Sharing information outside of HMRC: legal obligations: Data Protection Act 2018 and the General Data Protection Regulation 2018
In addition to the CRCA, there are other, more general pieces of legislation which impact on the way we use and disclose information, such as the Data Protection Act 2018 (DPA) and the General Data Protection Regulation 2018 (GDPR).
The DPA 2018 and the GDPR 2018 came into effect in May 2018 and apply to all processing of personal data by HMRC. The legislation sets new standards for transparency, individual rights, record keeping, compliance and enforcement. The legislation also creates special categories of personal data that require more sensitive handling.
The GDPR requires HMRC to comply with a number of principles. These can be found on the GDPR knowledge hub.
GDPR/DPA 2018 Issues relevant to all disclosures of HMRC information
In terms of the disclosure of personal data there are some key factors to consider:
- Disclosure is a form of data processing and is therefore subject to the GDPR/DPA 2018.
- Data sharing must be fair, lawful and transparent and meet all other GDPR/DPA 2018 requirements.
The requirement that the processing be fair and lawful means that there must be a legal basis for making the disclosure, for example because the CRCA allows it, or there is a legal gateway in place which supports it.
In addition, the type and volume of personal data that we disclose must be adequate, relevant and limited to what is necessary in relation to the purposes for which it will be used. This means information should only be disclosed for a clear aim or purpose even where a legal basis exists, and even then the information disclosed should be the minimum amount needed to achieve the clear aim and purpose of the disclosure.
Does the GDPR 2018 or the DPA 2018 provide a gateway to allow disclosure?
Section 195 of the DPA 2018 provides a legal gateway for HMRC to disclose information to the Ministry of Defence (MoD) for the purpose of contacting ex-reservists and those liable for recall to military service. Further information on disclosures to the MOD can be found at IDG 5300.
Otherwise, if a third party (that is, not the customer and not HMRC) makes a request for confidential information solely citing the GDPR/DPA, we must explain that HMRC may only disclose information where it is allowed to by the CRCA.
Please consult your Security Information Management Team if you are unsure about obligations in your business area.