HMRC sacks dozens of staff for snooping on taxpayers and accessing their records without permission
AX RUMBLE HMRC sacks dozens of staff for snooping on taxpayers and accessing their records without permission
Click to share on X/Twitter (Opens in new window)
Click to share on Facebook (Opens in new window)
HM Revenue and Customs has sacked dozens of workers after they spied on taxpayers and accessed their records without permission.
Fifty workers were let go last year for breaking data privacy rules.
Sign up for Scottish Sun
newsletter
Sign up
2
The HMRC says it takes the issue of data security 'extremely seriously'
Credit: Getty
Since 2022, a total of 354 employees have been disciplined for data security breaches, with 186 having been fired.
The tax office has admitted that some of those that were dismissed were found to have looked up taxpayers' confidential information.
HMRC holds a huge amount of personal data about taxpayers, including address, salaries and National Insurance numbers.
Staff are banned from looking up sensitive information unless they have a genuine business reason.
Despite that, a number of employees have been caught accessing personal details using HMRC's IT system.
Figures for 2024-25 indicate 96 staff were disciplined for data security breaches, with 50 of those later being dismissed.
The information was revealed to The Telegraph following a Freedom of Information request.
According to HMRC, that represents less than 0.1 percent of its almost 68,000 employees.
The figure is down from the previous year when 138 employees were disciplined and 68 were let go.
Those figures cover all data security breaches and not just employees searching for taxpayers' details.
HMRC using AI to scan social media for tax evasion investigations
These include things like making changes to records without authorisation, losing sensitive documents or not securely disposing of inadequately protected devices.
One employee was sacked in 2023 having sent the data of 100 people to his personal email address.
The employee was visiting a business as part of a compliance check and he emailed himself a PDF file which contained a list of staff members' details, which included their salaries and National Insurance numbers.
The file was later printed off for the meeting using his home computer, according to court documents.
The analytics team, which is responsible for highlighting data breaches, then flagged the incident to his line manager and the employee was dismissed for gross misconduct after an investigation was launched.
The case was taken to an employment tribunal with the former employee claiming he had not been thinking clearly at the time due to anxiety.
The tribunal though threw out his claim for wrongful dismissal.
A HMRC manager who was cited in the tribunal claimed data breaches had been on the rise since the pandemic due to remote working.
The line manager of the claimant wrote an email to staff reminding them never to send personal data outside the tax office's systems.
It said: 'There have been more incidents of this recently as we are working from home a lot more since Covid, but never send anything to your own private email address to print off that contains any personal or business data.'
Former HMRC inspectors said the importance of data security was drilled into employees from their very first day.
Ronnie Pannu, from the advice firm Pannu Tanu told the paper: 'When I was in HMRC, there was always a strong message from above that viewing a taxpayer's records where this was not necessary for a particular purpose was a serious issue which could have serious consequences for the individual concerned.'
John Hood, from the accountancy firm Moore Kingston Smith said: 'Any HMRC employee foolish enough to look up personal information that is not part of their usual responsibilities faces a ticking time bomb as most searches are tracked.
'As an additional security, some parts of the system are restricted so that only specifically authorised personnel can access them, such as the departments dealing with MPs and civil servants'.
All HMRC employees are given mandatory data security training and the government body limits access so workers can only look up customer record if it necessary for their specific role.
The tax office also tracks activity on its systems in order to deter record breaches and deter misuse.
Any employee who breaks the rules is investigated and faces having penalties imposed on them but each incident is dealt with on a case-by-case basis.
Ellen Milner, from the Chartered Institute of Taxation added that taxpayers must be able to trust that the private information they supply will not be leaked or supplied to criminals.
Any serious data breach must be reported to the Information Commissioner's Office.
There were six cases last year of employees changing customer records without permission.
Another two staff lost inadequately protected devices, according to the HMRC's annual report.
The HMRC is currently under mounting pressure to strengthen its data security as online criminal attacks become more sophisticated and it moves towards being a digital-first organisation.
In the past year some 100,000 taxpayers had been affected by phishing attacks.
Criminals used stolen credentials to access their accounts and claim rebates.
There was no financial loss to any individual and a number of arrests have been made.
It cost the taxpayer £47million though.
A spokesperson for HMRC said: 'Instances of improper access are extremely rare, and we take firm action when it does happen, helping prevent a recurrence.
'We take the security of customers' data extremely seriously and we have robust systems to ensure staff only access records when there is a legitimate business need.'
