CRG3150 - Mistakes: Data security issues

Maintaining the security of confidential data, particularly customer information, is vitally important. The rules that must be followed are set out on the Data Security site. We regard all unauthorised or inappropriate disclosures of information as mistakes for the purposes of considering remedy. Bear in mind, however, that Section 19 of the Commissioners for Revenue and Customs Act 2005 provides that “wrongful disclosure” constitutes a criminal offence. For that reason, always be careful not to give the impression that we accept that we have breached the provisions of the Act. It is not for the complaints process to determine what is in effect a legal matter.

We should not assume that all complaints from customers about information falling into the hands of other people automatically involve a statutory infringement. There may be other situations where the officer has simply been careless. Although this may call into question the officer’s conduct, it may not necessarily amount to “wrongful disclosure” as defined by the Act. If you need advice, contact Security and Information Directorate.

Example

  • A partner in a business resigned. Some years later we contacted the accountant dealing with the partnership, and not realising that he did not also act for the former partner, told him about the health problems of the former partner and the steps being taken in respect of his share of partnership debts. As a result another of the partners went to see him and his illness became common knowledge. We accepted mistake and made a payment for worry and distress caused by our inappropriate disclosure.

Particular care is needed in the case of joint claims, for example for tax credits. Where the claimants separate it is important to take steps to ensure that personal information about one is not inadvertently disclosed to the other. If disclosure is made in such circumstances, make a note of how it occurred and whether HMRC was at fault so that there is an audit trail in the event of a financial redress claim. Seek the advice of CCAST at an early stage.

The customer’s consent is normally required before we can disclose information outside the Department but we can lawfully disclose information to various public bodies in certain circumstances. If you have any problems, refer to the Information Disclosure Guide or if this does not answer your question, contact the Information Policy and Disclosure team in Central Policy.