Transparency data

Memorandum of understanding: For the purposes of reducing debt from unpaid Criminal Financial Penalties

Published 19 March 2026

Applies to Scotland

This Memorandum of Understanding (MoU) between HM Revenue and Customs (HMRC) and Scottish Courts and Tribunal Services (SCTS) was agreed and put in place in 2025.

1. Introduction

This MoU sets out the information sharing arrangement between the aforementioned participants. For the context of this MoU ‘information’ is defined as a collective set of data or facts that when shared between the participants through this MoU will support the participants in delivering the purpose of the data sharing activity described in section 2 below.

Information will only be exchanged where it is lawful to do so. The relevant legal bases are detailed within this agreement. It should be noted that ‘exchange’ covers all transfers of information between the participants, including where 1 participant has direct access to information or systems in the other.

This MoU is not intended to be legally binding. It documents the respective roles, processes, procedures, and agreements reached between HMRC and the participants. This MoU should not be interpreted as removing, or reducing, existing legal obligations or responsibilities of each participant, for example as controllers under the UK General Data Protection Regulations (UK GDPR).

2. Purpose and benefits of the data sharing agreement

2.1 Purpose of the data share

Scottish Courts and Tribunal Service (SCTS) Fines Enforcement Officers (FEOs) perform a statutory law enforcement role in executing criminal financial penalties by providing information and advice to fine payers or by applying administrative sanctions to secure compliance. 

FEOs often have to rely on limited or out of date information which prevents them in carrying out their statutory functions, meaning that they are:

• unable to proactively contact fine payers to provide support and advice
• unable to deploy administrative sanctions to secure compliance where default or non-engagement continues
• have no option but to take enforcement action that could have been avoided if engagement had been secured

A pilot was previously conducted between HMRC and SCTS between December 2022 to December 2023 to analyse the effectiveness of data sharing for SCTS to obtain up to date contact information as well as Pay As You Earn (PAYE) and Self-Assessment (SA) data from HMRC to assist in establishing contact with fine payers and the collection of outstanding debt.

This business-as-usual data share commenced in December 2024.  Analysis of the first 4 monthly data shares between HMRC and SCTS made between December 2024 and April 2025 (as at 4th September 2025) shows the continuing value of the data share as outlined below

• 3,299 individuals owing almost £1.5 million were successfully matched
• 793 individuals have paid over £325,000
• 56 individuals with outstanding debt totalling £35,000 had their liability to pay a fine discharged by the court
• 447 individuals with outstanding debt totalling £260,000 now have their fines back on track to be paid
• 1,254 individuals with debt totalling over £550,000 are the subject of ongoing enforcement action

HMRC considers that the disclosure of information to SCTS is necessary and proportionate to assist with their collection and enforcement of unpaid fines. There is no function for HMRC other than to support SCTS in performing their statutory law enforcement role.

An Application Programming Interface (API) is currently being developed for this data share, which is anticipated to be in place by December 2025, however this date could be subject to change. Once the API is in place this MoU will be reviewed in order to cease the data share. A new MoU will be developed for the API solution.

2.2 Aims of the data share

By receiving HMRC data this will enable SCTS to continue to reduce the amount of outstanding debt, which will allow the FEOs to:

• proactively engage with fine defaulters to offer them information and advice
• allow individuals to maintain responsibility for complying with any agreed payment plans
• apply sanctions to deal with wilful default, allowing criminal penalties to be collected on a timelier and more efficient basis

By receiving HMRC data this leaves a reduced number of individuals who may require to be cited or arrested to appear before the court for enquiry.

2.3 How will data being shared help achieve those aims?

HMRC is a non-ministerial department established by The Commissioners for Revenue and Customs Act 2005 (CRCA 2005). HMRC are the UK’s Tax, Payments and Customs Authority and through these functions HMRC collects the relevant data that is necessary to support SCTS in reducing the amount of debt owed to them.

2.4 Benefits of the data share

SCTS

• improved fine collections rates for SCTS
• reduction in debt to SCTS and the public purse
• reduced Experian tracing costs for SCTS
• consistency of approach to fines enforcement across all home nations
• reduced number of fines enquiry hearings and arrest warrants, meeting SCTS’s key policy objective of minimising Police and Court involvement in the fines process
• improved SCTS Efficiency in relation to sanctions deployed
• improved support for individuals having genuine difficulty in paying their fines

HMRC

There are no direct benefits to HMRC as a result of this share, other than to support SCTS achieve their objectives of collecting outstanding debt.

