Customer contact and data security: confidentiality: Subject Access Request (SAR) made under the DPA 2018.
The Data Protection Act (DPA) covers the use (processing) of personal data and is intended to protect the privacy of information HMRC holds about individuals, see DMBM513170.
Occasionally you will receive a call or a letter in which a customer asks for access to the information we hold about them. This is called a ‘Subject Access Request’ (SAR). Sometimes the customer will refer to a ‘Freedom of Information request’, but any request a customer makes for information about themselves from our records is actually a SAR. All SARs must be in writing; this can be by letter, fax or email.
You should always bear in mind when writing notes on the record that a customer may at any time submit a SAR.
Handling subject access requests
SARs should be handled in accordance with the DM SARS guidance. However, any requests for recordings of calls handled by Debt Management will need to be referred to the Business Support Unit by redirecting the request via internal post to the address below.
Some SARs will request a mix of information but BSU will only provide call recordings; the receivers of the SAR should arrange the provision of the other information requested (such as notes from customer records).
SAR mentioned during calls
If during an inbound or outbound call you receive a SAR under the DPA, you should:
- explore with the customer whether the issue can be resolved without the need for a SAR
- tell customers asking to be sent a transcription (a text version of conversation) of previous calls that we are unable to do so - the DPA indicates that we do not have to create records or information (transcribing a call recording is the creation of a record)
- advise customers who choose to pursue a SAR for call recordings that we may not have recorded all Debt Management calls and have only done so:
- between 16 August 2016 and 16 May 2017
- from 9 October 2017
- advise customers wishing to make a request that it must be made in writing and contain as much of the following detail to allow us to trace the recordings:
- requestor’s full name
- company’s full name (if applicable)
- current address (and previous address if this has changed recently)
- customer reference (NINO, UTR, PAYE refer, VRN and so on)
- dates and times of the calls they wish access to
- name of the collector they spoke to (if known)
- phone number they called us from or we called them on
- phone number they dialled (if they called us)
- the specific information they want access to (for example, DM VAT call recordings) - we are not obliged to comply with requests that are too broad or vague
- inform the customer that the written request for call recordings should be sent to:
DM Business Support Unit
HM Revenue and Customs
St. Mungo’s Road