HMRC Privacy Notice
Updated 9 October 2024
The purpose of this document
HMRC is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you in accordance with data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018.
We have a separate privacy notice which describes how we collect and use personal information about our staff in relation to their employment.
HMRC is a data controller. This means that we are responsible for deciding how we hold and use personal information about you. HMRC is also the data controller for the Valuation Office Agency (VOA), which includes Rent Officers as well as the Adjudicator’s Office.
In certain circumstances, when HMRC delivers services in partnership with another public authority, HMRC will be a joint data controller or processor with that public authority.
We are required under data protection legislation to notify you of the information contained in this privacy notice.
It is important that you read this notice, together with any other privacy notice that is provided on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using your information.
HMRC is a statutory body with statutory functions. In addition to our obligations under data protection laws, we also have a statutory duty of confidentiality which is set out in legislation in the Commissioners for Revenue and Customs Act 2005. HMRC will only disclose your information where we are legally allowed to do so.
The kind of information we hold about you
Personal data, or personal information, means any information about an individual from which that person can be identified directly or indirectly. It does not include data where the identity has been removed (anonymous data).
There are special categories of more sensitive personal data which require a higher level of protection.
We process data about:
- members of the public
- customers and clients
- businesses
- suppliers and service providers
- advisers, consultants and other professional experts
- complainants and enquirers
- agents and representatives
- relatives, children, guardians, dependants and associates
- offenders and suspected offenders
- employees
We collect, store and use certain categories of personal information about you such as:
- personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
- gender
- marital status and dependents
- National Insurance number
- bank account details
- information about your income
- information about your employment
- information about your business activities
- information about your domestic and business properties
- passport and driving licence information
We’ll also collect, store and use certain special categories of more sensitive personal information such as:
- biometric data, such as voice recognition data
- information about criminal convictions, allegations and offences, where relevant in relation to our functions
- health data where it is relevant to claims for Tax Credits or Universal Credits
- health data where it is relevant to our commitment in the HMRC Charter to give you extra support if you need it
How your personal information is collected
We collect personal information directly from you in circumstances such as:
- when you submit your Income Tax and other tax returns
- when you register with HMRC for VAT or other purposes
- when you claim tax credits or Child Benefit
- when you register for one of HMRC’s services
- when we enable you to access HMRC and other government services
- when you contact Valuation Office Agency about rating lists, valuation lists and valuation of property
- when you contact Rent Officers for the provision of valuations and other advice for Housing Benefit and Fair Rents
- when you apply for Tax-Free Childcare
- when you call the HMRC helpline, and we routinely record calls for our functions and for quality, training and security purposes
- whenever you contact us
We’ll also collect your personal information directly from third parties such as:
- your employer when they provide us with your information for Income Tax and National Insurance purposes
- other government departments and public authorities
- credit reference agencies
- banks and other financial institutions
- publicly available sources
- other people you do business with
- your agent or representative
- overseas tax authorities
How we use your information
We’ll only use your personal information when the law allows us to. Most commonly, we’ll use your personal information where:
- we need to comply with a legal obligation
- it’s necessary for the performance of a task carried out in the public interest or in the exercise of our official authority as a government department
- it’s necessary for the purposes of the prevention, investigation, detection or prosecution of criminal offences
HMRC has civil and criminal investigative powers. We routinely examine and obtain business records, which can contain personal data such as employee and customer data, so that we can carry out our functions as a government department.
In limited circumstances we’ll ask you for your consent to use your personal information, but your consent is not required if any laws require the information, and it is necessary for our functions as a government department.
If you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. We’ll have told you how to withdraw your consent when you provided it and you should follow that process.
Situations in which we’ll use your personal information
We need all the categories of information to enable us to comply with legal obligations and carry out our functions as a government department.
However, we’ll only collect and use your personal data when it is necessary to do so for the purposes of one or more of our functions, including when complying with legal obligations.