3. Data Protection Impact Assessment (DPIA)

Data Protection Impact Assessments have been completed by both participants in this agreement. The details of which are found below.

Organisation	DPIA Ref	Date registered	last review
HMRC	13622	23 January 2024	25 September 2025
SCTS	SCTSDPIA2022-009	05 August 2022	24 June 2025

4. Relationships under UK GDPR in relation to any personal data being exchanged under this agreement

4.1 HMRC

HMRC will be disclosing and receiving personal data under this agreement.

Where personal data is being disclosed under this agreement, HMRC’s status will be a controller because HMRC separately determines the purpose and means of the processing of the personal data.

Where personal data is being received under this agreement, HMRC’s status will be a controller because HMRC separately determines the purpose and means of the processing of the personal data after transfer.

4.2 Scottish Courts and Tribunal Services

SCTS will be disclosing and receiving personal data under this agreement.

Where personal data is being received under this agreement, SCTS’s status will be a controller because they separately determine the purpose and means of the processing of the personal data after transfer.

Where personal data is being disclosed under this agreement, SCTS’s status will be a controller because they separately determine the purpose and means of the processing of the personal data.

5. Handling of Personal Data and Security

Where participants bear the responsibility of a data controller (see Section 4.1 and 4.2), they must ensure that any personal data received pursuant to this MoU is handled and processed in accordance with the current 7 UK GDPR principles.

Additionally as part of the Government, HMRC and SCTS must process personal data in compliance with the mandatory requirements set out in HM Government Functional Standard GovS 007: Security issued by the Cabinet Office when handling, transferring, storing, accessing or destroying Information assets.

Participants must ensure effective measures are in place to protect personal data in their care and manage potential or actual incidents of loss of the personal data. Such measures will include, but are not limited to:

• personal data should not be transferred or stored on any type of portable device unless absolutely necessary, and if so, it must be encrypted, and password protected to an agreed standard
• participants will take steps to ensure that all staff involved in the data sharing activities are adequately trained and are aware of their responsibilities under the Data Protection Act (DPA), UK GDPR and this MoU
• access to personal data received by participants pursuant to this MoU must be restricted to personnel on a legitimate need-to-know basis, and with security clearance at the appropriate level
• participants will comply with the Government Security Classifications Policy (GSCP) where applicable

6. Duration, Frequency and Volume of the data sharing

Date MOU comes into effect	MOU formal review date	MOU cease date	Frequency and volume of the data being shared
01 October 2025	30 September 2026	30 September 2026	This is a monthly data share consisting of up to 3000 customer records per month. There is currently an API being developed for this data share which is anticipated to be in place by December 2025 (could be subject to change). Once the API is live this MoU will be subject to review and assurance with a view to ceasing it. A new MoU will be developed for the API.

7. Legal considerations and basis to share data between the participants

HMRC has specific legislation within the CRCA 2005 which covers the confidentiality of information held by the department, when it is lawful to disclose that information and legal sanctions for wrongful disclosure. For HMRC, disclosure of information is precluded except in certain limited circumstances (broadly, for the purposes of its functions, where there is a legislative gateway or with customer consent). Unlawful disclosure relating to an identifiable person constitutes a criminal offence. The criminal sanction for unlawful disclosure is detailed at section 19 of the CRCA 2005.

Data can only be shared where there is a legal basis for the exchange and for the purposes described in this MoU as specified at Section 8 below. No data should be exchanged without a legal basis and all exchanges must comply with our legal obligations under both the DPA 2018 and Human Rights Act (HRA) 1998.

7.1 Legal basis for HMRC to disclose data

HMRC disclose this information to SCTS by virtue of the legal basis of Section 48 of the Digital Economy Act 2017 . Disclosure is for the purposes of the taking of action in connection with debt owed to the public sector.

7.2 Legal basis for SCTS to disclose data

SCTS has a statutory law enforcement role in executing criminal financial penalties. SCTS’ powers are set out in detail in Section 226A to 226I of the Criminal Procedure (Scotland) Act 1995.

SCTS disclose this information to HMRC by virtue of the legal basis of Section 48 of the Digital Economy Act 2017 . Disclosure is for the purposes of the taking of action in connection with debt owed to the public sector.

