© Crown copyright 2021
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: firstname.lastname@example.org.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/data-protection-act-dpa-information-hm-revenue-and-customs-hold-about-you/data-protection-act-dpa-information-hm-revenue-and-customs-hold-about-you
The purpose of this document
HMRC is committed to protecting the privacy and security of your personal information. This privacy notice describes how we collect and use personal information about you in accordance with data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act (DPA) 2018.
We have a separate privacy notice which describes how we collect and use personal information about our staff in relation to their employment.
HMRC is a data controller. This means that we are responsible for deciding how we hold and use personal information about you. HMRC is also the data controller for the Valuation Office Agency (VOA), which includes Rent Officers as well as the Adjudicator’s Office.
In certain circumstances, when HMRC delivers services in partnership with another public authority, HMRC will be a joint data controller with that public authority.
We are required under data protection legislation to notify you of the information contained in this privacy notice.
It is important that you read this notice, together with any other privacy notice that is provided on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using your information.
HMRC is a statutory body with statutory functions and a statutory duty of confidentiality which are set out in legislation in the Commissioners for Revenue and Customs Act 2005. HMRC will only share your information with third parties where we are legally allowed to do so.
Data protection principles
We’ll comply with data protection law. This says that the personal information we hold about you must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and kept up to date.
- Kept in a form that identifies you for only as long as necessary for the purposes we have told you about.
Coronavirus (COVID-19) and your personal information
The government has put in place a range of extra support and measures to help individuals and businesses affected by coronavirus.
HMRC are responsible for implementing many of these measures which may involve changes to the way that your personal information is processed by HMRC or your employer. HMRC may also be required to share your personal information with other government departments in order to help the government provide targeted support to individuals and businesses.
While some of these measures were carried out quickly due to the evolving nature of the situation, HMRC will always take appropriate account of the requirement to meet its data protection obligations, as set out in this Privacy Notice.
The Information Commissioner’s Office has published advice for individuals about how and when organisations can use your data during the coronavirus pandemic and how to keep your data safe in the Data protection and coronavirus information hub area of its website.
If you have any concerns about how HMRC is handling your personal information, you can email HMRC’s Data Protection Officer at: email@example.com.
The kind of information we hold about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are special categories of more sensitive personal data which require a higher level of protection.
We process data about:
- members of the public
- customers and clients
- suppliers and service providers
- advisers, consultants and other professional experts
- complainants and enquirers
- agents and representatives
- relatives, children, guardians, dependents and associates
- offenders and suspected offenders
We collect, store and use certain categories of personal information about you, such as:
- personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
- marital status and dependents
- National Insurance number
- bank account details
- information about your income
- information about your employment
- information about your business activities
- information about your domestic and business properties
- passport and driving licence information
We’ll also collect, store and use certain special categories of more sensitive personal information such as:
- biometric data, such as voice recognition data
- information about criminal convictions, allegations and offences, where relevant in relation to our functions
How your personal information is collected
We collect personal information directly from you in circumstances such as:
- when you submit your Income Tax and other tax returns
- when you register with HMRC for VAT or other purposes
- when you claim tax credits or Child Benefit
- when you register for one of HMRC’s services
- when we enable you to access HMRC and other government services
- when you contact VOA about rating lists, valuation lists and valuation of property
- when you contact Rent Officers for the provision of valuations and other advice for Housing Benefit and Fair Rents
- when you apply for Tax-Free Childcare
- whenever you contact us
We’ll also collect your personal information directly from third parties such as:
- your employer when they provide us with your information for Income Tax and National Insurance purposes
- other government departments and public authorities
- credit reference agencies
- banks and other financial institutions
- publicly available sources
- other people you do business with
- your agent or representative
- overseas tax authorities, where relevant and necessary
How we use your information
We’ll only use your personal information when the law allows us to. Most commonly, we’ll use your personal information where:
- we need to comply with a legal obligation
- it’s necessary for the performance of a task carried out in the public interest or in the exercise of our official authority as a government department
- it’s necessary for the purposes of the prevention, investigation, detection or prosecution of criminal offences
In limited circumstances we’ll ask you for your consent to use your personal information, but your consent is not required if any laws require the information.
