Justice Minister responds to concerns over contingency payments and data breach
The Ministry of Justice has confirmed it is awaiting clarification from HMRC on the tax treatment of contingency payments made following the Legal Aid Agency cyber-attack, while ruling out a compensation scheme for additional administrative burdens faced by providers.
In a letter dated 5 February 2026 to Andy Slaughter MP, Chair of the Justice Committee, Justice Minister Sarah Sackman responded to a series of questions concerning the fallout from the cyber incident affecting the Legal Aid Agency.
Addressing concerns about the VAT and tax status of payments made under the LAA contingency scheme, the minister confirmed that officials are engaging closely with HMRC. She said the department had emphasised the urgency of achieving clarity for legal aid firms and would update Parliament and the sector once a definitive position is reached. Guidance, including that relating to VAT treatment, will be aligned and communicated once confirmed.
On the financial impact of the system outage, Sackman stated that no assessment has yet been made of additional billable casework time directly attributable to the disruption. She explained that civil legal aid claims are often submitted over extended periods, sometimes months or years, and that the relevant data from the outage period will not be available for some time.
The LAA continues to process civil casework applications and bills, including work carried out during the outage. Providers who believe they incurred additional billable costs may submit claims through the standard billing process set out in the Costs Assessment Guidance. Digital systems resumed in December.
The minister also addressed whether the MoJ or LAA would introduce a proactive compensation scheme for non-billable administrative time. She acknowledged that some providers had raised concerns about additional burdens during contingency operations but confirmed there are no current plans to establish a compensation scheme. Instead, individual providers may seek redress through the LAA complaints procedure. The department has extended the Average Payment Scheme for civil certificated work and temporarily suspended certain activities, including audits, to ease pressures.
Turning to data protection concerns, Sackman said the department recognises its obligations under Article 34 of UK GDPR. A public notification was issued via GOV.UK, once the malicious nature of the threat was identified. She stated that this was considered an effective method of notifying potentially affected individuals, given the scale of the attack and the risks linked to historic data.
The Information Commissioner’s Office has been informed of the department’s approach, and further action may be taken if analysis identifies individuals facing heightened risk.