Public Interest Disclosures: principles to follow: recording information
The following information must be recorded in respect of every public interest disclosure:
- The date of the request for information (where applicable);
- The person making the request for the information (where applicable); (NB that person must have a valid business reason for making such a request)
- Where different (or in the case of proactive disclosures) the person to whom the disclosure is made;
- Where applicable, details of the subject of the request (name, address, reference number where appropriate (such as a NINO); and date of birth);
- Summary details of the information disclosed, including local references (such as the CENTAUR system, used for recording details of suspects etc.) and file references;
- The purpose of the disclosure;
- Where intelligence material is to be disclosed, confirmation that the material has been properly evaluated prior to disclosure using the 5x5x5 assessment grid;
- The name and grade of the person authorising the disclosure;
- Cross reference to the section of CRCA under which the disclosure falls (see IDG60232);
- Where applicable, cross reference to the general instruction under which the disclosure is made (see IDG60233);
- Confirmation that the necessity and proportionality of the disclosure have been considered;
- The extent to which the authorising officer has permitted the recipient’s further use of the material (NB the law provides that information disclosed under public interest powers may not be further disclosed by the recipient unless explicitly sanctioned by HMRC).
This information should be recorded centrally within the operational unit, in a manner that permits the ready interrogation of the system in response to a senior management assurance query or legal challenge. The information should be retained in the same manner, and for the same length of time, as other information liable to be required subsequently as evidence in the event of a legal challenge.
An example of a data sharing spreadsheet can be found in the Enforcement Handbook together with other guidance that may be useful.
Management audit of disclosures
In all cases a system of assurance must be in place to enable local senior management, at not less than Grade 7 (band 11/B2 level), to verify, when required, that disclosures have been carried out in accordance with the management assurance checklist set out below. Management checks to permit such verification should be conducted regularly, so as to provide ongoing assurance that the system is operating correctly. In many cases, those parts of the business that have previously made Public Interest Disclosures will have already established management audit procedures - these should be maintained, but reviewed to ensure that they meet the minimum standards now set out in this guidance. In all cases, as a minimum, audit checks must be carried out at intervals not exceeding three months and must examine an appropriate proportion of disclosures made. Any irregularity or other problem revealed by the management assurance process must be escalated through the relevant Grade 7, and referred to your Data Guardian to consider any action that may be required as a result.
In the case of disclosures to the PNC, management checks must conform to the requirements of the Management of Police Information code of practice and associated guidance including the approved systems reporting procedure.
HMRC policy is to have a nominated Commissioner responsible for the integrity and coherence of the process, who as part of that function will be responsible for dealing with any difficult issues that arise. Accordingly local systems of assurance must be sufficient to permit local management to provide the Board with such information, awareness and access to records as they may require in relation to the proper operation of the system.
As a minimum requirement, the assurance system must be sufficient to permit:
- Confirmation that all authorisations to disclose were in accordance with the statute;
- Confirmation that authorisations have been given only where a disclosure was indeed appropriate and proportionate; and that any disclosures complied with the terms of that authorisation;
- Confirmation that disclosures under a general instruction were appropriate and proportionate;
- Confirmation that the record keeping requirements were adhered to;
- Identification of any failure to meet these requirements.
Management checks must always be carried out by officers of a higher grade than those who carried out the original authorisation or disclosure action.