IDG10200 - Introduction: frequently asked questions
This page is a useful introduction to information use, disclosure and confidentiality. It addresses the most commonly asked questions about these issues, and provides an overview of information disclosure procedures. Please read this page if you are new to the subject. This page also provides links to other parts of this manual where questions are addressed in more depth.
Frequently asked questions answered in this section
Who is the customer?
What is the duty of confidentiality I owe as an HMRC officer to all HMRC customer information?
What are the sanctions for those who breach the HMRC duty of confidentiality?
Can information be shared within the Department?
When might there be a risk of wrongfully sharing information?
How can I disclose information outside the Department in a lawful way?
How can I share information with other government departments?
What are the overriding issues I must also consider when making any disclosure?
When can I make a disclosure ‘in the public interest’?
Where can I get further guidance?
What is the scope of this guidance?
Who is the customer?
In this guidance ‘customer’ means all the individuals and organisations the Department deals with in carrying out its functions. This includes individuals, employers, employees, sole proprietors, partnerships and legal entities such as limited companies and trusts.
You have an equal duty of confidentiality to deceased customers (see IDG30470).
You have an equal duty of confidentiality to those who you think behave legally and those who you think do not (including suspects and offenders).
Further information on this subject is available at IDG30100.
What is the duty of confidentiality I owe as an HMRC officer to all HMRC customer information?
The Act that established HMRC made provision for the conduct of all staff in relation to confidentiality.
Section 18 of the Commissioners for Revenue and Customs Act 2005 (CRCA) makes it clear that you must not give (‘disclose’) HMRC information to anyone, unless you have lawful authority to do so (see IDG40120). This includes other government departments and their agencies, local authorities, the police or any other public bodies.
All new staff must sign a declaration of confidentiality (PDF 51KB) upon entering the department. This will be provided in the Manager’s Induction Pack. See IDG40200 for the circumstances in which information may be disclosed outside HMRC.
What are the sanctions for those who breach the HMRC duty of confidentiality?
Unlawful disclosure of information is a criminal offence under Section 19 CRCA, and is punishable on conviction by a fine, imprisonment for up to 2 years, or both. For HMRC staff it is also a disciplinary offence which may lead to dismissal.
This section must be read in context: it may be beneficial to the Department, or to others, to share information. However, you must ensure you have the lawful authority to do so.
It is important to realise that confidentiality is your personal responsibility. As such any penalties for breach of confidentiality may fall on you personally.
The purpose of the guidance in this manual is to help you ensure that you do not make an unlawful disclosure of information. Please read chapters IDG40130 (and other sections relevant to your area) to ensure this. A more detailed explanation and account of the criminal sanction is available at IDG40130.
Can information be shared within the Department?
Yes. You may share information between the former Customs and former Revenue parts of the Department, or in other ways across HMRC, so long as there is a business need to do so. Business need means that there is a valid reason, directly connected to HMRC’s functions, for information to be passed from one person to another. There will not be a business need where information is passed from one person to another because that information may be personally interesting.
If you are aware of information about HMRC customers that would benefit another part of HMRC, talk to your line manager about actively passing this information on. Practical ways to do this are outlined at IDG20000 where you will find further guidance.
When might there be a risk of wrongfully sharing information?
You need to be mindful of HMRC’s duty of confidentiality in relation to its customers’ information in all contact outside the Department. For example:
- in telephone contact ensure information is only disclosed to authorised persons, whose identity you have verified (see IDG30230)
- when obtaining information from third parties be aware of any confidential information you may yourself be giving out by seeking information from the third party (see IDG30420)
- when meeting customers face to face ensure only information relating to that customer is disclosed, and that the customer consents to disclosure to any others present (see IDG30240)
- remember the need for those visiting HMRC offices to also be bound by confidentiality rules (see IDG70000)
Information generally on how to protect confidentiality when dealing with customers can be found at IDG30000.
How can I disclose information outside the Department in a lawful way?