Situations in which we’ll use your personal information
We need all the categories of information to enable us to comply with legal obligations and carry out our functions as a government department.
However, we’ll only collect and use your personal data when it is necessary to do so for the purposes of one or more of our functions.
We’ll process your personal information when carrying out HMRC’s responsibilities in relation to:
- Income Tax
- Corporation Tax
- Capital Gains Tax
- Inheritance Tax
- Insurance Premium Tax
- Petroleum Revenue Tax
- environmental taxes
- land taxes
- stamp taxes
- Climate Change Levy
- Aggregates Levy
- Landfill Tax
- VAT, including import VAT
- Customs Duty
- excise duties
- Trade Statistics
- National Insurance contributions
- tax credits
- Child Benefit
- enforcement of the National Minimum Wage
- recovery of student loan repayments
- Gift Aid
- Tax-Free Childcare and 30 hours free childcare
- Coronavirus Job Retention Scheme
- Self-Employment Income Support Scheme
We’ll process your personal data when carrying out VOA’s responsibilities in relation to:
- rating and valuation lists for England and Wales
- valuation of property in England, Wales and Scotland, including for the purposes of taxes administered by HMRC and the provision of statutory and non-statutory property valuation services
- providing valuations and other advice for Housing Benefit and fair rents
We’ll also process your personal data in the following circumstances:
- when carrying out any of our lawful functions
- to check the data we hold about you is accurate and up to date
- to compare it against other information to help combat fraud and crime
- to check any entitlements or benefits that you may have
- to help us confirm your identity when you contact us or access our services
- to provide and improve services to you so that you can manage your tax and benefits
- to produce statistics
- to conduct research which benefits our functions
- to contact you in relation to our functions and activities
- to enable you to access our services and other government services
Read more about:
- HMRC’s functions and services
- VOA’s functions and activities
- the research which benefits our functions
In order to protect your data and our services HMRC operates transaction monitoring capabilities. This records how you connect to our systems, and what you do whilst you are on them. Read more information in our Transaction Monitoring Privacy Notice.
If you fail to provide personal information
If you fail to provide certain information when legally required to do so, you may be subject to penalties. We’ll tell you when you are legally obliged to provide information and the consequences of not doing so.
Change of purpose
When we obtain information for one of our functions under the Commissioners for Revenue and Customs Act 2005, we may use that information for our other functions.
We’ll therefore use your personal information for any of the purposes set out and if we reasonably consider that we need to do so.
How we use particularly sensitive personal information
Special categories of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.
We will, if necessary, process special categories of personal information in the following circumstances:
- where we need to carry out our legal obligations and it is in line with our data protection policy
- where it is in line with our data protection policy, it is substantially in the public interest to do so and necessary for:
  - performing our functions as a government department
  - the prevention, investigation, detection or prosecution of criminal offences
  - preventing or detecting unlawful acts
- where we have your explicit consent to do so - we do not require your explicit consent in some circumstances
Read the HMRC appropriate policy document to find out how HMRC processes particularly sensitive personal information.
Information about criminal convictions
We’ll only use information relating to criminal convictions or alleged criminal behaviour where the law allows us to do so. This can arise when it is necessary for us to carry out our official functions.
We’ll only collect information about criminal convictions or allegations of criminal behaviour where it is appropriate and where we are legally able to do so.
We’re allowed to use your personal information in this way where it is in line with our data protection policy.
Read the HMRC appropriate policy document to find out how HMRC processes information about criminal convictions.
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:
- where we have notified you of the decision and given you 30 days to request a reconsideration or a new decision not based solely on automated processing
- in limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights
If we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.
You’ll not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we notify you.
We will, in some circumstances and where the law allows, share your data with third parties, including:
- third-party service providers
- other government departments
- public authorities and law enforcement agencies both in the UK and overseas
- overseas tax and customs authorities
- debt collection agencies
- credit reference agencies
- other financial institutions
- accredited processors and researchers
We’ll also share your data with other persons with your consent when you authorise us to do so, such as your agent and your software providers. We require third parties to respect the security of your data and to treat it in accordance with the law.
