HMRC transaction monitoring privacy notice

Updated 19 October 2022

Purpose of this document

To protect your data and our services HMRC operates transaction monitoring capabilities. These record how you connect to our systems, and what you do whilst you are on them.

This privacy notice explains how HMRC collects and uses your personal information for transaction monitoring purposes. You should read the HMRC privacy notice alongside this privacy notice.

Why we process your data

HMRC processes your data for transaction monitoring purposes to:

  • keep your data safe, private, and secure
  • make sure that your data is protected from people intending to use it for fraudulent and criminal purposes
  • prevent fraud
  • prevent, detect, investigate, and prosecute criminal activity

When we collect your data

Our transaction monitoring capabilities may record information about you when you are directly or indirectly using HMRC services.

Directly using HMRC services

This will include when you:

  • sign into, and use your digital tax account
  • register for any service with HMRC
  • file your tax returns or updates
  • use our Webchat
  • phone us
  • use our mobile app

This list is not exhaustive.

Indirectly using HMRC services

Our transaction monitoring capabilities may collect your personal data if someone uses HMRC systems to tell us about you. This could be when:

  • an authorised tax agent or representative contacts us on your behalf
  • your employer pays your income tax on your behalf by PAYE
  • you use a software package or application which is compatible with Making Tax Digital to record your business records which helps you complete and submit tax updates or returns to us

Using a shared HMRC Service

HMRC shares some of our services with other government departments and local authorities. Our transaction monitoring may collect your personal data when you use one of these services:

  • Government Gateway service
  • Check a bank account service

Government Gateway

HMRC operates Government Gateway on behalf of the government.

When you log into Government Gateway to access another government department or local authority service HMRC transaction monitoring may collect and process your data while you are using Government Gateway.

Sometimes you may indirectly use a shared HMRC service. Some of our services perform a specific function within someone else’s service.

HMRC has a shared service to check bank account details are correct. Other government departments and local authorities could collect your bank details from you, then check them with our shared service.

The department or local authority will tell you if they are using an HMRC shared service when you give your bank details using one of our shared services. Our transaction monitoring may then collect and process your data while you use that shared service.

What data we collect and when

Transaction monitoring records information about you when you are using HMRC and shared HMRC services.

We collect personal data about:

  • the computers, phones or devices you use
  • the internet connections you use
  • what you do when you are on our services
  • what you tell us

How we process your data

When you sign in to one of our services we may create unique identifiers in the browser, application or device you’re using. We may also give you a transaction monitoring cookie which we use to help recognise you and link you to your account.

When you use a software package or application which is compatible with Making Tax Digital to record your business records which helps you complete and submit tax updates or returns to us. Your software provider may also supply us information about you to meet their legal obligations to HMRC.

In both instances the information we collect includes:

  • unique identifiers
  • browser type and settings
  • device type and settings
  • operating system
  • mobile network information including carrier name and phone number
  • application version number

We also collect information about the interaction of your apps, software, browsers and devices with our services, including the:

  • IP address
  • date and time
  • referrer URL of your request
  • software you are using
  • mobile app you are using

We collect information about what you do in our services, such as:

  • pages you access
  • services you use directly or indirectly
  • information you give us or our services

We may also collect information about you from trusted security partners who provide us with information to protect against abuse.

We use this information to help improve the safety and security of our services. This includes detecting, preventing and responding to fraud, abuse, security risks and technical issues that could harm HMRC, or our customers.

We collect and process personal data for transaction monitoring purposes to prevent and detect crime and fraud and for the purposes set out above because it is necessary to do so in the public interest and so that we can carry out our official functions as a government department.

As HMRC is permitted to carry out transaction monitoring without your consent, you cannot withdraw your consent.

When we may share your personal information with third parties

We will, in some circumstances and where the law allows, share your data with third parties.

When a third party government department or local authority uses an HMRC shared service, we may share information about your use of that service with them. Where the law allows, this may include your historical use of that service with HMRC or other third party government departments or local authorities.

When we suspect or detect crime, and the law allows, we may share transaction monitoring information with other law enforcement

Overseas data transfers

To develop a reliable device identification, transaction monitoring device profiling shares:

  • IP addresses and device information with a third-party supplier which has data centres located in the EU and America

  • bank account details with third-party suppliers with data centres located in the EU and America

How long we keep your data

In line with with our records management and retention and disposal policy, we keep transaction monitoring records for 6 years plus the current year.

Where you have held a continuous account with HMRC for longer than this standard retention period we may hold some account information which is older, but which is still up to date.

Your rights in relation to transaction monitoring

You can read about your rights in the HMRC privacy notice.

Contact HMRC or make a complaint

You can contact us if you have questions about this privacy notice or want to make a complaint.

Changes to this privacy notice

We keep our privacy notices under regular review. If we make changes to this notice, we’ll amend the date at the top of this page.