Disclosing information to persons outside of HMRC is only permitted in the circumstances detailed below:
- For the purposes of HMRC’s functions. An example is where it is necessary to advise a bailiff of a taxpayer’s name and address in order that the bailiff can enforce collection of overdue tax, see IDG40400.
- Where the person or organisation that the information is about has given their consent, see IDG40210. An example could be a taxpayer who provides authorisation for an agent, accountant or other third party to receive confidential information.
- Where the duty of confidentiality is specifically overridden by legislation that permits the disclosure of information to a particular third party. These are often known as ‘legal’ or ‘information’ ‘gateways’. See IDG40320.
- Where HMRC receives a court order that is binding on the Crown which instructs HMRC to disclose information. See IDG40500.
- Where disclosure is made for the purposes of a prosecution being pursued by HMRC. See IDG54300.
- Where disclosure is in the public interest. See IDG60000.
- Disclosure to the relevant prosecuting authorities. See IDG54300.
See IDG40120 for more information on disclosing information with lawful authority.
How can I share information with other government departments?
One of the circumstances in which it is lawful to disclose information outside HMRC is where legislation makes specific provision for HMRC to disclose information to another government Department, agency or public authority. These provisions, known as ‘legal’ or ‘information’ ‘gateways’, allow HMRC to disclose to specific people for specific reasons.
Many gateways have administrative procedures which must be followed, so it is important that when considering use of any legal gateway you refer to the guidance in this manual first. These procedures are often set out in jointly agreed documents such as memoranda of understanding or other protocols.
IDG50000 sets out most of the legal gateways and the procedure to be followed. If you receive a request from a public body not covered in IDG50000, or under legislation not referred to in that chapter, then seek further guidance.
What are the overriding issues I must also consider when making any disclosure?
There is general legislation that protects the privacy of individuals’ information. As well as considering whether a disclosure is made with lawful authority, as outlined above, it is also necessary to consider the following legislation when disclosing HMRC information:
Data Protection Act (2018) and The General Data Protection Regulations (GDPR( - This covers the way that personal data (information relating to a living individual) is handled. The Act lays down principles which specify requirements for how personal data is processed and imposes a series of safeguards to protect that data. For example, to be compliant, personal data must be disclosed lawfully and fairly, and must be relevant, adequate but no more than the minimum neccessary. Internal users- for more guidance please look up the Office of the Data Protection Officer intranet pages.
Human Rights Act (1998) - In its broadest sense, this aims to protect the fundamental rights and freedoms of people. These are expressed in a series of ‘Articles’ and it is the eighth one that is most important in relation to protecting information. This states that everyone has the right to respect for their private and family life, their home and their correspondence. Decisions about disclosing information, therefore, have to take account of the need to balance these rights against the wider public interest in delivering effective tax administration. For more guidance see IDG40140.
When can I make a disclosure ‘in the public interest’?
HMRC has a statutory authority to disclose information in certain prescribed circumstances, where such a disclosure would be in the public interest. HMRC’s authority to make public interest disclosures is narrowly drawn and very specific in what it covers.
HMRC must only use the public interest disclosure power where no other gateway exists, and then only where the disclosure matches one of the specific circumstances covered. Generally, only certain parts of the Department (mainly those engaged in law enforcement) would be likely to make public interest disclosures. Detailed guidance has been written for those who may make public interest disclosures, see IDG60000.
Where can I get further guidance?
Your Security & Information Business Partner (SIBP) will help you with any questions or uncertainties.
What is the scope of this guidance?
This guidance applies only to domestic disclosures i.e. those made predominantly to UK bodies under UK law and practice. Disclosures outside the UK are commonly made under a variety of international agreements and treaties. These disclosures are outside the scope of this guidance.
This guidance does not cover disclosures made under the provisions of the Criminal Procedure and Investigations Act 1996. Further guidance on CPIA matters can be found in the Enforcement Handbook, see IDG80300 for a link to this guidance.