3 days ago
HMRC sacks dozens of staff for snooping on taxpayers
Have you worked or do you work at HMRC? Tell us about a data breach in confidence at: money@ Information that needs a higher level of security can be submitted here. Please see our Privacy Notice.
HM Revenue and Customs sacked 50 workers last year for breaking data privacy rules and snooping on taxpayers' records.
In total, 354 tax employees have been disciplined for data security breaches since 2022, of whom 186 have been fired, The Telegraph can reveal. The tax office admitted that some were dismissed for looking up taxpayers' confidential information.
HMRC holds a vast amount of sensitive data such as addresses, salaries and National Insurance numbers.
Staff are forbidden from looking up these details unless they have a genuine business reason. Despite the warnings, a number of employees have been caught accessing unauthorised accounts using HMRC's IT systems.
In 2024-25, 96 staff were disciplined for data security breaches, of whom 50 were later dismissed, according to data obtained by The Telegraph via a Freedom of Information request.
HMRC said this represented less than 0.1pc of its nearly 68,000 staff.
The numbers have fallen since last year when 138 employees were disciplined, and 68 were given the sack.
The figures covered all data security breaches and not just staff searching for taxpayers' records. Other examples of data breaches include making changes to records without authorisation, losing sensitive documents or failing to securely dispose of inadequately protected devices.
In one incident in 2023, an employee was sacked from HMRC after sending the data of 100 individuals to his personal email address.
According to court documents, the staff member was visiting a business as part of a compliance check when he emailed himself a PDF containing a list of staff members' details – including their salaries and National Insurance numbers – and printed it off for the meeting using his home computer.
The incident was flagged to his line manager by the analytics team responsible for identifying data breaches and he was dismissed for gross misconduct following an investigation.
The worker took HMRC to an employment tribunal, arguing he had not been thinking straight at the time due to anxiety. However, the tribunal dismissed his claim for wrongful dismissal.
Data breaches like this have been on the rise since the pandemic because of remote working, according to one HMRC manager cited in the tribunal.
In an email reminding staff never to send personal data outside the tax office's systems, the line manager of the claimant wrote: 'There have been more incidents of this recently as we are working from home a lot more since Covid, but never send anything to your own private email address to print off that contains any personal or business data.'
Former HMRC inspectors said the importance of data security was drilled into employees from day one.
Ronnie Pannu, of advice firm Pannu Tanu, said: 'When I was in HMRC, there was always a strong message from above that viewing a taxpayer's records where this was not necessary for a particular purpose was a serious issue which could have serious consequences for the individual concerned.'
John Hood, of accountants firm Moore Kingston Smith, said: 'Any HMRC employee foolish enough to look up personal information that is not part of their usual responsibilities faces a ticking time bomb as most searches are tracked.
'As an additional security, some parts of the system are restricted so that only specifically authorised personnel can access them, such as the departments dealing with MPs and civil servants.'
All staff receive mandatory training on data security, and HMRC restricts access so workers can only look up customer records if this is needed for their specific role. In addition, the tax office tracks staff activity on its systems to deter misuse and record breaches.
Employees who break the rules are investigated and will face penalties, with each incident considered on a case-by-case basis.
Ellen Milner, of the trade body the Chartered Institute of Taxation, said: 'Taxpayers have to be able to trust that the private information they provide to HMRC will not be leaked, supplied to criminals or used for any purpose other than that for which it was provided, and in accordance with the law.
'That is why HMRC treats unauthorised access to records and data so seriously, and it is good to see that where breaches happen, HMRC will act.'
On the social network, Reddit, users who claim to work at the Civil Service say they have seen new recruits at HMRC and the Department of Work and Pensions (DWP) fired after looking up their own records or those of friends and celebrities out of curiosity.
In 2021, an administrative officer was sacked from DWP after looking up her neighbour's address using Searchlight, a database containing information about almost everyone in the country.
According to the court documents, DWP workers are explicitly told not to look up themselves, families or celebrities. A DWP employee present at the tribunal described it as 'the number one rule' impressed upon everyone who joined the department.
Serious data breaches must be reported to the Information Commissioner's Office. HMRC's annual report shows that there were six incidents last year of employees changing customer records without permission, and two of staff losing inadequately protected devices.
HMRC is under growing pressure to strengthen its data security as criminal attacks grow more sophisticated and as it shifts towards becoming a digital-first organisation.
It recently emerged that 100,000 taxpayers had been affected by phishing attacks in the past year. Criminals used stolen credentials to access taxpayers' accounts and claim significant sums in rebates. There was no loss to the individuals, who have since been contacted, and a number of arrests were made – but the cost to the taxpayer was £47m.
A spokesman for HMRC said: 'Instances of improper access are extremely rare, and we take firm action when it does happen, helping prevent a recurrence.
'We take the security of customers' data extremely seriously and we have robust systems to ensure staff only access records when there is a legitimate business need.'
