IDG40160 - Sharing information outside of HMRC: legal obligations: Data Protection Act 2018 and the General Data Protection Regulation
In addition to the CRCA, there are other, more general pieces of legislation which impact on the way we use and disclose information, such as the Data Protection Act 2018 (DPA) and the General Data Protection Regulation 2016 (GDPR).
The DPA 2018 and the GDPR 2016 came into effect in May 2018 and apply to all processing of personal data by HMRC. The legislation sets new standards for transparency, individual rights, record keeping, compliance and enforcement. The legislation also creates special categories of personal data that require more sensitive handling.
The GDPR requires HMRC to comply with a number of principles. These can be found on the GDPR knowledge hub.
GDPR/DPA 2018 Issues relevant to all disclosures of HMRC information
In terms of the disclosure of personal data there are some key factors to consider:
- Disclosure is a form of data processing and is therefore subject to the GDPR/DPA 2018
- Data sharing must be fair, lawful and transparent and meet all other GDPR/DPA 2018 requirements.
The requirement that the processing be fair and lawful means that there must be a legal basis for making the disclosure. For information on ensuring there is a legal basis, please consult IDG2000 for disclosures within HMRC and section IDG4000 for disclosures outside of HMRC.
You must ensure the type and volume of personal data disclosed must be adequate, relevant and limited to the minimum necessary for the specified pupose of the share. This means information should only be disclosed for a clear aim or purpose even where a legal basis exists, and even then the information disclosed should be the minimum needed to achieve the clear aim and purpose of the disclosure.
Does the GDPR 2016 or the DPA 2018 provide a gateway to allow disclosure?
Section 195 of the DPA 2018 provides a legal gateway for HMRC to disclose information to the Ministry of Defence (MoD) for the purpose of contacting ex-reservists and those liable for recall to military service. Further information on disclosures to the MOD can be found at IDG 5300.
Otherwise, if a third party (that is not the customer and not HMRC) makes a request for confidential information soley citing the GDPR/DPA, we must explain that HMRC may only disclose information it is allowed by the CRCA.
Further Guidance
Please consult your Security Information Management Team if you are unsure about obligations in your business area.