It comes after the HMRC revealed it uses AI to spy on workers' social media posts as part of a tax crackdown.
The tax authority has been using the technology to look at internet posts that might provide evidence of cheating tax bills,
An HMRC spokesperson has insisted the tools are only being used for social media monitoring in criminal investigations and it won't affect the average taxpayer.
They said there are "robust safeguards in place" and it's believed that social media monitoring has been used for a number of years.
But concerns have been raised about whether the technology could be used more widely in future.
HMRC also looks at workers's financial records, spending habits and tax returns to look for evidence of cheating.
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Scottish Sun
6 hours ago
- Scottish Sun
HMRC sacks dozens of staff for snooping on taxpayers and accessing their records without permission
One employee was sacked in 2023 having sent the data of 100 people to his personal email address AX RUMBLE HMRC sacks dozens of staff for snooping on taxpayers and accessing their records without permission Click to share on X/Twitter (Opens in new window) Click to share on Facebook (Opens in new window) HM Revenue and Customs has sacked dozens of workers after they spied on taxpayers and accessed their records without permission. Fifty workers were let go last year for breaking data privacy rules. Sign up for Scottish Sun newsletter Sign up 2 The HMRC says it takes the issue of data security 'extremely seriously' Credit: Getty Since 2022, a total of 354 employees have been disciplined for data security breaches, with 186 having been fired. The tax office has admitted that some of those that were dismissed were found to have looked up taxpayers' confidential information. HMRC holds a huge amount of personal data about taxpayers, including address, salaries and National Insurance numbers. Staff are banned from looking up sensitive information unless they have a genuine business reason. Despite that, a number of employees have been caught accessing personal details using HMRC's IT system. Figures for 2024-25 indicate 96 staff were disciplined for data security breaches, with 50 of those later being dismissed. The information was revealed to The Telegraph following a Freedom of Information request. According to HMRC, that represents less than 0.1 percent of its almost 68,000 employees. The figure is down from the previous year when 138 employees were disciplined and 68 were let go. Those figures cover all data security breaches and not just employees searching for taxpayers' details. HMRC using AI to scan social media for tax evasion investigations These include things like making changes to records without authorisation, losing sensitive documents or not securely disposing of inadequately protected devices. One employee was sacked in 2023 having sent the data of 100 people to his personal email address. The employee was visiting a business as part of a compliance check and he emailed himself a PDF file which contained a list of staff members' details, which included their salaries and National Insurance numbers. The file was later printed off for the meeting using his home computer, according to court documents. The analytics team, which is responsible for highlighting data breaches, then flagged the incident to his line manager and the employee was dismissed for gross misconduct after an investigation was launched. The case was taken to an employment tribunal with the former employee claiming he had not been thinking clearly at the time due to anxiety. The tribunal though threw out his claim for wrongful dismissal. A HMRC manager who was cited in the tribunal claimed data breaches had been on the rise since the pandemic due to remote working. The line manager of the claimant wrote an email to staff reminding them never to send personal data outside the tax office's systems. It said: 'There have been more incidents of this recently as we are working from home a lot more since Covid, but never send anything to your own private email address to print off that contains any personal or business data.' Former HMRC inspectors said the importance of data security was drilled into employees from their very first day. Ronnie Pannu, from the advice firm Pannu Tanu told the paper: 'When I was in HMRC, there was always a strong message from above that viewing a taxpayer's records where this was not necessary for a particular purpose was a serious issue which could have serious consequences for the individual concerned.' John Hood, from the accountancy firm Moore Kingston Smith said: 'Any HMRC employee foolish enough to look up personal information that is not part of their usual responsibilities faces a ticking time bomb as most searches are tracked. 'As an additional security, some parts of the system are restricted so that only specifically authorised personnel can access them, such as the departments dealing with MPs and civil servants'. All HMRC employees are given mandatory data security training and the government body limits access so workers can only look up customer record if it necessary for their specific role. The tax office also tracks activity on its systems in order to deter record breaches and deter misuse. Any employee who breaks the rules is investigated and faces having penalties imposed on them but each incident is dealt with on a case-by-case basis. Ellen Milner, from the Chartered Institute of Taxation added that taxpayers must be able to trust that the private information they supply will not be leaked or supplied to criminals. Any serious data breach must be reported to the Information Commissioner's Office. There were six cases last year of employees changing customer records without permission. Another two staff lost inadequately protected devices, according to the HMRC's annual report. The HMRC is currently under mounting pressure to strengthen its data security as online criminal attacks become more sophisticated and it moves towards being a digital-first organisation. In the past year some 100,000 taxpayers had been affected by phishing attacks. Criminals used stolen credentials to access their accounts and claim rebates. There was no financial loss to any individual and a number of arrests have been made. It cost the taxpayer £47million though. A spokesperson for HMRC said: 'Instances of improper access are extremely rare, and we take firm action when it does happen, helping prevent a recurrence. 'We take the security of customers' data extremely seriously and we have robust systems to ensure staff only access records when there is a legitimate business need.' It comes after the HMRC revealed it uses AI to spy on workers' social media posts as part of a tax crackdown. The tax authority has been using the technology to look at internet posts that might provide evidence of cheating tax bills, An HMRC spokesperson has insisted the tools are only being used for social media monitoring in criminal investigations and it won't affect the average taxpayer. They said there are "robust safeguards in place" and it's believed that social media monitoring has been used for a number of years. But concerns have been raised about whether the technology could be used more widely in future. HMRC also looks at workers's financial records, spending habits and tax returns to look for evidence of cheating.
