IDG55500 - Information disclosure Gateways with other government departments: the Digital Economy Act 2017- Section 74 disclosure of non identifying information
Section 74 of Digital Economy Act 2017
1. Section 74 of the Digital Economy Act (DEA) 2017, (Disclosure of non-identifying information by the Revenue and Customs (link is external)), enables HMRC to disclose non-identifying information held in connection with our functions to any person, providing an HMRC officer thinks that the disclosure would be in the public interest. This allows for a wider role in policy development, beyond the functions of HMRC.
Non -identifying and identifying information
2. Information is non-identifying information if it is not, and has never been, identifying information, or it has been created by combining identifying information, but is not itself identifying information.
3. Information is identifying information if it relates to a person whose identity is specified in the information, can be deduced from the information, or can be deduced from the information taken together with any other information.
Public interest Disclosure
4. A public interest disclosure under this provision would normally include things like: improving policy making across government; delivering better public services; improving Government transparency; promoting economic growth; increasing social mobility; protecting the environment, and promoting public health.
Information held in connection with HMRC functions
5. Section 74 is focused on sharing non identifying data already held by HMRC in connection with a function of HMRC for the purpose of wider public benefit. HMRC’s core functions are listed in section 5 of the Commissioners for Revenue and Customs Act 2005. Section 9 of the CRCA sets out the ancillary powers of the Commissioners.
Creation of new datasets- link established to HMRC’s functions
6. If HMRC is asked to match data it already holds for its functions with data provided to HMRC by a third party to produce a new non- identifying dataset, this new dataset will not be information HMRC already holds for its functions, therefore HMRC needs to be able to identify a link to its functions to produce and disclose this new dataset. This is necessary as section 74 only allows non identifying information to be shared by HMRC if it is held by HMRC in connection with its functions and if it is in the public interest for the information to be disclosed.
Creation of new datasets- no link established to HMRC’s functions
7. If third party information is required to create a new dataset and the new information cannot be linked to HMRC’s functions, the information should not be disclosed using s74 DEA.
GDPR legal basis and Data Protection Impact Assessment
8. Officials should be mindful that if s74 of the DEA is used to create a new dataset which involves the processing of personal information, i.e. personal information would need to be linked to HMRC information and de-identified, the GDPR requires HMRC to identify a legal basis for such processing. HMRC would also be required to carry out a Data Protection Impact Assessment (DPIA) to mitigate any GDPR risks. The relevant Security and Information Business Partner (SIBP) in HMRC should always be consulted when a DPIA is being considered.