Guidance

HMRC appropriate Policy document

Updated 7 June 2019

© Crown copyright 2019

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/hmrc-appropriate-policy-document/hmrc-appropriate-policy-document

1. Scope

This policy has been developed for HMRC to meet the requirement in the Data Protection Act (DPA) 2018 for an appropriate policy document which details the lawful basis and conditions for processing and safeguards we have put in place when we process special category data, criminal offence data, and sensitive data for law enforcement purposes.

This policy covers:

  • substantial public interest processing for HMRC’s statutory and corporate functions
  • employment, social security and social protection law for certain benefits and credits functions and processing for HR purposes
  • processing for archiving, research and statistical purposes
  • law enforcement processing

2. Definition of special category, sensitive and criminal offence data

Special category data (defined by Article 9 of the UK General Data Protection Regulation (UK GDPR)) and sensitive data (defined by section 35 of the DPA 2018) is personal data which reveals:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data for the purpose of uniquely identifying a natural person
  • data concerning health
  • data concerning a natural person’s sex life or sexual orientation

Article 10 UK GDPR applies to the processing of personal data relating to criminal convictions and offences or related security measures.

Section 11(2) of the DPA 2018 provides that criminal offence data includes data which relates to the alleged commission of offences and related proceedings and sentencing. Information about victims and witnesses of crime is also included in the scope of data relating to criminal convictions and offences.

3. Lawful basis for Processing

HMRC is a statutory body with statutory functions and a statutory duty of confidentiality which are set out in the Commissioners for Revenue and Customs Act 2005. As part of HMRC’s statutory and corporate functions, we process special category and criminal offence data under:

  • Article 6(a) of the UK GDPR (the data subject has given consent to the processing of his or her personal data for one or more specific purposes)
  • Article 6(b) of the UK GDPR (processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract)
  • Article 6(c) of the UK GDPR (processing is necessary for compliance with a legal obligation to which HMRC is subject)
  • Article 6(e) of the UK GDPR (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in HMRC)

HMRC processes sensitive data when it is necessary for law enforcement purposes under section 35 of the DPA 2018.

The HMRC Privacy Notice has more information about HMRC’s data protection policy and procedures, including the kind of information we hold and what it is used for.

4. Conditions for processing special category data and criminal offence data

HMRC processes special category data under the following paragraphs of Article 9 of the UK GDPR:

  • paragraph 2(a) (the data subject has given explicit consent to the processing of those personal data for one or more specified purposes (e.g. for biometric voice authentication))
  • paragraph 2(b) (processing is necessary for the purposes of carrying out the obligations and exercising specific rights of HMRC or the data subject in the field of employment and social security and social protection law)
  • paragraph 2(g) (processing is necessary for reasons of substantial public interest)
  • paragraph 2(j) (processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1))

Article 10 of the UK GDPR permits processing of personal data relating to criminal convictions and offences under the control of official authority. It follows that HMRC may process criminal offence data under Article 10 of the UK GDPR when it is exercising official authority that enables it to do so. When processing is for HMRC statutory functions within the meaning set out in section 8 of the DPA 2018, including corporate functions, HMRC must meet one of the conditions in schedule 1 of the DPA 2018. HMRC may process criminal offence data under any of the schedule 1 conditions listed in this document with the exception of paragraph 8 (information in section 5 of this document), which is only applicable to special category data. HMRC may further process criminal offence data when the additional processing conditions relating to criminal offence data are met under DPA 2018, part 3 of schedule 1:

  • paragraph 32 (personal data in the public domain)
  • paragraph 33 (legal claims)
  • paragraph 36 (substantial public interest)

The above does not apply to law enforcement processing which is covered by section 8 of this policy.

5. Substantial public interest

Section 10(3) of the DPA 2018 sets out that in order for processing of special categories of personal data and criminal offence data to be necessary for reasons of substantial public interest under Article 9(2)(g) of the UK GDPR, that processing must meet one of the conditions set out in Part 2 of Schedule 1.

HMRC processes special category and criminal offence data in the performance of its statutory and corporate functions when the following conditions set out in the following paragraphs of Part 2 of Schedule 1 to the DPA 2018 are met:

  • paragraph 6 (Statutory etc and government purposes)
  • paragraph 8 (Equality of opportunity or treatment)
  • paragraph 10 (Preventing or detecting unlawful acts)
  • paragraph 12 (Regulatory requirements relating to unlawful acts and dishonesty etc)
  • paragraph 24 (Disclosure to elected representatives)

These conditions apply to HMRC’s statutory and corporate functions. All processing is for the first listed purpose and might also be for others, depending on the context.

Paragraph 36 of Schedule 1 removes the requirement for the processing of criminal offence data for the above purposes to be in the ‘substantial’ public interest.