The Sun
6 hours ago
- The Sun
HMRC sacks dozens of staff for snooping on taxpayers and accessing their records without permission
HM Revenue and Customs has sacked dozens of workers after they spied on taxpayers and accessed their records without permission. Fifty workers were let go last year for breaking data privacy rules. Since 2022, a total of 354 employees have been disciplined for data security breaches, with 186 having been fired. The tax office has admitted that some of those that were dismissed were found to have looked up taxpayers' confidential information. HMRC holds a huge amount of personal data about taxpayers, including address, salaries and National Insurance numbers. Staff are banned from looking up sensitive information unless they have a genuine business reason. Despite that, a number of employees have been caught accessing personal details using HMRC's IT system. Figures for 2024-25 indicate 96 staff were disciplined for data security breaches, with 50 of those later being dismissed. The information was revealed to The Telegraph following a Freedom of Information request. According to HMRC, that represents less than 0.1 percent of its almost 68,000 employees. The figure is down from the previous year when 138 employees were disciplined and 68 were let go. Those figures cover all data security breaches and not just employees searching for taxpayers' details. HMRC using AI to scan social media for tax evasion investigations These include things like making changes to records without authorisation, losing sensitive documents or not securely disposing of inadequately protected devices. One employee was sacked in 2023 having sent the data of 100 people to his personal email address. The employee was visiting a business as part of a compliance check and he emailed himself a PDF file which contained a list of staff members' details, which included their salaries and National Insurance numbers. The file was later printed off for the meeting using his home computer, according to court documents. The analytics team, which is responsible for highlighting data breaches, then flagged the incident to his line manager and the employee was dismissed for gross misconduct after an investigation was launched. The case was taken to an employment tribunal with the former employee claiming he had not been thinking clearly at the time due to anxiety. The tribunal though threw out his claim for wrongful dismissal. A HMRC manager who was cited in the tribunal claimed data breaches had been on the rise since the pandemic due to remote working. The line manager of the claimant wrote an email to staff reminding them never to send personal data outside the tax office's systems. It said: 'There have been more incidents of this recently as we are working from home a lot more since Covid, but never send anything to your own private email address to print off that contains any personal or business data.' Former HMRC inspectors said the importance of data security was drilled into employees from their very first day. Ronnie Pannu, from the advice firm Pannu Tanu told the paper: 'When I was in HMRC, there was always a strong message from above that viewing a taxpayer's records where this was not necessary for a particular purpose was a serious issue which could have serious consequences for the individual concerned.' John Hood, from the accountancy firm Moore Kingston Smith said: 'Any HMRC employee foolish enough to look up personal information that is not part of their usual responsibilities faces a ticking time bomb as most searches are tracked. 'As an additional security, some parts of the system are restricted so that only specifically authorised personnel can access them, such as the departments dealing with MPs and civil servants'. All HMRC employees are given mandatory data security training and the government body limits access so workers can only look up customer record if it necessary for their specific role. The tax office also tracks activity on its systems in order to deter record breaches and deter misuse. Any employee who breaks the rules is investigated and faces having penalties imposed on them but each incident is dealt with on a case-by-case basis. Ellen Milner, from the Chartered Institute of Taxation added that taxpayers must be able to trust that the private information they supply will not be leaked or supplied to criminals. Any serious data breach must be reported to the Information Commissioner's Office. There were six cases last year of employees changing customer records without permission. Another two staff lost inadequately protected devices, according to the HMRC's annual report. The HMRC is currently under mounting pressure to strengthen its data security as online criminal attacks become more sophisticated and it moves towards being a digital-first organisation. In the past year some 100,000 taxpayers had been affected by phishing attacks. Criminals used stolen credentials to access their accounts and claim rebates. There was no financial loss to any individual and a number of arrests have been made. It cost the taxpayer £47million though. A spokesperson for HMRC said: 'Instances of improper access are extremely rare, and we take firm action when it does happen, helping prevent a recurrence. 