individual basis.

Successful data protection breach compensation claim awards are influenced by several factors, such as whether you suffered psychological injuries because of the breach.

If an HMRC data breach were to occur that affected your personal information, call our team of advisors.

What constitutes a breach of data protection?


  • Loss
  • Destruction
  • Alteration
  • Copying
  • Unauthorised sharing
  • Theft

of personal information that could harm that person, either financially or emotionally.

What can I do if my personal data is breached?

Follow the steps above or call our team at Legal Helpline. The law now supports your right to seek compensation for mental damage in its own right. Don’t disregard the very real impact of data theft. If you can prove what you’ve suffered through medical evidence, make a claim and recover the losses you’ve endured.

Where Can I Learn More?

As well as the information in this article, you can also refer to the highlighted text for more resources. In addition to this, we are happy to answer any queries you may have about HMRC data protection breach claims. We also have a guide on bank data breach claims, and another on medical data breach claims.

For further reading about HMRC and what they are doing to protect your private information, please refer to their annual report. More information is available from Victim Support after a data breach, and you can read more about protecting your data in the future.

Thank you for reading our guide on what to do if you fall victim to a data breach by HMRC.


Guide by JJW

Edited by REB