8. Lawful basis under UK GDPR to process personal data

8.1 Lawful basis for HMRC to process (share) personal data

The lawful processing of personal data will be undertaken in line with Article 6:1(e) of the UK GDPR (performance of a task in the public interest or exercise of official authority) and section 8(d) DPA 2018 (function of a government department).

8.2 Lawful basis for SCTS to process (share) personal data

The lawful basis for processing personal data is SCTS’ statutory law enforcement role in executing criminal financial penalties under Part 3 of DPA 2018. SCTS functions and powers (which are delegated by the Court through an Enforcement Order) are set out in detail in of the Criminal Procedure Scotland Act 1995 (1995 Act).

To the extent that any processing of information by the SCTS is not Law Enforcement processing, it is considered “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” in terms of Article 6(1)(e) of the UK GDPR and section 8(a) DPA 2018 (administration of justice).

9. Data to be shared

Every month, SCTS will share personal data with HMRC for up to 3000 individuals who have an outstanding SCTS debt.

Data sent from SCTS to HMRC:

• SCTS Unique Identifier
• forenames
• surname
• date of birth
• address
• postcode
• national insurance number (NiNO)

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

HMRC will only return data when there is a confirmed match.

Data sent from HMRC to SCTS:

• HMRC name
• HMRC DOB
• latest HMRC address
• latest HMRC postcode
• telephone number
• mobile number
• email address
• deceased flag
• employed indicator
• employer name
• employer address
• Pay As You Earn (PAYE) latest payment date
• PAYE latest payment amount
• PAYE pay year to date
• PAYE tax year to date
• Self-Employment (SE) indicator
• SE taxable profits 2024
• SE taxable profits 2025
• SE trading address
• SE trading postcode

10. How the data will be transferred

Every month SCTS will populate an Excel document with personal information relating to up to 3000 individuals who have an outstanding SCTS debt.

The data will be shared both inbound and outbound by Secure Data Exchange Service (SDES)

11. Accuracy of the data being shared

Before sharing data both participants must take all reasonable steps to ensure that the data they share is both accurate and up to date.

The exporting department will ensure that data integrity meets their own department’s standards, unless more rigorous or higher standards are set out and agreed at the requirements stage.

Participants will notify each other of any inaccuracies of the data as they are identified.

12. Retention and destruction of data

12.1 HMRC

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

12.2 SCTS

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

13. Onward disclosure to third parties

The data will be used for the purposes laid out in this MoU and will not be shared outside of SCTS without prior approval and consent of HMRC.

14. Role of each participant to the MoU

14.1 Role of HMRC

• identify the appropriate data required from HMRC IT systems and records
• provide the data to SCTS in Microsoft Excel format transferred by SDES from and to agreed contact points
• only allow access to that data by the team requiring it
• ensure that staff handle this data in line with the approved secure transfer method agreed by both departments and within HMRC data security instructions
• only store the data for as long as there is a business need to do so
• move, process and destroy data securely in line with the principles set out in HM Government Functional Standard GovS 007: Security issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
• comply with the requirements in the Government Functional Standard GovS 007: Security and, in particular prepare, for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to information

14.2 Role of SCTS

• identify the appropriate data required from HMRC
• only use the information for purposes that are in accordance with the legal basis under which it was received
• only hold the data for as long as there is a business need to do so
• ensure that only people who have a genuine business need to see the data will have access to it
• on receipt, store data received securely and in accordance with the prevailing central government standards, for example in secure premises and on secure IT systems
• if SCTS adheres to a different set of security standards they must inform HMRC what these standards are at 14.3 below and comply with any additional security requirements specified by HMRC
• seek permission from HMRC before onward disclosing information to a third party
• seek permission from HMRC if you are considering offshoring any of the personal data shared under this agreement
• mark information assets with the appropriate government security classification and apply the baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, issued by the Cabinet Office, and as a minimum the top level controls framework provided in the Annexe – Security Controls Framework to the GSC
• where applicable – send the data in MS Excel format transferred by Secure Data Exchange Service (SDES) agreed by both departments under the protective marking ‘Official / Official-Sensitive’

14.3 SCTS Security Standards

SCTS adhere to the principles of the Security Policy Framework, however, there are necessary differences as a result of devolution. For example, SCTS are bound by the following:

• public Records (Scotland Acts) 1937 & 2011
• Framework agreement between SCTS and Scottish Ministers

For additional information SCTS holds accreditation for the Cyber Security Essentials and Cyber Security Essentials Plus schemes.

