Confidentiality and disclosure of information by HM Revenue and Customs (HMRC): policy and legal framework
Updated 8 April 2024
© Crown copyright 2024
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/hmrc-datalab/confidentiality-and-disclosure-of-information-by-hm-revenue-and-customs-hmrc-policy-and-legal-framework
This document was published on 11 March 2019.
Commissioners for Revenue and Customs Act, 2005
HMRC is a statutory body with statutory functions and a statutory duty of confidentiality which are set out in legislation in the Commissioners for Revenue and Customs Act, (CRCA) 2005. It is the UK’s tax, payments and customs authority and its core purpose is to:
- collect the money to fund the UK’s public services
- help families and individuals with targeted financial support and
- through its customs service facilitate legitimate trade and protect the UK’s economic, social and physical security
The duty of confidentiality prohibits HMRC officials (and those acting on behalf of the Commissioners) from disclosing information held by HMRC in connection with its functions. This prohibition applies to all information held by HMRC in connection with its functions and reflects the importance placed on ‘taxpayer confidentiality’ by Parliament when the Department was created. The effective functioning of the Department was felt to depend critically on its customers being able to trust that the information held on them would be appropriately protected and would be disclosed only in controlled, limited circumstances.
There is additional protection for information that relates to an individual or legal entity whose identity is specified in the disclosure or can be deduced from it (‘identifying information’) in the form of a criminal sanction for wrongful disclosure.
Information Gateways
HMRC will only share information with third parties in specified circumstances where it is legally allowed to do so. The main exceptions (‘gateways’) set out in the CRCA are:
- with the consent of the taxpayer to disclose their confidential tax information
- for the purposes of carrying out HMRC’s functions
- in accordance with a statutory gateway (‘legal gateway’)
- in the public interest (in limited circumstances) and
- by order of the Court
Legal Gateways
HMRC shares information with a large number of third parties, including government departments, agencies, devolved governments and other public authorities through over 250 information gateways. The terms of each information gateway are specific to the type of information that can be disclosed and the purpose for which the information will be used.
For instance the information gateways in the Digital Economy Act 2017 provide HMRC with the discretion to disclose:
- non-identifying information in the public interest, including for purposes not related to specific HMRC functions and use
- de-identified (de-personalised) data to support accredited researchers to access and link data in secure facilities for the purpose of carrying out research for public benefit.
Functions Gateway
HMRC has the discretion to disclose information for the purposes of its functions and where this does not contravene any restriction imposed by the Commissioners. Any disclosure must be exercised in a way that is consistent with the common law duty of confidentiality and there must be a clear link between a disclosure and the HMRC function it serves.
The more remote the function from HMRC’s core purposes or benefit to HMRC of disclosure, the greater the need to justify the disclosure and explain the link to HMRC’s functions.
Asserting a disclosure will support HMRC’s functions in a generic way is not sufficient and if disclosure brings only broader benefits which do not impact on a function of HMRC, then the disclosure is not permitted.
HMRC discloses information to private sector organisations almost exclusively on the basis that they are ‘working on HMRC’s behalf’ and therefore unable to use the data for their own purposes.
HMRC’s functions
HMRC’s initial functions are set out in the CRCA and include:
- the collection and management of all revenue, national insurance and tax credit functions and
- anything necessary, expedient, incidental or conducive to those functions (collectively described as ancillary functions)
HMRC also has functions in areas such as child benefit, statutory maternity pay, statutory paternity pay, adoption pay, national minimum wage, import and export declaration systems and the collection and enforcement of taxes payable at the border.
Ancillary functions
Examples of HMRC’s ancillary functions include promoting publicity about the tax system, establishing advisory bodies, employment of its staff, entering into agreements and acquiring and disposing of property.
Disclosure for an ancillary function is permitted where there is a sufficiently close connection between the purpose for which the disclosure is made and a core HMRC function.
It is also possible to share information with a third party as part of an initiative that serves both HMRC’s purposes and those of the third party. It is on this basis that we have been
able to share de-identified information with researchers and academics to produce high quality analysis that benefits both HMRC and the wider research community.
Read more about HMRC’s functions and services.
Data Protection and Human Rights Act
HMRC must comply with general law principles when considering any disclosure and be compliant with the General Data Protection Regulation (GDPR), Data Protection Act 2018 and the Human Rights Act 1998 when disclosing information. In particular, any disclosure of information must be proportionate, relevant and limited to what is necessary to achieve its purpose.
CRCA and the Freedom of Information Act (FOIA)
A disclosure by HMRC in compliance with FOIA is a lawful disclosure under CRCA but information relating to identifiable individuals or legal entities is exempt from disclosure under FOIA.
CRCA and transparency
HMRC is committed to being as transparent as possible while complying with its statutory duty of confidentiality. It is part of HMRC’s functions to publish information that promotes public understanding of its work and increases accountability and public confidence.
Public authorities also have a duty under the FOIA to maintain a ‘publication scheme’ that includes information on their priorities, policies and procedures. HMRC publishes information on its performance and activities on GOV.UK and on www.data.gov.uk, the single online portal for central and local data.
All information releases take into account HMRC’s obligation to collect the taxes for which it is responsible and the impact that publication will have on tax collection, including the need to protect sensitive and personal information provided by individual taxpayers in order to encourage openness and promote voluntary compliance.