HMRC Privacy Notice

Find out about HMRC's data protection policy and procedures.



The Data Protection Act 2018 requires organisations who process personal data to meet certain legal obligations.

These are contained within the Data Protection principles. HMRC is a data controller within the meaning of the act and process large volumes of personal data.

Published 18 May 2010
Last updated 19 August 2020 + show all updates
  1. The Data Protection Officer (DPO) appointed by HMRC has changed to Nicholas de Lacy-Brown, to oversee compliance with its data protection obligations.

  2. Information added about how coronavirus (COVID-19) measures may affect how personal information is collected, and sections on how to contact HMRC and the Information Commissioner’s Office updated.

  3. Guidance on when we may share your personal information with third parties has been updated.

  4. The 'Automatic Exchange of Information' link under the 'Data sharing' section has been updated to 'Automatic Exchange of Information Privacy Notice'.

  5. Guidance on how we use particularly sensitive personal information, when we may share your personal information with third parties and information about criminal convictions has been updated.

  6. Guidance has been updated about the kind of information we hold about you, situations in which we’ll use your personal information and when we may share your personal information with third parties. Information about transaction monitoring has been added.

  7. The guidance has been updated to show how you can make a complaint to HMRC, and to update the address of HMRC's Data Protection Officer.

  8. This guidance has been updated with information about the new General Data Protection Regulation (GDPR) 2018 and the Data Protection Act (DPA) 2018.

  9. Updated with information about how to make a subject access request.

  10. This guidance has been updated to explain how requests are made.

  11. First published.