Memorandum of Understanding: customer left UK data share business as usual
Published 5 January 2026
© Crown copyright 2026
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/customer-left-uk-data-share-business-as-usual-2025/memorandum-of-understanding-customer-left-uk-data-share-business-as-usual
This memorandum of understanding (MoU) between HM Revenue and Customs (HMRC) and the Home Office (HO) was agreed and implemented in 2025.
1. Participants to the MoU
HMRC is referred to as ‘participant 1’ and the Home Office (HO) as ‘participant 2’. Collectively, they are referred to as ‘the participants’.
1.1 HMRC
| Contact 1 | Contact 2 | |
|---|---|---|
| HMRC Directorate | Customer Service Group Benefits and Credits, Operational Performance Group (OPG) | Customer Service Group Benefits and Credits, Operational Performance Group (OPG) |
| Role | Operational Risk and Readiness Team | Operational Risk and Readiness Team |
This content has been withheld because of likely exemptions under s40(2) in the Freedom of Information Act (FOI) 2000.
1.2 HO
| Contact 1 | Contact 2 | |
|---|---|---|
| HO Directorate | HO data services and analytics | HO data services and analytics |
| Role | product manager | Universal Enrichment Services (UES) support |
This content has been withheld because of likely exemptions under s40(2) in the Freedom of Information Act (FOI) 2000.
2. Introduction
This MoU sets out the information sharing arrangements between ‘the participants’. For the context of this MoU, ‘information’ is defined as a collective set of data and facts that, when shared, will support ‘the participants’ in delivering the purpose of the data sharing activity described below.
Information will only be exchanged where it is lawful to do so. The relevant legal bases are detailed within this agreement. ‘Exchange’ covers all transfers of information between ‘the participants’, including where one participant has direct access to information or systems in the other.
This MoU is not intended to be legally binding. It documents the respective roles, processes, procedures and agreements reached between HMRC and HO. It does not remove or reduce existing legal obligations or responsibilities of each participant, for example, as controllers under the UK General Data Protection Regulation (UK GDPR).
A glossary of terms, definitions of abbreviations of this MoU are detailed in Annex A.
3. Purpose and benefits of the data sharing agreement
3.1 Describe the purpose of the MoU and HMRC’s view of why it is necessary and proportionate
Eligibility for Child Benefit (administered by HMRC) generally depends on the customer being resident in the United Kingdom. Child Benefit fraud and error occur when customers leave the UK (with no return within 12 weeks) without reporting this change in their residency status.
This content has been withheld because of likely exemptions under section 31(1)(a) in the Freedom of Information Act (FOI) 2000.
The purpose of this data sharing request is to match advanced passenger information (UK exit and entry) data from HO systems against Child Benefit data. A proof of concept, which was documented in a Data Usage Agreement (dated 12 October 2023), has shown that this can help identify customers who may be residing abroad without notifying HMRC. The data was transferred via the Secure Data Exchange Service (SDES), reference OD-14846 and ID-15717.
This request is to now move the data share from proof of concept (which was agreed through the Digital Economy Act Governance Board in November 2023) into Business as Usual (BAU).
Justification for moving the data share into BAU:
The proof of concept saw HMRC send a randomised sample of the Child Benefit customer base (200,000 customer records) to HO in February 2024, with HO returning over 4,000 matches (2%) when compared with UK exit and entry data.
Extrapolating these results from the proof of concept up to the full customer base suggests an estimated 1% of customers with an undeclared change in residency status. Recognising that fraud can persist for several years without intervention, we estimate that moving the data share into BAU could prevent future losses of approximately £350 million if worked over a 3 to 5-year period.
This benefits projection uses a conservative two-and-a-half-year multiplier for estimating future loss prevention potential.
HMRC are now in a position where we would like to introduce this data matching within its business as usual functions.
This content has been withheld because of likely exemptions under section 31(1)(a) in the Freedom of Information Act (FOI) 2000.