15. Monitoring and Reviewing and arrangements

This MoU relates to a regular exchange that must be reviewed annually to assess whether the MoU is still accurate and fit for purpose.

Reviews outside of the proposed review period can be called by representatives of either participant. Any changes needed as a result of that review may be agreed in writing and appended to this document for inclusion at the formal review date.

Technical changes necessary to improve the efficiency of the exchange that do not change the overarching purpose can be made without the requirement to review formerly the MoU during its life cycle but must be incorporated at the formal review stage.

A record of all reviews will be created and retained by each participant.

16. Assurance Arrangements

HMRC has a duty of care to assure any data that is passed on to others. Processes covered by this MoU will be subject to annual reviews, from the date of sign off. HMRC may also choose to introduce ad hoc reviews. Assurance will be provided by the annual completion of a Certificate of Review and Assurance (CoRA). The assurance processes should include checking that any information sharing is achieving its objectives (in line with this MoU) and that the security arrangements are appropriate given the risks.

SCTS agrees to provide HMRC with a signed CoRA within the time limits specified upon request.

HMRC reserves the right to review the agreed risk management, controls, and governance in respect of this specific agreement.

17. Security Breaches, Security Incidents or loss or unauthorised disclosure of data

The designated points of contact are responsible for notifying the other participant in writing in the event of loss or unauthorised disclosures of information within 24 hours of the identification of the event.

The designated points of contact will discuss and agree the next steps relating to the incident, taking specialist advice where appropriate. Such arrangements will include (but will not be limited to) containment of the incident and mitigation of any ongoing risk, recovery of the information, and notifying the Information Commissioner and the data subjects. The arrangements may vary in each case, depending on the sensitivity of the information and the nature of the loss or unauthorised disclosure.

18. Subject Access Requests

In the event that a Subject Access Request (SAR) is received by either participant they will issue a formal response on the information that they hold following their internal procedures for responding to the request within the statutory timescales. There is no statutory requirement to re-direct SARs or provide details of the other participant in the response. However, each participant will notify the other if a SAR is received in respect of any personal data shared under this agreement.

HMRC SAR Contact

SCTS SAR Contact

Full details of Data subject’s rights in relation to processing of personal information can be found in each participant’s Privacy Notice, see links below. Also, see ICO Guidance, link below.

HMRC Privacy Notice

SCTS Privacy Notice

ICO Data Sharing Code of Practice – The rights of individuals

19. Freedom of Information Act (FoI) 2000

Both participants are subject to the requirements of the FoI Act 2000 and shall assist and co-operate with each other to enable each organisation to comply with their information disclosure obligations.

In the event of 1 participant receiving an FoI request that involves disclosing information that has been provided by the other participant, the organisation in question will notify the other to allow it the opportunity to make representations on the potential impact of disclosure.

HMRC FOI Contact

SCTS FOI Contact

20. Issues, disputes, and resolution

Any issues or disputes that arise as a result of exchange covered by this MoU must be directed to the relevant contact points. Each participant will be responsible for escalating the issue as necessary within their given management structure.

Where a problem arises it should be reported as soon as possible. Should the problem be of an urgent nature, it must be reported by phone immediately to the designated business as usual contact and followed up in writing the same day. If the problem is not of an urgent nature, it can be reported in writing within 24 hours of the problem occurring.

21. Costs

Any time incurred by HMRC for the delivery of this data and information will be recovered and paid for by SCTS. The costs will be recharged on a quarterly basis.

22. Termination

This MoU may be terminated by giving 3 months’ notice by either participant.

Both participants to this MoU reserve the right to terminate this MoU with 3 months’ notice in the following circumstances: - by reason of cost, resources, or other factors beyond the control of the HMRC or SCTS - if any material change occurs which, in the opinion of HMRC and SCTS following negotiation significantly impairs the value of the data sharing arrangement in meeting their respective objectives

In the event of a significant security breach or other serious breach of the terms of this MoU by either participant the MoU will be terminated or suspended immediately without notice.

In the event of a failure to cooperate in a review of this MoU or provide assurance the agreement may be terminated or suspended without notice.

23. Signatories

This content has been withheld because of exemptions in the Freedom of Information Act 2000.