We’ll process your personal information when carrying out HMRC’s responsibilities in relation to:
- Income Tax
- Corporation Tax
- Capital Gains Tax
- Inheritance Tax
- Insurance Premium Tax
- Petroleum Revenue Tax
- environmental taxes
- land taxes
- stamp taxes
- Climate Change Levy
- Aggregates Levy
- Landfill Tax
- VAT, including import VAT
- Customs Duty and procedures
- excise duties
- Trade Statistics
- National Insurance contributions
- tax credits
- Child Benefit
- enforcement of the National Minimum Wage
- recovery of student loan repayments
- Gift Aid
- Tax-Free Childcare and 30 hours free childcare
- COVID-19 schemes
- Cost of Living Payments
We’ll process your personal data when carrying out Valuation Office Agency responsibilities in relation to:
- rating and valuation lists for England and Wales
- valuation of property in England, Wales and Scotland, including for the purposes of taxes administered by HMRC and the provision of statutory and non-statutory property valuation services
- providing valuations and other advice for Housing Benefit and fair rents
We may also process your personal data in the following circumstances:
- when carrying out any of our lawful functions
- to check the data we hold about you is accurate and up to date
- to compare it against other information to help combat fraud and crime
- to check any entitlements or benefits that you may have
- to help us confirm your identity when you contact us or access our services
- to provide and improve services to you so that you can manage your tax and benefits
- to produce statistics
- to conduct research which benefits our functions
- to contact you in relation to our functions and activities
- to enable you to access our services and other government services, including the use of GOV.UK One Login to verify your identity
- to test whether an IT system or process is functioning correctly in an effective manner before it goes live
Read more about:
- HMRC’s functions and services
- Valuation Office Agency’s functions and activities
- the research which benefits our functions
Transaction monitoring and cookies
In order to protect your data and our services HMRC operates transaction monitoring capabilities. This records how you connect to our systems, and what you do whilst you are on them. Read more information in our transaction monitoring privacy notice.
You can read more about how we use cookies on the GOV.UK cookies page and the HMRC cookies page.
Artificial Intelligence, analytics and machine learning
HMRC will only use Artificial Intelligence (AI), including analytics and machine learning where the law allows us for the purposes of the assessment or collection of a tax or duty, or the prevention or detection of crime. AI helps us learn more about large amounts of data, improve our customer services and prevent and respond to non-compliance amongst our customers.
When buying or developing and deploying systems that involve AI and processing personal data, HMRC complies with our data protection, security, and ethical professional standards. HMRC’s use of AI does not replace human judgement when collecting taxes or determining benefits, and our customer services processes always involve human agents.
If you fail to provide personal information
If you fail to provide certain information when legally required to do so, you may be subject to penalties. We’ll tell you when you are legally obliged to provide information and the consequences of not doing so.
Change of purpose
When we get information for one of our functions under the Commissioners for Revenue and Customs Act 2005, we may use that information for our other functions.
We’ll therefore use your personal information for any of the purposes set out if we reasonably consider that we need to do so.
How we use particularly sensitive personal information
Special categories of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.
We will, if necessary, process special categories of personal information in the following circumstances:
- where we need to carry out our legal obligations and it is in line with our data protection policy
- where it is in line with our data protection policy, it is substantially in the public interest to do so and necessary for:
- performing our functions as a government department
- the prevention, investigation, detection or prosecution of criminal offences
- preventing or detecting unlawful acts
- where we have your explicit consent to do so — we do not require your explicit consent in some circumstances
Read the HMRC appropriate policy document to find out how HMRC processes particularly sensitive personal information.
Information about criminal convictions
We’ll only collect or use information relating to criminal convictions or alleged criminal behaviour where the law allows us to do so. This can arise when it is necessary for us to carry out our official functions, where it is appropriate and where we are legally able to do so.
Read the HMRC appropriate policy document to find out how HMRC processes information about criminal convictions.
Data sharing
We will, in some circumstances and where the law allows, share your data with third parties, including:
- third-party service providers
- other government departments
- public authorities and law enforcement agencies both in the UK and overseas
- EU institutions
- overseas tax and customs authorities
- debt collection agencies
- credit reference agencies
- banks
- other financial institutions
- accredited processors and researchers
We’ll also share your data with other persons with your consent when you authorise us to do so, such as your agent and your software providers. We expect third party software providers to respect the security of your data and to treat it in accordance with the law.
We will in some circumstances transfer your personal information outside the UK. If we do, we’ll seek to make sure a similar degree of protection in respect of your personal information.
