DMBM513170 - Customer contact and data security: legislation and policy: Data Protection Act

The majority of this manual will be archived on 30 Apr 2024. If there is content within this manual you use regularly, email hmrcmanualsteam@hmrc.gov.uk to let us know.

What is the Data Protection Act (DPA)?

The DPA covers the use (processing) of personal data and is intended to protect the privacy of information HMRC holds about individuals. The requirements of the DPA are contained within eight fundamental principles (‘the 8 Principles’) and these set out requirements for the way that personal data must be handled. We must ensure that our records are:

  • adequate for our business purpose, relevant and not excessive
  • accurate and up-to-date
  • not kept for longer than is necessary.

DPA gives ‘living individuals’ the right of access to their information or personal data in any form, including electronic and paper. HMRC’s policy is to be as open as possible with our customers. Our policies and procedures are designed to exceed the minimum requirements of the Act.

The DPA does not specify what records we should keep or how long we should retain them. The Act incorporates the eight data quality principles which all government departments must follow.

We can exempt information from disclosure in certain circumstances; these are defined by the Act.

The guidance in this manual is solely concerned with the information sharing provisions of the DPA.

Occasionally you will receive a call or a letter in which a customer asks for access to the information we hold about them. This is called a ‘Subject Access Request’ (SAR).

Sometimes the customer will refer to a ‘Freedom of Information request’, but any time a customer asks for information about themselves from our records is actually a SAR that they are talking about, see DMBM510260.

Detailed guidance is available on the Data Protection Act, see: