Question to the HM Treasury:

To ask the Chancellor of the Exchequer, how many (a) disciplinary actions and (b) dismissals of HMRC officials have there been for unauthorised access to personal data since 1 July 2024.

HMRC takes the security of customer data extremely seriously. Its Systems Audit and Data Analyst (SADA) team have robust systems in place to monitor staff use of systems and to identify any unauthorised access.

When staff are inducted, HMRC gives them clear guidance and information on the use of corporate systems. There are clear processes and policies published that remind staff of their continuing obligations. HMRC also provides annual mandatory learning for all its staff on data security to remind them of their obligations.

HMRC take unauthorised access and the protection of customer data very seriously. When a case of unauthorised access is identified, it is automatically investigated as potential gross misconduct, which means it could lead to the employee’s dismissal (a single offence can result in dismissal).

Since 1^st July 24 to 15^th October 2025 there have 81 cases concluded with a case category of unauthorised access. This has resulted in:

22 resignations

52 dismissals

6 final written warning

1 first written warning