HMRC Privacy Notice

Find out about HMRC's data protection policy and procedures.



The Data Protection Act 2018 requires organisations who process personal data to meet certain legal obligations.

These are contained within the Data Protection principles. HMRC is a data controller within the meaning of the act and process large volumes of personal data.

Published 18 May 2010
Last updated 6 April 2023 + show all updates
  1. Department for International Trade (DIT) has now changed to the Department for Business and Trade (DBT).

  2. When we may share your personal information with third parties now includes Education and Skills Funding Agency for apprentice levy and Department for Education for policy development and evaluation of training or education and the Department for International Trade, including the UK Export Support Service and Trade Remedies Authority, in support of their trade purposes and activities.

  3. The sections about when we may share your personal information with third parties, how to complain to HMRC have been updated. Sections about data protection principles, coronavirus (COVID-19) and your personal information, automated decision making, the security of your data with third party service providers, rights of access, correction, erasure and restriction, right to withdraw consent, fees required and contacting the Information Commissioner’s Office (ICO) have been removed.

  4. The section 'Contact HMRC or make a complaint' has been updated with the name of the interim Data Protection Officer and the process to follow when making a complaint.

  5. The list of third parties we may share your personal information with has been updated.

  6. Information about what personal data we make publicly available and share with accredited processors and researchers has been updated.

  7. Guidance on when HMRC may share your personal information with third parties has been updated to include the Border Flow Service.

  8. The Data Protection Officer (DPO) appointed by HMRC has changed to Nicholas de Lacy-Brown, to oversee compliance with its data protection obligations.

  9. Information added about how coronavirus (COVID-19) measures may affect how personal information is collected, and sections on how to contact HMRC and the Information Commissioner’s Office updated.

  10. Guidance on when we may share your personal information with third parties has been updated.

  11. The 'Automatic Exchange of Information' link under the 'Data sharing' section has been updated to 'Automatic Exchange of Information Privacy Notice'.

  12. Guidance on how we use particularly sensitive personal information, when we may share your personal information with third parties and information about criminal convictions has been updated.

  13. Guidance has been updated about the kind of information we hold about you, situations in which we’ll use your personal information and when we may share your personal information with third parties. Information about transaction monitoring has been added.

  14. The guidance has been updated to show how you can make a complaint to HMRC, and to update the address of HMRC's Data Protection Officer.

  15. This guidance has been updated with information about the new General Data Protection Regulation (GDPR) 2018 and the Data Protection Act (DPA) 2018.

  16. Updated with information about how to make a subject access request.

  17. This guidance has been updated to explain how requests are made.

  18. First published.