© Crown copyright 2019
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: firstname.lastname@example.org.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/transaction-monitoring-privacy-notice/transaction-monitoring-privacy-notice
Purpose of this document
In order to protect your data and our services, HMRC operates transaction monitoring capabilities. These record how you connect to our systems, and what you do whilst you are on them. We only monitor you when you are signed into our services.
This privacy notice explains how HMRC collects and uses your personal information for transaction monitoring purposes. You should read the HMRC Privacy Notice alongside this privacy notice.
Why we process your data
HMRC processes your data for transaction monitoring purposes to:
- keep your data safe, private and secure
- make sure that your data is protected from people looking to use it for fraudulent and criminal purposes
- prevent fraud
- prevent, detect, investigate and prosecute criminal activity
What data we collect and when
Transaction monitoring records information about you when you are signed into our services.
We collect personal data about:
- the computers, phones or devices you use
- the internet connections you use
- what you do when you are on our services
- what you tell us
Transaction monitoring may collect your personal data even if you do not directly use our systems.
For example, when:
- an authorised tax agent or representative contacts us on your behalf
- your employer pays your income tax on your behalf by PAYE
- you sign in to Government Gateway to access another government service
- you use a software package or application which is compatible with Making Tax Digital to keep your business records, and which helps you complete and submit tax updates or returns to us
How we process your data
When you sign in to one of our services we create unique identifiers in the browser, application or device you’re using. We also give you a transaction monitoring cookie which we use to help recognise you and link you to your account.
The information we collect includes:
- unique identifiers
- browser type and settings
- device type and settings
- operating system
- mobile network information including carrier name and phone number
- application version number
We also collect information about the interaction of your apps, software, browsers and devices with our services, including the:
- IP address
- date and time
- referrer URL of your request
We collect information about what you do in our services, such as:
- pages you access
- information you give us
We may also collect information about you from trusted security partners who provide us with information to protect against abuse.
We use this information to help improve the safety and security of our services. This includes detecting, preventing and responding to fraud, abuse, security risks and technical issues that could harm HMRC, or our customers.
Our legal basis for processing your personal data
We collect and process personal data for transaction monitoring purposes to prevent and detect crime and fraud and for the purposes set out above because it is necessary to do so in the public interest and so that we can carry out our official functions as a government department.
As HMRC is permitted to carry out transaction monitoring without your consent, you cannot withdraw your consent.
When we may share your personal information with third parties
We will, in some circumstances and where the law allows, share your data with third parties.
When we detect crime we may share information with other law enforcement agencies, government departments, credit reference agencies, and anti-fraud groups.
Overseas data transfers
In order to develop a reliable device identification, transaction monitoring device profiling shares IP addresses and device information with a third party supplier which has data centres located in the EU and the USA, and which complies with the EU-US Privacy Shield Framework.
How long we keep your data
In line with our records management and retention and disposal policy, we keep transaction monitoring records for 6 years plus the current year.
Where you have held a continuous account with HMRC for longer than this standard retention period we may hold some account information which is older, but which is still up to date.
Your rights in relation to transaction monitoring
You can read about your rights in the HMRC Privacy Notice.
Contact HMRC or make a complaint
You can contact us if you have questions about this privacy notice or want to make a complaint.
Changes to this privacy notice
We keep our privacy notices under regular review. If we make changes to this notice, we’ll amend the date at the top of this page.