When we may share your personal information with third parties
We’ll share your personal information with third parties where:
- required or allowed by law
- it is in the public interest to do so
- you authorise us to do so
- it is necessary for the performance of our functions as a government department or a function of the Crown, another government department or another public authority
This includes:
- the Department for Work and Pensions, for social security and child support purposes
- the Home Office, for immigration and customs purposes
- the Cabinet Office, for the Border Flow Service to analyse the flow of goods and people across the border
- the Office for National Statistics, for statistical purposes
- Local Authorities, for housing benefit, Council Tax and Business rates purposes
- the Security and Intelligence Services, for their functions
- the Department for Business and Trade, for National Minimum Wage and National Living Wage purposes
- the Department for Energy Security and Net Zero, for energy efficiency and support schemes
- Education and Skills Funding Agency for apprentice levy and Department for Education for policy development and evaluation of training or education
- the Student Loan Company, for collection of student loans
- Department for Business and Trade, including the UK Export Support Service and Trade Remedies Authority, in support of their trade purposes and activities
- public bodies in Scotland, Wales and Northern Ireland for relevant functions
- overseas tax authorities, for tax purposes
- Automatic Exchange of Information agreements between the UK and other countries to help stop tax evasion
- overseas customs authorities, for customs purposes
- the courts, on production of a valid court order, and tribunals
- your agent or legal representative
- UK and EU institutions, such as the obligation to share information received from parcel carriers pursuant to the terms of the EU-UK Withdrawal Agreement
- HM Courts and Tribunal Service, the Scottish Courts and Tribunals Service and Northern Ireland Courts and Tribunal Service, for help with fees, applications and debt recovery purposes, including fraud prevention and detection
- Legal Aid Agency for legal aid application and assurance purposes
- COVID-19 schemes — HMRC may need to share your personal information with other government departments
- sharing personal data under the public service delivery, debt and fraud powers set out in the Digital Economy Act 2017, including publishing associated documentation under the Statutory Code of Practice
Personal data shared with third parties may be onwardly disclosed to other third parties for specific purposes where there is a lawful basis and subject to HMRCs authority. For example, DWP may disclose information obtained from HMRC to Local Authorities for certain social security, welfare and council tax purposes.
We’ll share your personal information with the police and other law enforcement agencies where it’s necessary to do so for the prevention, investigation, detection or prosecution of criminal offences, and trading standards and other regulatory authorities when it is necessary for the purposes of their regulatory functions.
This will, in some circumstances, involve sharing special categories of personal data and, where relevant, data about criminal convictions or allegations.
We’ll also share your personal information for research purposes with processors of data who will ‘deidentify’ the data before making it available to a researcher in a secure processing environment to undertake a project.
The processors, researchers, secure processing environment and project are accredited by the UK Statistics Authority. Find out more about the Research Accreditation Panel on the UK Statistics Authority website.
We’ll also share your non-financial VAT registration information with credit reference agencies and financial institutions to promote economic growth through improved credit scoring.
Further information about who HMRC and Valuation Office Agency shares information with and in what circumstances can be found in our Information Disclosure Guide.
Use of third-party service providers
We use or work with contractors and other third-party service providers who will process personal data on our behalf.
Those third parties are usually our data processors and can only process your personal data on our instructions or with our agreement.
Transfer of information outside the UK
HMRC is the UK’s tax and customs authority. When relevant and necessary we’ll transfer the personal information we collect about you outside the UK for those purposes, to act in accordance with international treaties and agreements, and for law enforcement purposes.
When we do so we’ll make sure that we’ll meet our obligations under the UK GDPR and DPA 2018.
Personal data which we make publicly available
HMRC publishes personal data for the following reasons:
- it is a proportionate measure
- it supports our functions
- it is a legal requirement
- for the prevention and detection of crime
HMRC also allows certain categories of personal data to be searchable on public registers. These publicly available registers contain public and personal data. They include:
- VAT Registration data and VIES VAT number validation on the European Commission website for Northern Ireland businesses
- businesses and sites registered for Aggregates Levy
- details of deliberate tax defaulters
- named tax avoidance schemes, promoters, enablers and suppliers
- claimants under the Coronavirus Job Retention Scheme
The Valuation Office Agency will also publish details of domestic or business properties when there is a legal requirement to make this information accessible to any member of the public.
Annual reports are published for purposes of transparency. They contain personal information about:
- HMRC and Valuation Office Agency Executive Committee members remuneration and pension benefits
- non-executive board members remuneration
Find more information about the HMRC publication scheme.
Data security
We have put in place measures to protect the security of your information.
Our third-party service providers will only process your personal information on our instructions or with our agreement, and where they have agreed to treat the information confidentially and to keep it secure.
