Dozens of HMRC staff sacked for snooping on taxpayers’ private records since 2022
Dozens of HMRC staff have been sacked for breaking data privacy rules since 2022, with more than 186 fired for snooping on taxpayers’ confidential information.
In total, the tax office disciplined more than 354 tax employees for data breaches, admitting that some had to be sacked for looking up taxpayers’ private data.
HM Revenue and Customs holds a huge amount of sensitive personal information on British taxpayers – including home addresses, salaries, tax records and National Insurance numbers.
HMRC rules make clear that staff are banned from checking records unless there is a genuine work-related reason.
But figures obtained by The Telegraph under Freedom of Information laws reveal that 50 employees were dismissed in the past year alone after being caught accessing information without authorisation.
In total, 96 staff faced disciplinary action for data breaches between 2024 and 2025, and since 2022 the tally has reached 354 cases – with more than half of those ending in dismissal.
In 2023–24, 138 HMRC employees were disciplined, with 68 sacked – higher than last year’s total. HMRC stresses that overall numbers remain low, affecting less than 0.1% of the department’s 68,000 staff.
Former inspectors say the message is drummed in from day one: looking up a record without good reason is considered gross misconduct.
Ronnie Pannu, of advice firm Pannu Tanu, told the newspaper: “When I was in HMRC, there was always a strong message from above that viewing a taxpayer’s records where this was not necessary for a particular purpose was a serious issue which could have serious consequences for the individual concerned.”
John Hood, of accountants firm Moore Kingston Smith, said: “Any HMRC employee foolish enough to look up personal information that is not part of their usual responsibilities faces a ticking time bomb as most searches are tracked.
“As an additional security, some parts of the system are restricted so that only specifically authorised personnel can access them, such as the departments dealing with MPs and civil servants.”
In one striking case, an employee was sacked in 2023 after emailing himself a PDF containing the personal details of 100 people so he could print it at home for a meeting, according to court documents.
The file contained the names, salaries and National Insurance numbers of staff members.
HMRC’s analytics team flagged the breach, and the man was dismissed for gross misconduct. He later took his case to an employment tribunal, claiming anxiety had clouded his judgment, but judges ruled his sacking was justified.
One HMRC manager cited in the tribunal said data breaches have been on the rise since the pandemic, partly because of remote working.
In an email reminding staff never to send personal data outside the HMRC’s IT system, the claimant’s line manager wrote: “There have been more incidents of this recently as we are working from home a lot more since Covid, but never send anything to your own private email address to print off that contains any personal or business data.”
HMRC says all staff receive mandatory training on data security, and system use is restricted so that employees can only look up private data if they need it for their role.
Workers caught breaking the rules face an investigation and disciplinary action on a case-by-case basis.
Ellen Milner, of the trade body the Chartered Institute of Taxation, said: “Taxpayers have to be able to trust that the private information they provide to HMRC will not be leaked, supplied to criminals or used for any purpose other than that for which it was provided, and in accordance with the law.
“That is why HMRC treats unauthorised access to records and data so seriously, and it is good to see that where breaches happen, HMRC will act.”
Data breaches must be reported to the Information Commissioner’s Office, and HMRC’s own annual report recorded six incidents last year where staff altered records without permission, and two cases where inadequately protected devices were lost.
A spokesman for HMRC said: “Instances of improper access are extremely rare, and we take firm action when it does happen, helping prevent a recurrence.
“We take the security of customers’ data extremely seriously and we have robust systems to ensure staff only access records when there is a legitimate business need.”
Read more similar news:
Comments:
comments powered by Disqus