3.2 What are the specific aims of the data sharing agreement?
To reduce Child Benefit fraud and error, preventing future losses to the Exchequer of approximately £350 million from the fraud investigations enabled by the data share (if worked over a 3 to 5 year period).
To support efforts required by the National Audit Office (NAO) for the lifting of their qualification of HMRC’s accounts due to fraud and error levels in Child Benefit.
3.3 How will the data being shared help achieve those aims?
The data will help to identify customers who may be continuing to receive Child Benefit incorrectly, as a result of leaving the UK (for a period of greater than 12 weeks), without having notified HMRC.
HMRC will use the data as part of their BAU compliance processes to investigate the suspected residence change and to terminate those awards where fraud and error is confirmed.
3.4 Describe the benefits that the participants hope to bring to individuals or society or the wider impact, such as reduction in fraud and debt, supports UK economy, benefits HMRC customers
The benefits from the related Child Benefit compliance activity are categorised as the ‘prevention of losses to the Exchequer’, which is in effect ‘protecting the public purse’.
Tackling fraud and error in the welfare system ensures that public money goes to the right people and ensure that the welfare system is sustainable.
Any savings from the compliance activity can be used to support wider government priorities, such as the government’s commitment to reduce child poverty.
4. Type of data being shared under this agreement
4.1 Does this MoU agreement involve the exchange of Personal Data?
Yes
5. Data Protection Impact Assessment (DPIA)
5.1 HMRC – DPIA completed
-
DPIA reference number: 15489
-
date registered: 11 July 2024
-
date last reviewed: 17 June 2025
5.2 HO – DPIA completed
-
DPIA reference number: HMRC11 - UES Child Benefit Abroad Fraud Data Sharing
-
date registered: 9 May 2025
-
date last reviewed: 9 May 2025
6. Relationships under UK GDPR in respect of any personal data being exchanged under this agreement
6.1 Status of HMRC under UK GDPR
HMRC will be disclosing personal data under this agreement.
Where personal data is being disclosed under this agreement, HMRC’s status will be a controller because HMRC separately determines the purpose and means of the processing of the personal data.
6.2 Status of HO under UK GDPR
HO will be receiving personal data under this agreement.
Where personal data is being received under this agreement, HO status will be a controller because they separately determine the purpose and means of the processing of the personal data after transfer.
7. Handling of personal data and security
Where participants bear the responsibility of a data controller, they must ensure that any personal data received pursuant to this MoU is handled and processed in accordance with the current 7 UK GDPR principles.
Additionally, as part of the government, HMRC and HO must process personal data in compliance with the mandatory requirements set out in HM Government Security Policy Framework guidance issued by the Cabinet Office when handling, transferring, storing, accessing or destroying information assets.
Participants must ensure effective measures are in place to protect personal data in their care and to manage potential or actual incidents of data loss. Such measures include, but are not limited to:
-
personal data should not be transferred or stored on any type of portable device unless absolutely necessary, and if so, it must be encrypted, and password protected to an agreed standard
-
participants will take steps to ensure that all staff involved in the data sharing activities are adequately trained and are aware of their responsibilities under the Data Protection Act 2018 (DPA), UK GDPR and this MoU
-
access to personal data received by participants pursuant to this MoU must be restricted to personnel on a legitimate need-to-know basis, and with security clearance at the appropriate level
-
participants will comply with the Government Security Classifications Policy, where applicable
8. Duration, frequency and volume of the data sharing
Date MoU comes into effect: 1 July 2025
Date by which MoU needs to be formally reviewed: 1 July 2026
Date MoU will cease to be valid: 31 December 2030
Frequency and volume of data being shared:
HMRC will share Child Benefit customer records with HO each week.
This content has been withheld because of likely exemptions under 31(1(a) in the Freedom of Information Act (FOI) 2000.
The Home Office will return resultant matches with their UK exit and entry data.
