Sharing information outside of HMRC: legal obligations: Freedom of Information Act 2000
In addition to the CRCA, there are other, more general pieces of legislation which impact on the way we use and disclose information, such as the Freedom of Information Act 2000 (FOIA).
What is the Freedom of Information Act?
The Freedom of Information Act (FOIA) provides a right of access to recorded information held by public authorities. HMRC is subject to the Act.
Subject to other provisions of the Act, any person who makes a request for information must be informed whether HMRC holds it, and if so, the information must be communicated to them.
Procedure to take if you receive a request for information
There is a statutory time limit of 20 working days for answering an FOI request. As soon as you receive a request, you must act immediately to help the department meet this deadline.
All requests must be registered by the central FOI unit and you should refer the request to them via your local FOI rep. All the contacts you might need are published on the FOI site contacts list (see IDG80300).
The FOI process means that requests are answered by the most appropriate part of HMRC: that is hardly ever the person who first identifies the request. Please do not attempt to answer an FOI request yourself - you must pass it to your local FOI rep.
What an FOI request looks like
The request does not need to mention any legislation or refer directly to the Act, but it must:
- be in writing, which may include email or fax,
- state the name of the applicant and an address for correspondence,
- describe the information wanted.
It is not always easy to identify whether a request falls within the scope of the Act or whether it is of a more normal business nature. There is guidance on the FOI site FAQ page (see IDG80300) which provides help in distinguishing between the two.
The FOIA does not allow anyone to obtain information about a customer. Section 18(1) CRCA and section 19(4) Border, Citizenship and Immigration Act 2009, apply the section 44 FOIA exemption to remove customer information from the right of access under the Act. The FOI central team has stock replies to give a proper FOIA-compliant refusal. Practically, our response under FOIA will always “neither confirm nor deny” we hold information.
Requests from non-living customers (e.g. companies), or from third-parties who have the customer’s consent, should be dealt with on a discretionary basis, making it clear that any information is being given outside the terms of the FOIA.
Requests from living individuals for information about themselves should be answered using the Subject Access Request (SAR) process which is a provision within the Data Protection Act (see IDG30220).
If you have any doubts about a request, more detailed guidance on FOI generally can be found on the FOI site (see IDG80300).
For further guidance and assistance generally on confidentiality please contact your Data Guardian.