Guidance

Open Banking Privacy Notice

Published 23 March 2021

The purpose of this document

This privacy notice describes how HMRC uses your personal information when you use Open Banking to make a payment. When you choose ‘pay by bank account’ to pay HMRC, you are using Open Banking.

This policy only relates to the Open Banking payment initiation process. It does not relate to other payment methods, such as when you pay by bank transfer or credit or debit card.

You should read the HMRC Privacy Notice alongside this privacy notice.

What Open Banking is

This is a new payment method where you safely transfer money to us directly from your bank account, through an authorised third-party provider.

You only use this payment method when you choose ‘pay by bank account’ to pay HMRC.

Open Banking is a safe way to pay and is regulated by the Financial Conduct Authority (FCA).

Who Ecospend are

Ecospend are the third-party provider for this new payment method and are an authorised payment institution regulated by the FCA. You can find further information about them, including their FCA Registration number, on the Ecospend website.

Why we collect your personal data

To allow HMRC to collect the payment, we will pass the following information about you to Ecospend:

  • your payment reference number
  • the amount you want to pay
  • your Unique Tax Reference (UTR) — this may be included as part of your payment reference number, but it will not be shared for any other reason

This will only be passed on with your permission. No other information about you will be shared with Ecospend.

How we share your data

We share your data with Ecospend using an API (Application Programming Interface). This is a secure way to share details without having to reveal any of your information to anyone other than Ecospend and your bank.

How we use your data

Ecospend will use your data to make a payment request to your bank. They will fill in the payment reference and amount, so that you do not have to input these.

You need to sign in to your online banking or mobile app to approve your payment. Your bank will then action the payment request.

Your password and sign-in details will only be shared with your bank.

If you do not want to share your data using Open Banking

You do not have to use Open Banking and share your data with Ecospend to make a payment. You can choose another way to pay HMRC.

By selecting ‘approve this payment’ you are consenting to this policy and giving your permission to be transferred to your bank to make the payment.

You will be redirected to your bank or building society to securely sign in and approve the payment.

The security of your data with third-party service providers

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We only permit them to process your personal data:

  • for specified purposes and in accordance with our instructions
  • with our agreement

How your data is stored safely

The data is stored in an encrypted format and certain fields, such as the payment reference, are further encrypted.

Our third-party service providers will only process your personal information on our instructions or with our agreement, and where they have agreed to:

  • treat the information confidentially
  • keep it secure

You can read more about the measures we have put in place to keep your information secure in the HMRC Privacy Notice.

How long we keep your data

Ecospend retains payment transaction data for 5 years in accordance with payment legislation, including The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.

Your rights

You can read about your rights in the HMRC Privacy Notice.

Contact HMRC or make a complaint

You can contact us if you have questions about this privacy notice or want to make a complaint.

Changes to this privacy notice

We keep our privacy notices under regular review.

If we make changes to this notice, we’ll update the date at the top of this page. Changes will apply to you and your data from that date.