beta This part of GOV.UK is being rebuilt – find out what beta means

HMRC internal manual

Information Disclosure Guide

Sharing information outside of HMRC: legal obligations: Data Protection Act 1998

In addition to the CRCA, there are other, more general pieces of legislation which impact on the way we use and disclose information, such as the Data Protection Act 1998 (DPA).

The Data Protection Act

The DPA covers the use (processing) of personal data and is intended to protect the privacy of information HMRC holds about individuals. The requirements of the DPA are contained within eight fundamental principles (‘the 8 Principles’) and these set out requirements for the way that personal data must be handled.

The DPA covers the ‘processing’ of personal data and in this context, processing covers most of the things that HMRC does with data including, collection, storage, alteration, disclosure and deletion.

The DPA also defines what constitutes personal data. Most of the information HMRC processes about individuals falls within the scope of the Act but some data that is held manually is not necessarily personal data within the meaning of the DPA. Information which does not relate to an individual, for example company information, is not personal data. But where a business is operated as a sole proprietorship, information about the affairs of the business will be personal data.

The DPA has implications across many HMRC functions. Detailed guidance is available on the Data Protection site on the intranet (see IDG80300). The guidance in this manual is solely concerned with the information sharing provisions of the DPA.

DPA issues relevant to all disclosures of HMRC information

In terms of the disclosure of personal data there are some key factors to consider:

  • Disclosure is a form of processing and is therefore covered by the Act.
  • Disclosure (processing) of personal data must be fair and lawful.

The requirement that the processing be fair and lawful means that there must be a legal basis for making the disclosure, for example because the CRCA allows it, or there is a legal gateway in place which supports it. See IDG40300 for a description of the ways in which to make a lawful disclosure.

In addition, the type and volume of personal data that we disclose must be proportionate to the purpose for which it will be used. This is difficult to define absolutely but essentially it means that a judgement must be made about whether it is reasonable to disclose the data considering what it will be used for.

Does the DPA itself provide any gateways to allow disclosure?

The DPA does not itself provide a legal gateway for the disclosure of information. If a third party (that is, not the customer and not HMRC) makes a request for confidential information solely citing the DPA, we must refuse them. We must explain that HMRC may only disclose information if it is allowed by the CRCA.

The DPA does provide a number of exemptions which allow us to withhold personal information from the individual who has requested it. These exemptions relate to specific functions and the most appropriate for HMRC are:

  • Section 29 - prejudice to the prevention or detection of crime or to the assessment or collection of tax;
  • Section 35 - information relating to legal advice or legal proceedings.

The application of exemptions is quite complex and if you require further information or assistance you should seek further guidance from your local Subject Access Officer (see the DPA intranet site for further details (IDG80300)).

Subject Access Request

The DPA provides a right of access to individuals (called Data Subjects in the Act) to their personal data. They exercise this right by submitting a Subject Access Request (SAR) and unless certain exemptions apply we must provide their personal data within a specified time. More information about SARs can be found at IDG30220.

Further guidance

Guidance on DPA generally can be found on the DPA Intranet pages (see IDG80300).