We will in some circumstances transfer your personal information outside the UK. If we do, we’ll seek to make sure there is a similar degree of protection in respect of your personal information.
When we may share your personal information with third parties
We’ll share your personal information with third parties where:
- required or allowed by law
- it is in the public interest to do so
- you authorise us to do so
- it is necessary for the performance of our functions as a government department or a function of the Crown, another government department or another public authority
- the Department of Work and Pensions, for social security and child support purposes
- the Home Office, for immigration and customs purposes
- the Cabinet Office, for the Border Flow Service to analyse the flow of goods and people across the border
- the Office for National Statistics, for statistical purposes
- Local Authorities, for housing benefit, Council Tax and Business rates purposes
- the Security and Intelligence Services, for their functions
- the Department for Business, Energy & Industrial Strategy, for National Minimum Wage and National Living Wage purposes
- the Student Loan Company, for collection of student loans
- public bodies in Scotland, Wales and Northern Ireland for relevant functions
- overseas tax authorities, for tax purposes
- Automatic Exchange of Information agreements between the UK and other countries to help stop tax evasion
- overseas customs authorities, for customs purposes
- the courts, on production of a valid court order, and tribunals
- your agent or legal representative
- UK and EU institutions
- HM Courts and Tribunal Service, and Northern Ireland Courts and Tribunal Service, for help with fees, applications and debt recovery purposes, including fraud prevention and detection
- Legal Aid Agency for legal aid application and assurance purposes
Personal data shared with third parties may be onwardly disclosed to other third parties for specific purposes where there is a lawful basis and subject to HMRC’s authority. For example, DWP may disclose information obtained from HMRC to Local Authorities for certain social security, welfare and council tax purposes.
We’ll share your personal information with the police and other law enforcement agencies where it’s necessary to do so for the prevention, investigation, detection or prosecution of criminal offences, and trading standards and other regulatory authorities when it is necessary for the purposes of their regulatory functions.
This will, in some circumstances, involve sharing special categories of personal data and, where relevant, data about criminal convictions or allegations.
We’ll also share your personal information for research purposes with processors of data who will ‘deidentify’ the data before making it available to a researcher in a secure processing environment to undertake a project.
The processors, researchers, secure processing environment and project will be accredited by the UK Statistics Authority.
We’ll also share your non-financial VAT registration information with credit reference agencies and financial institutions to promote economic growth through improved credit scoring.
Further information about who HMRC and VOA shares information with and in what circumstances can be found in our Information Disclosure Guide.
Use of third-party service providers
We use or work with contractors and other third-party service providers who will process personal data on our behalf.
Those third parties are usually our data processors and can only process your personal data on our instructions or with our agreement.
The security of your data with third-party service providers
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies.
We do not allow our third-party service providers to use your personal data for their own or other purposes.
We only permit them to process your personal data for specified purposes and in accordance with our instructions or with our agreement.
Transfer of information outside the UK
HMRC is the UK’s tax and customs authority. When relevant and necessary we’ll transfer the personal information we collect about you outside the UK for those purposes and other law enforcement purposes.
When we do so, we’ll make sure that we meet our obligations under the UK GDPR and DPA 2018.
Personal data which we make publicly available
HMRC publishes personal data for the following reasons:
- it is a proportionate measure
- it supports our functions
- it is a legal requirement
- for the prevention and detection of crime
HMRC also allows certain categories of personal data to be searchable on public registers. These publicly available registers contain public and personal data. They include:
- VAT Registration data and VIES VAT number validation for Northern Ireland businesses
- businesses and sites registered for Aggregates Levy
- details of deliberate tax defaulters
- claimants under the Coronavirus job retention scheme
The VOA will also publish details of domestic or business properties when there is a legal requirement to make this information accessible to any member of the public.
Annual reports are published for purposes of transparency. They contain personal information about:
- HMRC and VOA Executive Committee members’ remuneration and pension benefits
- non-executive board members’ remuneration
Find more information about the HMRC publication scheme.
We have put in place measures to protect the security of your information.
Our third-party service providers will only process your personal information on our instructions or with our agreement, and where they have agreed to treat the information confidentially and to keep it secure.