This content has been withheld because of likely exemptions under 31(1(a) in the Freedom of Information Act (FOI) 2000.
9. Legal considerations and basis to share data between ‘the participants’
HMRC has specific legislation within the Commissioners for Revenue and Customs Act 2005 which covers the confidentiality of information held by the department, when it is lawful to disclose that information and legal sanctions for wrongful disclosure. For HMRC, disclosure of information is precluded except in certain limited circumstances (broadly, for the purposes of its functions, where there is a legislative gateway or with customer consent). Unlawful disclosure relating to an identifiable person constitutes a criminal offence. The criminal sanction for unlawful disclosure is detailed at section 19 of the Commissioners for Revenue and Customs Act (CRCA) 2005.
Data can only be shared where there is a legal basis for the exchange and for the purposes described in this MoU as specified in the sections below. No data should be exchanged without a legal basis and all exchanges must comply with our legal obligations under both the DPA 2018 and Human Rights Act (HRA) 1998.
9.1 Relevant legal basis and bases for HMRC to disclose data
Under section 18 (1) of the CRCA 2005, HMRC is bound by a strict duty of confidentiality meaning that HMRC officers may not disclose information HMRC holds for its functions. However, HMRC information may be disclosed where one of the statutory exceptions in section 18 (2) CRCA 2005 apply or where disclosure is permitted under any other enactment pursuant to section 18 (3) CRCA 2005.
Any person who discloses HMRC information which identifies a taxpayer without a lawful basis to do so under either section 18 (2) or (3) of CRCA 2005 potentially commits a criminal offence of wrongful disclosure pursuant to section 19 CRCA 2005. A person found guilty of an offence may receive an unlimited fine, imprisonment of up to 2 years or both.
In this case, disclosure is permitted by virtue of Part 5, Chapter 4 of the Digital Economy Act (DEA) 2017 and section 56. This permits disclosure between specified persons for the purposes of acting in connection with fraud against a public authority.
Specified persons for the purposes of section 56 powers are set out in schedule 8 of DEA 2017 and include HO at paragraph 1 and HMRC at paragraph 14.
9.2 Relevant legal basis and bases for HO to disclose data
Common law power of the Secretary of State to transfer information (where the above do not apply).
10. Lawful basis under UK GDPR to process personal data
Personal data can only be processed (transferred, disclosed) where there is a valid lawful basis and bases as set out in article 6 of UK GDPR - see Information Commissioner’s Office (ICO) guidance
10.1 Relevant lawful basis for HMRC to process (share) personal data
The lawful basis for HMRC and HO is UK GDPR Article 6 (1)(e) processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller namely the exercise of a function of the Crown, a Minister of the Crown, or a government department (Data Protection Act 2018, section 8 (d)).
10.2 Relevant lawful basis for HO to process (share) personal data
The lawful basis for HMRC and Home Office is UK GDPR article 6(1)(e), processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, namely the exercise of a function of the Crown, a Minister of the Crown, or a government department (Data Protection Act 2018, section 8(d)).
11. Data to be shared and systems it will be derived from
11.1 Describe the types of data or data fields being shared and their source systems
HO hold passenger UK entry and exit data, known as advanced passenger information, which shows individuals who have left the UK and may not have returned.
The process is as follows:
- HMRC to extract customers from its Child Benefit adult customer data each week
This content has been withheld because of likely exemptions under 31(1)(a) in the Freedom of Information Act (FOI) 2000.
