Information disclosure Gateways with other government departments: Anti-terrorism, Crime and Security Act 2001 (ATCSA): standard procedure for disclosing any information for criminal purposes
When not to use this procedure
If you are in the department’s Criminal Investigation, Detection or Risk & Intelligence Service directorates (‘Enforcement’) and
- there is a time critical need for information, or
- you are in a joint working situation with the recipient of the information, or
- you have an established working relationship with the recipient of the information
then you should follow the procedure outlined at IDG50130. In all other situations you should use the procedure outlined on this page.
When to use this procedure
Enforcement authorities (such as the Police, Trading Standards, the Serious Fraud Office) may request information about a HMRC customer from you to assist in their criminal investigations or proceedings. Information may be supplied to them if HMRC has signed a memorandum of understanding with the body, as listed in IDG50140.
Alternatively you may sometimes have information which you think such enforcement bodies could use for the purposes of any criminal investigation or proceedings, or for the initiation or bringing to an end of any criminal investigation or proceedings. If the body in question has not actually requested this information, HMRC may be able to make a pro-active disclosure of the information.
What information may be disclosed
In the case of enforcement authorities, any information which will be used by the organisation for the purposes of any criminal investigation or proceedings, or for the initiation or bringing to an end of any criminal investigation or proceedings, may be disclosed.
Procedure to follow
External Requests to HMRC
If the intelligence agency or enforcement authority makes a request for information from any part of HMRC, the request should immediately be referred to the National Co-ordination Unit (NCU). Provide the organisation with NCU contact details (see below), and instruct them to contact the team directly. You may also refer them to the Code of Practice for the ATCSA (COP-AT), which is a publicly available document that formally outlines the procedure for ATCSA disclosures. This document is available on the internet via the HMRC external website Code of Practice page.
Changes to the ATCSA legislation mean that this gateway cannot be used to disclose information to the intelligence services. Instead, HMRC may disclose information to the intelligence services through a legal gateway provided by section 19 of the Counter-Terrorism Act 2008. However, the same procedures apply for disclosures to the intelligence services as enforcement bodies outlined in this guidance.
Requests for HMRC information under ATCSA by law enforcement authorities and public bodies should be routed via the NCU.
If you have information which you wish to pro-actively disclose, you should refer the information on an Intelligence Report to the RIS Intelligence Bureau (IB), email@example.com with an explanation of why you consider it will support criminal investigations or proceedings by the recipient.
The IB will handle the disclosure to the recipient. If IB need any further information from you, they will request it.
If in exceptional circumstances an immediate ATCSA disclosure is required in respect of live operational work outside of office hours you should follow the guidance at IDG50110 if you work in the Fraud Investigation Service (FIS) or Risk & Intelligence Service (RIS) directorates. FIS/RIS staff should also be aware of the detailed procedure for disclosure as outlined in the Criminal Justice Procedure in the section . You should refer to that detailed guidance before making a disclosure. If you cannot use the procedure at IDG50110 (for example because you do not work in one of the specified directorates), you should contact NCU who are able to provide out-of-hours cover, see below for contact details.
This guidance applies to the whole of the United Kingdom.
If you receive a request for information and are unsure how to proceed, please contact your Data Guardian.
Contact details for the National Co-ordination Unit can be found at IDG80100.