We treat the security of your data very seriously. We have strict security standards, and all our staff and other people who process personal data on our behalf get regular training about how to keep information safe.
We have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information we collect about you.
In addition, we limit access to your personal information to those persons, or agents who have a business or legal need to do so.
We have taken measures to make sure an adequate level of security for personal information processed via our website.
We have put in place procedures to deal with any suspected data security breach and will notify you and the regulator of a suspected breach where we are legally required to do so.
Data retention
How long we’ll use your information
We aim to retain your personal information for only as long as it is necessary for us to do so for the purposes for which we are using it and in line with our published records management and retention and disposal policy.
In some circumstances we’ll anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you.
Your responsibility to inform us of changes
It is important that the personal information we hold about you is accurate and current. You need to keep us informed if your personal contact information changes.
Data Protection information rights
Under certain circumstances, by law you have the right to:
- be provided information about the collection and use of your personal data
- request access to your personal information (commonly known as a subject access request) — this enables you to know what personal information we hold about you and to check that we are lawfully processing it — if you wish to do so you should follow HMRC’s subject access request guidance or Valuation Office Agency’s guidance
- request correction of the personal information that we hold about you — this enables you to ask HMRC to correct any incomplete or inaccurate information we hold about you
- request erasure of your personal information — this enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it — this does not apply where we are legally obliged to process your personal information or where the processing is necessary for performing our functions — you also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing
- object to processing of your personal information where you have grounds to object which relate to your particular situation, in which case we will stop processing the personal data unless we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms
- request the restriction of processing of your personal information — this enables you to ask us to suspend the processing of personal information about you, for example if you want to establish its accuracy or the reason for processing it
By law, we do not have to comply with the exercise of your rights where they are likely to prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of a tax or duty or an imposition of a similar nature.
We can also restrict those rights when we are conducting a criminal investigation and it is a necessary and proportionate measure to avoid obstructing an official or legal inquiry, investigation or procedure, or avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we are allowed under the law to charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we can refuse to comply with the request in such circumstances.
Automated decision-making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in any of the following circumstances:
-
where HMRC is authorised by law under our statutory powers — this includes where it is necessary and proportionate for the purposes of the assessment and collection of taxes or duties or determining benefits and credits — for instance, in some circumstances HMRC uses automated processing to generate penalties and changes to notices of coding
-
if it is necessary to enter into or perform a contract with you
-
in limited circumstances, with your explicit consent
If you are subject to an automated decision, we have appropriate measures in place to safeguard your rights. You will be notified in writing at the time, including the reasons for the decision and any associated consequences. You will have 30 days to request a reconsideration or a new decision not based solely on automated processing. Where appropriate you should provide additional information relevant to your circumstances and HMRC will inform you in writing of the reviewed decision.
If we make an automated decision based on any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.
What we need from you
As part of our security measures, we sometimes need to ask for specific personal information from you to help us confirm your identity and validate your right to access the information, or to exercise any of your rights.
You can continue to contact HMRC to change your address and personal details, or for other purposes relating to your specific concerns. You can also contact Valuation Office Agency.
Contact HMRC or make a complaint
Data protection Officer
HMRC has appointed Data Protection Officer (DPO), to oversee compliance with its data protection obligations.
You can read more about how the DPO handles your personal information in our Office of the Data Protection Officer Privacy Notice.
Complain to HMRC
If you want to complain about how HMRC has handled your personal information, you should follow the HMRC complaint process.
You need to state the business area relating to your complaint. The complaint will enter a process for formal consideration and assessment.
If you consider that the data protection matters have not been fully resolved by HMRC’s complaints process, you can ask the Office of the Data Protection Office to review your concerns. Email them at: advice.dpa@hmrc.gov.uk. You can also use one of the postal addresses published at make a complaint about HMRC, and mark it for the attention of the Data Protection Officer.
If you’re not happy with HMRC’s resolution to the complaint you can submit your complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
You can contact the Information Commissioner on the Information Commissioner’s website, which has more information about data protection and your rights.
If you have any questions about this privacy notice or how HMRC handles your personal information, email the Data Protection Officer at: advice.dpa@hmrc.gov.uk.
Changes to the privacy notice
We keep our privacy notices under regular review. If there are any changes we will update this page to tell you, for example, about any new uses of personal data.
Check this page to make sure you are aware of what information we collect, how we use it and the circumstances we may share it with other organisations.
From time to time, we may also tell you in other ways about the processing of your personal data.