-
this information will be sourced from a monthly extract of Child Benefit customers received by the Benefits and Credits analysts
-
the data is passed to Home Office via SDES
-
HO match this information against their arrivals and exits data to establish those customers who have left the UK without return within a specific period
-
HO return the matches via SDES
-
HMRC use the data to initiate enquiries, to substantiate the identified risk
The data supplied to HO from Child Benefit will be:
-
customer National Insurance number
-
customer name
-
customer date of birth
-
customer addresses and postcode
The data returned by Home Office will be:
-
passenger National Insurance number
-
passenger name
-
passenger date of birth
-
date left the UK
-
date returned to UK (where applicable)
-
customer addresses and postcode
-
destination
HO will:
-
on receipt move the information into a secure folder with the appropriate restricted access
-
only allow access to that information by the team carrying out the matching
-
ensure that staff handle this data in line with the approved secure transfer method agreed by both departments and within HO data security instructions
-
will only store the information for as long as it takes to complete the matching. HO will then securely destroy the data within 3 months of receipt
-
match the data to HO data sets
-
in response provide HMRC with confirmation that the individual matches a record held by HO
-
supply the above data fields
-
this will be provided in a Microsoft Excel Comma-Separated Values format transferred by SDES from and to agreed contact points
-
not onward disclose HMRC data to a third party without prior written consent from Benefits and Credits
The Home Office will match the Child Benefit records against their UK exit and re-entry data.
This content has been withheld because of likely exemptions under section 31(1)(a) in the Freedom of Information Act (FOI) 2000.
11.2 What is the government security classification for the data being shared?
Official - sensitive
11.3 Is there any special category data, sensitive data or criminal offence data being shared?
No
12. How the data will be shared
Data will be shared both ways via SDES under reference ID-23180 and OD-23239.
12.1 Will direct (or browser) access to HMRC systems be granted?
No
13. Accuracy of the data being shared
Before sharing data, both participants must take all reasonable steps to ensure that the data being shared is both accurate and up to date.
The exporting department will ensure that data integrity meets their own department’s standards, unless more rigorous or higher standards are set out and agreed at the requirements stage.
Participants will notify each other of any inaccuracies of the data as they are identified.
14. Retention and destruction of data
14.1 State how long the data will be retained for by each participant and what their arrangements are for secure storage, and disposal or destruction of data
HMRC will:
- only store the information for the duration of the matching exercise
This content has been withheld because of likely exemptions under section 31(1)(a) in the Freedom of Information Act (FOI) 2000.
- HO returned data will be received through SDES
This content has been withheld because of likely exemptions under section 31(1)(a) in the Freedom of Information Act (FOI) 2000.
-
records of completed investigations are to be retained as per BAU retention rules (6 years plus 1)
-
data will be deleted using HMRC deletion functions
This content has been withheld because of likely exemptions under section 31(1)(a) in the Freedom of Information Act (FOI) 2000.
This process was audited by HMRC Security in November 2024 with them agreeing this be extremely secure.
HO will:
-
on receipt move the information into a secure folder with the appropriate restricted access
-
only allow access to that information by the team carrying out the matching
-
only store the information for as long as it takes to complete the matching. HO will then securely destroy the data within 3 months of receipt
14.2 State what access controls each participant will have in place to ensure access to the data will only be provided to authorised personnel with the appropriate security clearance
HMRC will:
- handle the data from SDES within a secure environment
This content has been withheld because of likely exemptions under section 31(1)(a) in the Freedom of Information Act (FOI) 2000.
- all analysts are vetted to security cleared
This content has been withheld because of likely exemptions under section 31(1)(a) in the Freedom of Information Act (FOI) 2000.
HO will:
-
on receipt move the information into a secure folder with the appropriate restricted access
-
only allow access to that information by the team carrying out the matching
-
ensure that staff handle this data in line with the approved secure transfer method agreed by both departments and within HO data security instructions
-
will only store the information for as long as it takes to complete the matching. HO will then securely destroy the data within 3 months of receipt
-
match the data to HO data sets
15. Onward disclosure to third parties
15.1 HO agrees to seek permission from HMRC before any onward disclosure of information to a third party and will only disclose any information if permission is granted.
15.2 Where permission for onward disclosure is granted by HMRC, describe how the onward transfer of information from HO to the third party will be handled, if allowed, under the legal basis
There is no requirement for onward sharing.
While there is scope in the future to request permission for onward sharing, there are no plans or expectations that any such request will be made.
