IDG30210 - Confidentiality when dealing with the customer: customer confidentiality: consent

HMRC staff have a duty of confidentiality under S18 Commissioners for Revenue and Customs Act 2005 (CRCA). We can only disclose information about a customer to someone else in limited circumstances. S18(2)(h) allows us to make a disclosure with the consent of each person to whom the information relates.

There are some basic principles for consent that apply:

  • whether your customer is an individual, a business or a company;
  • whoever you are disclosing the information to, e.g. an accountant; other paid agent; a family member or friend; a voluntary sector organisation;
  • for all HMRC data whether direct taxes, indirect taxes, tax credits or duties.

The Information Commissioner’s Office (ICO) guidance on the Data Protection Act 2018 and the General Data Protection Regulation (GDPR) (look up Office of Data Protection Officer (ODPO) on intranet) states that consent requires:

  • a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
  • a very clear and specific statement of consent.
  • Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
  • Make it easy for people to withdraw consent and tell them how.
  • Keep evidence of consent – who, when, how, and what you told people.

Positive indication

Valid consent should be explicit and cannot be assumed from inaction. There needs to be some kind of positive indication, e.g. a signature, verbal (oral) affirmation or online box tick.

Freely given

There needs to be a choice with a viable alternative option should the data subject not want to give their consent.

In the case of authorising an agent, this is a choice in itself; the alternative is to deal with your own tax matters.

The customer should be able to withdraw their consent as easily as they give it.

Fully informed and specific

We need to make the customer aware of the amount and type of data that HMRC holds about them. There must be a reasonable expectation that the customer knows and understands what information they are consenting to be disclosed. This may vary depending on the customer.

If you are unsure if the consent you hold applies to the information in question, please refer this to your manager who can contact your Data Guardian in cases of doubt.

When is a customer likely to consent to disclosure of their personal information?

Sometimes it may be in the customer’s interest to ask us to disclose information about them to a third party. For example, a customer may want:

  • to appoint an agent, accountant or other professional representative to act on their behalf with HMRC
  • a friend, family member or a voluntary organisation to help them deal with the department
  • HMRC to pass their information to another government department that can provide services to the customer

Evidence

HMRC needs to have a reasonable level of proof that the customer has given their consent for us to disclose their information.

We retain evidence of consent:

  • For our own records, to check the customer has agreed to their information being disclosed
  • In case of a dispute: HMRC could be challenged civilly (for a breach of S18 CRCA or the Data Protection Act) or criminally (for fraud) if we disclose without valid consent

Period consent is valid for

Consent may be:

  • open ended
  • for a specific time period
  • for a single compliance check or enquiry.

Some forms of consent, such as those appointing a professional agent, can last until they are replaced by a new agent appointment.

  • Keep consent under review, and refresh it if anything changes.
  • Avoid making consent to processing a precondition of a service.

The customer has the right to withdraw their consent at any time either in writing, by telephone or in person.

If you are unsure if the consent is still valid or whether it applies to the information in question, please refer this to your manager who may contact your Data Guardian.

Procedure to obtain consent

Consent may be given in writing; through an online service; and, in specific circumstances, verbally in person or over the phone.

There are some departmental forms designed to capture all the information we need to demonstrate we have a positive indication of the customer’s fully informed and specific consent.

The use of official forms, e.g. a 64-8, is not mandatory and you can accept a letter provided it includes:

  • whom the customer is authorising to receive the information from HMRC
  • the nature of the information to be disclosed, e.g. for specific types of taxes
  • the period for which consent is given, where consent is time limited
  • the customer’s signature. The CRCA is not prescriptive on whether the signature needs to be an original “wet” signature or a photocopy/electronic signature; however, depending on the context and business area, there may be specific rules on when an original “wet” signature is needed. Guidance on the approach to be taken on wet and electronic signatures should be reviewed (internal users: please look up on the intranet), and you should consult with your business area and your Security & Information Business Partner (SIBP) in the first instance if you have any doubt.

Verbal consent may be given by the customer over the phone or in person to allow another person to be told their personal information.

Verbal consent is valid for one disclosure only. If the customer would like someone to act on their behalf without the customer present or would like us to write to their representative, they will need to send in written authority, e.g. a letter or form 64-8.

Before accepting verbal consent, you must be satisfied that you are speaking to the customer. You can use security questions to verify their identity. Your business area will have a ‘consent’ script - a list of questions and statements to go through to ensure that the principles of consent have been met.

You should make the customer aware that HMRC will be disclosing personal information to their representative.

Remember that you should only disclose information covered by the verbal consent and which is necessary for the representative to act effectively for the customer.

Full guidance on how to handle such telephone calls can be found in the Caller Verification part of the DMB Guide at DMBM512810 onwards (internal users: this can be found on the intranet).

There will be circumstances where you can anticipate the possibility of disclosing personal information, e.g. during an interview with a customer and their spouse, with business partners or some other third party.

You should record the names of everyone present and, to avoid any later disputes over whether consent was given, you should start the interview by drawing attention to the likelihood of personal information being disclosed.

The third party may be there to support the customer or help with communication rather than acting as an agent or representative, but you still need to make the customer aware that personal information may be disclosed and get their written consent to the third party being present when personal information is discussed.

This need not be on a form 64-8 but can simply say that they agree to the third party (named) being present when personal information is being discussed at the interview.

Where it is not practical to get written consent you should record in the notes of the meeting that the customer has given verbal consent for the third party to be present when personal information was disclosed.

When a customer dies, HMRC will treat their Personal Representative as if they were now the customer. If the Personal Representative wants to give consent for the disclosure of HMRC information relating to the deceased, you should follow the procedure outlined at IDG30470.

If the customer is a company and it is in the midst of an insolvency process, follow the procedure at IDG40610. This permits the person handling the company’s affairs to give consent.

If the company has already been dissolved then there is no person able to give the company’s consent and so this method of disclosure cannot be used.

Time limited consent for specialist agents

A customer may appoint an agent with specialist knowledge to handle a particular aspect of their tax affairs even though they already have an agent who will continue to act under the existing terms of the consent given.

Form 64-8 doesn’t cover this situation, so you should ask for a letter setting out the area the specialist is dealing with and the period they will be acting for, e.g. to deal with the capital allowance claims for the accounting period currently under enquiry.

Information that should not be disclosed

There is no obligation for HMRC to disclose every piece of information it holds. For example, you should not disclose if that disclosure would compromise an ongoing investigation. Seek further guidance from your manager if you are unsure.