Beta This part of GOV.UK is being rebuilt – find out what beta means

HMRC internal manual

Compliance Handbook

How to do a compliance check: data-gathering powers: storage of data

Data handling processes must comply with HMRC’s data security requirements and be approved by the local data guardian.

Note: The data-holder notice may specify the ‘means and form’ in which the data-holder must provide the relevant data, providing that the means and form are reasonable.

To comply with the data security requirement you must

  • store the received data securely, that is, physical assets must be kept in lockable storage - electronic versions should be stored in folders with restricted access.
  • notify your data guardian of the data received, and they will consider if the arrangements for storage and disposal meet departmental policy.

You must supply the data guardian with the following information:

  • the types of data obtained
  • the form of the data
  • the officers responsible for access to the data, and those to be granted access
  • the expected use of the data
  • the expected disposal date
  • how the data is to be stored
  • the method of disposal, and
  • how the data will be returned.

There are very tight restrictions on transporting data, particularly when the data is unencrypted. You need to minimise the occasions when data has to be returned to the person by making it clear that the data supplied to us will be automatically destroyed on completion of our actions. However, if the data-holder is adamant that the data must be returned, contact your data guardian for advice and assistance on how the data can be returned.