16. Role of each participant to the MoU
16.1 Role of HMRC
The following is the minimum expected of HMRC:
-
identify the appropriate data required from HMRC IT systems and records
-
provide the data to HO in Excel format transferred securely by SDES from and to agreed contact points
-
only allow access to that data by the team requiring it
-
ensure that staff handle this data in line with the approved secure transfer method agreed by both departments and within HMRC data security instructions
-
only store the data for as long as there is a business need to do so
-
move, process and destroy data securely, in line with the principles set out in the government Security Policy Framework issued by the Cabinet Office when handling, transferring, storing, accessing or destroying information
-
comply with the requirements in the framework, and in particular prepare for and respond to security incidents and report any data losses, wrongful disclosures or breaches of security relating to information
16.2 Role of HO
The following is expected of HO:
-
identify the appropriate data required from HMRC
-
only use the information for purposes that are in accordance with the legal basis under which it was received
-
only hold the data for as long as there is a business need to do so
-
ensure that only people who have a genuine business need to see the data will have access to it
-
on receipt, store data received securely and in accordance with the prevailing central government standards, for example in secure premises and on secure IT systems
-
move, process and destroy data securely, in line with the principles set out in government Security Policy Framework, issued by the Cabinet Office when handling, transferring, storing, accessing or destroying information
-
comply with the requirements in the government Security Policy Framework and in particular prepare for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
-
if HO adheres to a different set of security standards, they must inform HMRC what these standards are below and comply with any additional security requirements specified by HMRC
-
seek permission from HMRC before onward disclosing information to a third party
-
seek permission from HMRC if you are considering offshoring any of the personal data shared under this agreement
-
mark information assets with the appropriate government security classification and apply the baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out Government Security Classifications, issued by the Cabinet Office, and as a minimum the top level controls framework to the government security classification
-
where applicable, send the data in Excel format via secure SDES agreed by both departments under the protective marking ‘Official / Official-Sensitive’
16.3 If HO adheres to different security standards, please state what these standards are here
Not applicable
17. Monitoring and reviewing arrangements
This MoU relates to a regular exchange that must be reviewed annually to assess whether the MoU is still accurate and fit for purpose.
Reviews outside of the proposed review period can be called by representatives of either participant. Any changes needed as a result of that review may be agreed in writing and appended in this document at the formal review date.
Technical changes necessary to improve the efficiency of the exchange that do not change the overarching purpose can be made without the requirement to review the MoU formerly during its life cycle, but must be incorporated at the formal review stage.
A record of all reviews will be created and retained by each participant.
Appendix 2 outlines the contacts for amendments to the MoU. Appendix 1 sets out the document control, and the version history of the MoU.
18. Assurance arrangements
HMRC has a duty of care to assure any data that is passed on to others. Processes covered by this MoU will be subject to annual reviews from the date of sign off. HMRC may also choose to introduce ad hoc reviews.
Assurance will be provided by the annual completion of a certificate of review and assurance. The assurance processes should include checking that any information sharing is achieving its objectives, in line with this MoU, and that the security arrangements are appropriate given the risks.
HO agrees to provide HMRC with a signed certificate of review and assurance within the time limits specified upon request.
HMRC reserves the right to review the agreed risk management, controls, and governance in respect of this specific agreement.
19. Security beaches, security incidents or loss or unauthorised disclosure of data
The designated points of contact are responsible for notifying the other participant in writing in the event of loss or unauthorised disclosures of information within 24 hours of the event.
The designated points of contact will discuss and agree the next steps relating to the incident, taking specialist advise where appropriate. Such arrangements will include, but will not be limited to, containment of the incident and mitigation of any ongoing risk, recovery of the information, and notifying the ICO and the data subjects. The arrangements may vary in each case, depending on the sensitivity of the information and the nature of the loss or unauthorised disclosure.