6. Employment, social security and social protection law

Section 10(2) of the DPA 2018 sets out that in order for processing of special categories of personal data to be necessary for the purposes of carrying out the obligations and exercising specific rights of HMRC or of the data subject in the field of employment, social security and social protection law under Article 9(2)(b) of the UK GDPR, that processing must meet one of the conditions set out in Part 1 of Schedule 1.

HMRC processes special category data for HR purposes when the condition set out in paragraph 1 of Part 1 of Schedule 1 to the DPA 2018 is met. This condition may apply to HMRC’s benefits and credits functions and to processing for HR purposes.

7. Archiving purposes in the public interest

Under Article 9(2)(j) of the UK GDPR, HMRC may process special category data where it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on UK and EU or EU member state law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject. We may also process criminal offence data for these purposes under the DPA 2018.

Under section 10(2) of the DPA 2018, HMRC may process special category data and criminal offence data for the purposes of archiving, research and statistics when a condition of Part 1 of Schedule 1 to the DPA 2018 is met.

8. Law enforcement processing

Section 31 of the DPA 2018 defines the law enforcement purposes as the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. HMRC is listed as a competent authority for the purposes of law enforcement in paragraph 1 of Schedule 7 to the DPA 2018 and does not rely on the consent of the data subject to process sensitive data.

Section 35(5) of the DPA 2018 sets out that where processing sensitive data is strictly required for law enforcement purposes, HMRC must meet at least one of the conditions in Schedule 8. HMRC processes sensitive data for the law enforcement purposes when the conditions set out in the following paragraphs of Schedule 8 to the DPA 2018 are met:

  • paragraph 1 (Statutory etc purposes)
  • paragraph 3 (Protecting individual’s vital interests)
  • paragraph 5 (Personal data already in the public domain)
  • paragraph 6 (Legal claims)
  • paragraph 8 (Preventing fraud)
  • paragraph 9 (Archiving etc)

All processing is for the first listed purpose and might also be for others dependent on the context.

9. HMRCs compliance with the data protection principles

In accordance with the accountability principle, HMRC maintains records of processing activities under Article 30 of the UK GDPR and section 61 of the DPA 2018. We carry out data protection impact assessments where appropriate in accordance with Articles 35 and 36 of the UK GDPR and section 64 of the DPA 2018 for law enforcement processing to ensure data protection by design and default.

HMRC follows the data protection principles set out in Article 5 of the UK GDPR, and Part 3, Chapter 2 of the DPA 2018 for law enforcement processing, as follows:

9.1 Lawfulness, fairness and transparency

We are the UK’s tax administration. We make sure that the money is available to fund the UK’s public services and we also help families and individuals with targeted financial support.

Sections 5 to 9 of the Commissioners for Revenue and Customs Act 2005 sets out HMRC’s functions.

Sections 17 to 22 of that Act sets out the way in which HMRC may use the information it holds. We provide clear, transparent information to all those who provide personal data to us in the HMRC Personal Information Charter and the HMRC Privacy Notice. We publish an internal Staff Data Privacy Notice.

9.2 Purpose limitation

HMRC does not process personal data for purposes that are incompatible with the purposes for which it is collected. When we process personal data to fulfil our statutory functions, we do so in accordance with section 17(1) of the Commissioners for Revenue and Customs Act 2005, which sets out that information acquired by HMRC in connection with a function may be used in connection with any other function.

When we share special category data, sensitive data or criminal offence data with another controller, processor or jurisdiction, we will ensure that the data transfers are compliant with relevant laws and regulations and use appropriate international treaties, data sharing agreements and contracts.

9.3 Data minimisation

We collect personal data that is adequate, relevant and limited to the relevant purposes for which it is processed. We ensure that the information we process is necessary for and proportionate to our purposes.

9.4 Accuracy

Personal data shall be accurate and, where necessary, kept up to date. Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay.

9.5 Storage limitation

HMRC retains special category data, criminal offence data and sensitive data for law enforcement processing in accordance with the HMRC Records Management, retention and disposal policy, published on GOV.UK. These categories of personal data may be retained for longer than HMRC’s default standard retention period if required by statutory, regulatory, legal or security reasons.

9.6 Integrity and confidentiality

We have put in place appropriate technical, physical and managerial procedures to safeguard and secure the information we collect about individuals. We have strict security standards, and all our staff and other people who process personal data on our behalf get regular training about how to keep information safe. We limit access to your personal information to those employees, or third parties who have a business or legal need to access it.

Third parties or contractors that HMRC engages will only process your personal information on our instructions or with our agreement, and where they do so they have agreed to treat the information confidentially and to keep it secure. We will also disclose personal data to an agent if we receive the consent of the individual to whom the data concerns.

10. Policy review statement

This policy will be periodically reviewed and updated.

Back to top