Customer contact and data security: confidentiality: Subject Access Request (SAR) made under the DPA 2018.
The Data Protection Act (DPA) covers the use (processing) of personal data and is intended to protect the privacy of information HMRC holds about individuals, see DMBM513170.
Occasionally you will receive a call or a letter in which a customer asks for access to the information we hold about them. This is called a ‘Subject Access Request’ (SAR). Sometimes the customer will refer to a ‘Freedom of Information request’, but any request a customer makes for information about themselves from our records is actually a SAR. SARs can be made wither online, in writing or verbally.
You should always bear in mind when writing notes on the record that a customer may at any time submit a SAR.
Handling subject access requests
SARs should be handled in accordance with the DM SARS guidance. However, any requests for recordings of calls handled by Debt Management will need to be referred to the Business Support Unit by redirecting the request via internal post to the address below for written requests, or mailbox for verbal requests.
Some SARs will request a mix of information but BSU will only provide call recordings; the receivers of the SAR should arrange the provision of the other information requested (such as notes from customer records).
SAR mentioned during calls
If during an inbound or outbound call you receive a SAR under the DPA, you should:
- explore with the customer whether the issue can be resolved without the need for a SAR
- tell customers asking to be sent a transcription (a text version of conversation) of previous calls that we are unable to do so - the DPA indicates that we do not have to create records or information (transcribing a call recording is the creation of a record)
- advise customers who choose to pursue a SAR for call recordings that we may not have recorded all Debt Management calls. (This content has been withheld because of exemptions in the Freedom of Information Act 2000)
- inform the customer that call recordings, where we have them, will be sent on a CD.
- advise customers wishing to make a request that they can:
- use our online form to make the request, the form is on our website and search HMRC SAR
- put their request in writing
- make a verbal request
- inform the customer that written requests for call recordings should be sent to:
DM Business Support Unit
HM Revenue and Customs
St. Mungo’s Road
- the request should contain as much of the following detail to allow us to trace the recordings:
- requestor’s full name
- company’s full name (if applicable)
- current address (and previous address if this has changed recently)
- customer reference (NINO, UTR, PAYE refer, VRN and so on)
- dates and times of the calls they wish access to
- name of the collector they spoke to (if known)
- phone number they called us from or we called them on
- phone number they dialled (if they called us)
- the specific information they want access to (for example, DM VAT call recordings) - we are not obliged to comply with requests that are too broad or vague
- (This content has been withheld because of exemptions in the Freedom of Information Act 2000)
Customers can also request copies of their information using social media platforms such as Facebook and Twitter. Requests coming through Social Media must contain the same level of detail as a written request before it can be actioned.
More information is available on Gov.uk.