Confidentiality when dealing with the customer: customer confidentiality: Subject Access Requests
The Data Protection Act (see IDG40160) provides a right of access to individuals (called Data Subjects in the Act) to the personal data HMRC holds about them. A ‘Subject Access Request’ is a request made by a customer for access to personal data about themselves. A subject access request is called a SAR and shouldn’t be confused with a Suspicious Activity Report made under the anti-money laundering regime.
How to identify a SAR
Most requests from customers for details of their own information can be treated as routine, e.g. a copy of their last tax return or notice of coding. However, if a request specifically refers to the Data Protection Act (DPA), or asks for more information than would normally be provided, then you should treat it as a SAR. Phrases like “information about me” or “my personal information” will usually indicate that you should treat the request as a SAR. If in doubt, consult your local Subject Access Officer (see below).
SARs must be in writing. This includes a letter, e-mail or fax.
A SAR does not have to mention that it is a request made under the DPA.
People often request information about themselves under the Freedom of Information Act (see IDG40150). These are actually SARs and should be dealt with under the DPA rather than as FoI requests.
What to do when you receive a SAR
The DPA says you must respond to a SAR within 40 days. To ensure the department can meet this deadline, you must deal with a SAR as quickly as possible.
Each of the main HMRC lines of business has its own arrangements for handling SARs. If you are unsure how to deal with a SAR, you should contact your local Subject Access Officer. Contact details are shown on the DPA intranet site (see IDG80300).
Personal data which need not be disclosed
There is a specific provision in the DPA which allows HMRC to withhold personal data requested in a SAR in certain circumstances. There are also a number of exemptions that allow us to withhold personal information, for example where release of the information might prejudice the assessment or collection of tax. If you think that an exemption might apply to some of the information that has been requested, you should seek advice from your nominated contact.
Third party requests
The DPA does not itself provide a legal gateway for the disclosure of HMRC information. If a third party (that is, not the customer and not HMRC) makes a request for confidential information solely citing the DPA, we must refuse them and explain that we can only disclose the information if one of the exceptions at Section 18(2) of the Commissioners for Revenue and Customs Act 2005 applies, or there is a specified legal gateway that would allow it.
Guidance on the DPA generally can be found on the DPA intranet pages.