20. Subject access request
In the event that a subject access request (SAR) is received by either participant, they will issue a formal response on the information that they hold following their internal procedures for responding to the request within the statutory timescales. There is no statutory requirement to redirect SARs or provide details of the other participant in the response. However, each participant will notify the other if a SAR is received in respect of any personal data shared under this agreement.
Full details of data subject’s rights in relation to processing of personal information can be found in each participant’s privacy notice as well as ICO guidance, using the following links:
21. Freedom of Information Act 2000
Both participants are subject to the requirements of the Freedom of Information Act 2000 and shall assist and co-operate with each other to enable each organisation to comply with their information disclosure obligations.
In the event of one participant receiving an Freedom of Information (FOI) request that involves disclosing information that has been provided by the other participant, the organisation in question will notify the other to allow it the opportunity to make representations on the potential impact of disclosure.
All HMRC FoI requests must be notified to the foi.team@hmrc.gov.uk
22. Issues, disputes and resolution
Any issues or disputes that arise as a result of the exchange covered by this MoU must be directed to the relevant contact points. Each participant will be responsible for escalating the issue as necessary within their given management structure.
Where a problem arises, it should be reported as soon as possible. Should the problem be of an urgent nature, it must be reported by phone immediately to the designated business as usual contact, and followed up in writing the same day. If the problem is not of an urgent nature it can be reported in writing within 24 hours of the problem occurring.
23. Costs
Funding has been agreed using the Customer Service Group cost centre, and a purchase order has been raised and provided to the Home Office.
24. Termination
This MoU may be terminated by giving 3 months’ notice by either participant.
Both participants to this MoU reserve the right to terminate this MoU within 3 months notice in the following circumstances:
-
by reason of cost, resources or other factors beyond the control of HMRC or HO
-
if any material change occurs which, in the opinion of HMRC and HO, following negotiation significantly impairs the value of the data sharing arrangement in meeting their respective objectives
In the event of a significant security breach or other serious breach of the terms of this MoU by either participant, the MoU will be terminated or suspended immediately without notice.
In the event of a failure to cooperate in a review of this MoU or provide assurance, the agreement may be terminated or suspended without notice.
25. Signatories
25.1 HMRC
This content has been withheld because of likely exemptions under 40(2) in the Freedom of Information Act (FOI) 2000.
| date | 24 June 2025 |
|---|---|
| position | HMRC Grade 6 Child Benefit process and data owner |
This content has been withheld because of likely exemptions under 40(2) in the Freedom of Information Act (FOI) 2000.
25.2 HO
This content has been withheld because of likely exemptions under 40(2) in the Freedom of Information Act (FOI) 2000.
| print name | Andy Gregory |
|---|---|
| date | 18 June 2025 |
| position | Deputy Director, data services and analytics |
This content has been withheld because of likely exemptions under 40(2) in the Freedom of Information Act (FOI) 2000.
26. Appendices and Annexes
26.1 Appendix 1 - document control
Document control personnel
| key personnel | organisation |
|---|---|
| author | HMRC and HO |
| approver | HMRC and HO |
| review control | HMRC and HO |
This content has been withheld because of likely exemptions under 40(2) in the Freedom of Information Act (FOI) 2000.
Version history
| Version | Date | Summary of changes | Changes marked | |
|---|---|---|---|---|
| 0.7 | 4 April 2025 | initial draft shared for DEA board agreement | Not applicable | |
| 0.8 | 29 May 2025 | revised version accounting for DEA board amendment requests | Yes | |
| 1.0 | 26 June 2025 | final version, with a small number of remaining comments accounted for and now signed by both parties, all content also moved into recently updated MoU template | No |
26.2 Appendix 2 - business contacts
Business as usual contacts for HMRC
This content has been withheld because of likely exemptions under 40(2) in the Freedom of Information Act (FOI) 2000.
