Guidance

HMRC Privacy Notice

Find out about HMRC's data protection policy and procedures.

Documents

Details

The Data Protection Act 2018 requires organisations who process personal data to meet certain legal obligations.

These are contained within the Data Protection principles. HMRC is a data controller within the meaning of the act and processes large volumes of personal data.

Updates to this page

Published 18 May 2010
Last updated 9 October 2024 + show all updates
  1. Information about data sharing with the The Scottish Courts and Tribunals Service has been added.

  2. The HMRC Privacy Notice has been updated to confirm that personal information may be used during the testing of IT systems or processes.

  3. 'How we use your information' has been updated to include the routine examination of business records which can contain personal data when carrying out civil and criminal investigative work. A new section on Artificial Intelligence, analytics and machine learning has been added. The 'Automated decision-making' section has been updated to include circumstances when automated decision-making is allowed including measures to safeguard individual rights.

  4. EU institutions has been added to the list of third parties HMRC will share data with and information on UK and EU institutions has been added in the 'Data sharing' section.

  5. 'How we use your information' has been updated to include the use of GOV.UK One Login to verify identity.

  6. Added translation

  7. Links have been added to the 'Situations in which we’ll use your personal information' and 'When we may share your personal information with third parties' sections.

  8. Department for International Trade (DIT) has now changed to the Department for Business and Trade (DBT).

  9. When we may share your personal information with third parties now includes Education and Skills Funding Agency for apprentice levy and Department for Education for policy development and evaluation of training or education and the Department for International Trade, including the UK Export Support Service and Trade Remedies Authority, in support of their trade purposes and activities.

  10. The sections about when we may share your personal information with third parties, how to complain to HMRC have been updated. Sections about data protection principles, coronavirus (COVID-19) and your personal information, automated decision making, the security of your data with third party service providers, rights of access, correction, erasure and restriction, right to withdraw consent, fees required and contacting the Information Commissioner’s Office (ICO) have been removed.

  11. The section 'Contact HMRC or make a complaint' has been updated with the name of the interim Data Protection Officer and the process to follow when making a complaint.

  12. The list of third parties we may share your personal information with has been updated.

  13. Information about what personal data we make publicly available and share with accredited processors and researchers has been updated.

  14. Guidance on when HMRC may share your personal information with third parties has been updated to include the Border Flow Service.

  15. The Data Protection Officer (DPO) appointed by HMRC has changed to Nicholas de Lacy-Brown, to oversee compliance with its data protection obligations.

  16. Information added about how coronavirus (COVID-19) measures may affect how personal information is collected, and sections on how to contact HMRC and the Information Commissioner’s Office updated.

  17. Guidance on when we may share your personal information with third parties has been updated.

  18. The 'Automatic Exchange of Information' link under the 'Data sharing' section has been updated to 'Automatic Exchange of Information Privacy Notice'.

  19. Guidance on how we use particularly sensitive personal information, when we may share your personal information with third parties and information about criminal convictions has been updated.

  20. Guidance has been updated about the kind of information we hold about you, situations in which we’ll use your personal information and when we may share your personal information with third parties. Information about transaction monitoring has been added.

  21. The guidance has been updated to show how you can make a complaint to HMRC, and to update the address of HMRC's Data Protection Officer.

  22. This guidance has been updated with information about the new General Data Protection Regulation (GDPR) 2018 and the Data Protection Act (DPA) 2018.

  23. Updated with information about how to make a subject access request.

  24. This guidance has been updated to explain how requests are made.

  25. First published.

Sign up for emails or print this page