CH201640 - How to do a compliance check: using the internet for risk assessment and research: HMRC open source policy

HMRC has a tiered operating model for open source research. The operating model is to enable effective compliance work and to mitigate the risk of unauthorised online surveillance contrary to the Regulation of Investigatory Powers Act 2000 (RIPA).

The HMRC Open Source Operating Model is based on HMRC policy. Tiers 1 and 2 of the HMRC Open Source Operating Model relate to overt activity, Tier 3 relates to covert activity. Although this guidance explains actions required for overt activity under Tiers 1 and 2, reference is made to Tier 3 actions if covert activity is required.

Tier 1

This covers overt internet research, see CH201660. May also include research of social media where a log in is not required.

Tier 2

This covers overt research of social media in support of compliance work where a log in is required (This content has been withheld because of exemptions in the Freedom of Information Act 2000)

Public statement

HMRC has published a statement regarding its use of publicly available information, including social media.

HMRC’s public statement is as follows:

'Open Source' Material

HMRC may observe, monitor, record and retain Internet data which is available to anyone.  This is known as ‘Open Source’ material and includes:

  • news reports
  • internet sites
  • Companies House and Land Registry records
  • blogs and social networking sites where no privacy settings have been applied

HMRC has published this statement to inform the public of its use of the internet and social media to support our compliance activities. This means that when HMRC undertakes this kind of research it may be regarded as overt. A Directed Surveillance Authorisation (DSA) is not required for overt checks. Where HMRC intentionally conceals that checks are being made, such checks will be covert and may require a DSA. Whether checks are overt or covert, whenever private information is obtained it is essential that all actions are reasonable and proportionate.

Opening letters and factsheets used by compliance caseworkers contain the public statement. This informs the recipient that HMRC conducts open source research on publicly accessible websites. It is this published public statement, repeated in the opening letter and factsheets, which renders such research by Tier 1 and 2 compliance caseworkers ‘overt’ rather than ‘covert’ meaning no DSA will be required under Regulation of Investigatory Powers Act 2000 (RIPA) .