| Contact | Responsibility | |
|---|---|---|
| operational queries | ||
| information policy and disclosure | ccp.disclosure@hmrc.gov.uk | legal issues |
| review and amendments to MoU | ||
| security and information business partner | customerservicessecurityincidents@hmrc.gov.uk | security incidents |
| information rights unit | informationrightsunit@hmrc.gov.uk | subject access requests (SARs) |
| solicitors office and legal services - FOI team | foi.team@hmrc.gov.uk | freedom of information |
| HMRC Office of the data protection office | 7834189@internal.hmrc.gov.uk | advice on data protection issues - UK GDPR, DPA 2018 |
This content has been withheld because of likely exemptions under 40(2) in the Freedom of Information Act (FOI) 2000.
Business as usual contacts for HO
This content has been withheld because of likely exemptions under 40(2) in the Freedom of Information Act (FOI) 2000.
| Contact | Responsibility | |
|---|---|---|
| Chirag Lathia business analyst, data services and analytics, digital data and technology | operational queries | |
| Stephen Quick head of operational data compliance, data services and analytics, digital data and technology | legal issues | |
| Isra Hussain head of data sharing and protocols team, data services and analytics, digital data and technology | review and amendments to MoU | |
| HO security | HOSecurity-DataIncidents@homeoffice.gsi.gov.uk | security incidents |
| subject access request unit | info.access@homeoffice.gov.uk | subject access requests (SARs) |
| knowledge and information management unit | info.access@homeoffice.gov.uk | freedom of information |
26.3 Annex A - Glossary of terms and abbreviations
| Definition | Interpretation | |
|---|---|---|
| Ad hoc transfer | is defined as being bulk data with a protective marking of restricted or above and the transfer is part of a pilot or project with a definitive end date | |
| Date controller | has the meaning set out in Article 4 UK GDPR or, in respect of processing of personal data for a law enforcement purpose to which Part 3 of the Data Protection Act 2018 applies, the meaning in that Part if different | |
| Date processor | has the meaning set out in Article 4 UK GDPR or, in respect of processing of personal data for a law enforcement purpose to which Part 3 of the Data Protection Act 2018 applies, the meaning in that Part if different | |
| Date protection legislation | means the General Data Protection Regulation, the UK GDPR, the Data Protection Act 2018 and all applicable laws and regulations relating to processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner | |
| Direct access | covers an information sharing instance where the receiving department accesses the Information via direct, or browser, access to the source system rather than as an extracted information transfer. This agreement will require specific terms and conditions ensuring that access is appropriate and correctly applied, managed and recorded | |
| FoIA | means the Freedom of Information Act 2000 and any subordinate legislation made under this Act together with any guidance and/or codes of practice issued by the information commissioner or ministry of justice in relation to such legislation | |
| Granting access | the governance and authority surrounding the authorisation of a person to have access to a system | |
| Human Rights Act 1998 | an Act to give further effect to rights and freedoms guaranteed under the European Convention on human rights. Public authorities like HMRC must follow the act | |
| Information Asset Owner (IAO) | means the individual within a directorate, normally the director, responsible for ensuring that information is handled and managed appropriately | |
| Law | means any applicable law, statute, bye-law, regulation, order, regulatory policy, guidance or industry code, rule of court or directives or requirements of any regulatory body, delegated or subordinate legislation or notice of any regulatory body | |
| Provisioning Access | the technical channels through which access is made possible, including the request tools associated with this | |
| Public sector body | this will generally be another government department (OGD) but could be another public sector body (e.g. Local Authority). Information sharing with a private sector body with which HMRC has a commercial relationship needs to be covered by a commercial contract, not a memorandum of understanding | |
| Regulatory bodies | means those government departments and regulatory statutory and other entities, committees and bodies which, whether under statute, rules, regulations, codes of practice or otherwise, are entitled to regulate, investigate, or influence matters dealt with in this agreement and “regulatory body” shall be construed accordingly | |
| Senior information risk owner (SIRO) | provides high level assurance of compliance with HMRC’s Information Asset data protection obligations. |