'We take the security of customers' data extremely seriously and we have robust systems to ensure staff only access records when there is a legitimate business need.' It comes after the HMRC revealed it uses AI to spy on workers' social media posts as part of a tax crackdown. The tax authority has been using the technology to look at internet posts that might provide evidence of cheating tax bills, An HMRC spokesperson has insisted the tools are only being used for social media monitoring in criminal investigations and it won't affect the average taxpayer. They said there are "robust safeguards in place" and it's believed that social media monitoring has been used for a number of years. But concerns have been raised about whether the technology could be used more widely in future. HMRC also looks at workers's financial records, spending habits and tax returns to look for evidence of cheating. 2
Wales Online
10 hours ago
- Wales Online
Council accused of 'throwing money like confetti' to 'gag' staff who leave
Council accused of 'throwing money like confetti' to 'gag' staff who leave Figures show just how much was spent on staff non-disclosure agreements Plaid Cymru's Caerphilly group leader Lindsay Whittle is among the critics of the council's NDA use (Image: Plaid Cymru) A Welsh council has been accused of "gagging" former employees and treating money like 'confetti' after figures showed it spent more than £800,000 last year on staff non-disclosure agreements (NDAs). Caerphilly council signed as many NDAs with staff leaving its employment in 2024/25 as the other four councils in Gwent combined. The council has long had a comparatively high use of NDAs, which over the past five years has cost it more than £2.7million. Critics have questioned the motives, suggesting they could be used to "cover up" issues or "stifle" whistleblowers. Caerphilly council challenged those claims and described the use of NDAs as "common practice" between employers and employees. For our free daily briefing on the biggest issues facing the nation, sign up to the Wales Matters newsletter . In 2023/24 the council signed 41 NDAs for a total cost of around £784,000. It signed fewer agreements last year, but a total of 32 NDAs added up to more than £832,000. A Freedom of Information request by the Local Democracy Reporting Service showed that over the past five years Caerphilly has signed 150 NDAs with departing employees – while, elsewhere in the Gwent region, Newport signed 62, Blaenau Gwent signed 40, Torfaen signed 18 and Monmouthshire signed 17. Article continues below Councillor Nigel Dix, who leads Caerphilly council's independent group, called the use of NDAs "absolutely wrong" and said they should be "banned in the public sector". "Somebody leaves their employment and they are gagged, basically," he said. "It smacks of a cover-up and that is unacceptable." Mr Dix also said he was concerned about a lack of democratic oversight, and accused the council of "throwing money around like it's confetti". Concerns were also raised by the council's Plaid Cymru group leader, councillor Lindsay Whittle, who said the council should "explain in detail" its use of NDAs. "The widespread use of the so-called gagging orders worries me," he said. "What type of information is so confidential that former staff have to be gagged from speaking about them? "Are these NDAs being used as a way of covering up matters within the workings of the council which may be in the public interest?" A Caerphilly council spokesman said: "These types of settlements are not 'gagging orders', they are agreements that are common practice and are used by many employers to facilitate a mutual termination between an employer and employee." On the comparative figures, the spokesman said: "Caerphilly is one of the largest councils in Wales. Therefore, you would expect these figures to be higher than other smaller local authorities." However, population comparisons show Caerphilly's use of NDAs is higher than other authorities. The most recent Welsh figures show Newport's population is more than 90% of Caerphilly county's, yet Caerphilly council's use of NDAs is more than double that of Newport in the last five years. "As front-line services have been cut back, paying out such sums to ex-staff shows a complete lack of priorities and principle, and stifles any attempts by staff who want to 'whistle-blow,'" said one Caerphilly resident and taxpayer. "There's a widespread belief that people are being gagged not to spill the beans on some of the council's gaffes." The council spokesman, however, said NDAs "are only used when a robust business case has been completed to demonstrate their requirement and are, by their nature, designed to minimise the financial impact on the council". Article continues below He added: 'We will continue to carefully monitor the use of such agreements going forward.'