We treat the security of your data very seriously. We have strict security standards, and all our staff and other people who process personal data on our behalf get regular training about how to keep information safe.
We have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information we collect about you.
In addition, we limit access to your personal information to those persons, or agents who have a business or legal need to do so.
We have taken measures to make sure there is an adequate level of security for personal information processed via our website.
We have put in place procedures to deal with any suspected data security breach and will notify you and the regulator of a suspected breach where we are legally required to do so.
How long we’ll use your information
We aim to retain your personal information for only as long as it is necessary for us to do so for the purposes for which we are using it and in line with our published records management and retention and disposal policy.
In some circumstances we’ll anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notice to you.
Rights of access, correction, erasure, and restriction
You have a number of rights in relation to the processing of your personal information by HMRC.
Your responsibility to inform us of changes
It is important that the personal information we hold about you is accurate and current. You need to keep us informed if your personal contact information changes.
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
- request access to your personal information (commonly known as a subject access request) - this enables you to know what personal information we hold about you and to check that we are lawfully processing it. If you wish to do so you should follow HMRC’s subject access request guidance or VOA’s guidance
- request correction of the personal information that we hold about you - this enables you to have any incomplete or inaccurate information we hold about you corrected
- request erasure of your personal information - this enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. This does not apply where we are legally obliged to process your personal information or where the processing is necessary for performing our functions. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing
- object to processing of your personal information where you have grounds to object which relate to your particular situation, in which case we will stop processing the personal data unless we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms
- request the restriction of processing of your personal information - this enables you to ask us to suspend the processing of personal information about you, for example if you want to establish its accuracy or the reason for processing it
We do not have to comply with your requests to the extent that they are likely to prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of a tax or duty or an imposition of a similar nature.
We can also restrict those rights when we are conducting a criminal investigation and it is a necessary and proportionate measure to avoid obstructing an official or legal inquiry, investigation or procedure, or avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties.
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we are allowed under the law to charge a reasonable fee if your request for access is manifestly unfounded or excessive.
Alternatively, we can refuse to comply with the request in such circumstances.
What we need from you
We sometimes need to request specific information from you to help us confirm your identity and make sure of your right to access the information (or to exercise any of your other rights).
This is another appropriate security measure to make sure that your personal information is not disclosed to any person who has no right to receive it.
When HMRC will respond to a request
We’ll act upon the request without undue delay and at the latest within one month of receipt. We may extend the time to respond by a further 2 months if the request is complex or we have received a number of requests from the same person.
However, in those circumstances we will let you know without undue delay and within one month of receiving your request and explain why the extension is necessary.
If you wish to exercise your rights in connection with personal information, other than to make a subject access request, you should contact HMRC’s Data Protection Officer.
Right to withdraw consent
We usually process personal data because we are required to do so by law, because it’s necessary for the purposes of our functions as a government department.
In the limited circumstances where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.
We’ll have told you how to withdraw your consent when you provided it and you should follow that process. If not, contact HMRC’s Data Protection Officer specifying how and when you provided your consent, and for what purpose.
Once we’ve received notification that you have withdrawn your consent, we’ll no longer process your information for the purpose or purposes you originally agreed to, unless we have another legal basis for doing so in law.
Contact HMRC or make a complaint
HMRC has appointed a Data Protection Officer (DPO), Nicholas de Lacy-Brown, to oversee compliance with its data protection obligations.
If you have any questions about this privacy notice or how HMRC handles your personal information, email the DPO at: firstname.lastname@example.org.
You can read more about how the DPO handles your personal information in our Office of the Data Protection Officer Privacy Notice.
You should follow the existing complaints process if you want to complain about HMRC.
You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
Contact the ICO
You can contact the Information Commissioner on the Information Commissioner’s website.
The Information Commissioner’s website has more information about data protection and your rights.
Changes to the privacy notice
We keep our privacy notices under regular review. If there are any changes we will update this page to tell you, for example, about any new uses of personal data.
Check this page to make sure you are aware of what information we collect, how we use it and the circumstances in which we may share it with other organisations.
From time to time, we may also tell you in other ways about the processing of your personal data.
This privacy notice was last updated on 10 May 2021.