George Bull

Written by: George Bull

Senior Tax Partner

HMRC's aged IT systems put taxpayer data at risk

HMRC’s Annual Report and Accounts 2020 to 2021 summarises HMRC’s performance, including its vision, objectives, commitments, risks and outcomes. As HMRC develops into an increasingly data-driven organisation, it’s informative to see what the report has to say about data and how it is used by the tax authorities.

To put this in context, data is mentioned on 101 of the report’s 382 pages. That’s hardly surprising because, to quote the report, “Making Tax Digital is at the heart of our plans to build a trusted, modern tax system”. To achieve its purpose of collecting the money to pay for the UK’s public support services and to give financial support to people, every year HMRC collects more data from taxpayers, and from a wide range of other sources including financial institutions, other third parties and the tax authorities in other countries. 

HMRC is one of the largest guardians of customer personal data in the UK. The sheer quantity of data available to HMRC raises two significant concerns. First, how safe is that data in HMRC’s hands? Second, how effective is HMRC in linking data to taxpayers so that the correct amount of tax is collected efficiently and effectively, in accordance with HMRC’s values of professionalism, integrity, respect and innovation?

Data protection

With organisations large and small subject to an onslaught of cyber-attacks, it would be unrealistic to expect HMRC to have an unblemished record in protecting taxpayer data. This report confirms that view: during 2020/21 the personal data of 3,011 taxpayers was compromised. Unless you were one of the 3,011 affected taxpayers, at first glance this appears to be a very creditable performance in protecting data. Unfortunately, HMRC itself identifies data protection as one of the main strategic risks which it faces, rated “Red”. 

In its report, HMRC explains that its compliance with data protection legislation is hampered by the age of its IT systems, many of which are in need of modernisation. HMRC is commendably candid in explaining that it needs more resources to meet its data protection obligations and is accelerating its investment to meet those obligations. Although some additional funding has been approved for this purpose, it is clear from the report that substantially more resources are required to significantly reduce the data protection risk. 

A major cyber-attack or other data compliance failure by HMRC would result in:

  • loss of trust;
  • exposing taxpayers to harm by compromising the confidentiality, integrity and availability of their data;
  • compromised commercial relationships; and
  • adverse impact on the UK’s right to exchange data internationally.

To an outsider, it is almost incomprehensible that this risk is allowed to remain at Red when the stakes are so high. HMRC rightly takes pride in its role in providing financial support to taxpayers during the pandemic. If the pandemic has taught us anything, it should be clear that, sooner or later, the biggest and most glaring risks have the potential to become a reality, with devastating consequences. We call on the Chancellor to adequately fund HMRC’s data protection as a matter of urgency.

Data matching

Whether partially completing tax returns to make life easier for self-assessment taxpayers, clamping down on tax fraud or separating people who can’t pay their taxes from people who won’t pay, HMRC uses its CONNECT system to cross-match billions of pieces of data. At its best, this reduces burdens on taxpayers, helping them pay the right amount of tax on time and with the minimum amount of effort. At worst, when this cross-matching makes mistakes, life can become a nightmare for the affected taxpayer. We have seen cases where errors made by HMRC in linking PAYE data to the wrong taxpayer have resulted in benefits being denied, even though the taxpayer was entitled to them. For many honest taxpayers, it is almost impossible to spot errors in cross-matching by HMRC. Even if the error is identified, HMRC simply does not have enough people in the right roles to resolve it quickly.

Reducing the error rate in cross-matching, ensuring that AI systems such as CONNECT learn rapidly from their mistakes, and providing immediate, real-time remedies for affected taxpayers are currently the subject of dialogue between HMRC and the professional bodies. It’s too early to predict how that dialogue will end but systems changes and a dedicated fault-fixing service seem to be the likely solution. If HMRC wishes to maintain public confidence in its digital-by-default services, then it must be able to correct errors without delay. Taxpayers and benefit claimants who are the unwitting victims of cross-matching errors cannot be left suspended in a void.
