HMRC Office of the Data Protection Officer Privacy Notice
Published 9 April 2020
© Crown copyright 2020
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/hmrc-office-of-the-data-protection-officer-privacy-notice/hmrc-office-of-the-data-protection-officer-privacy-notice
The purpose of this document
This privacy notice describes how HMRC’s Office of the Data Protection Officer (ODPO) collect and use your personal information in accordance with data protection legislation.
You should read the main HMRC Privacy Notice alongside this Privacy Notice.
HMRC employees should also read the Staff Data Privacy Notice.
Why we use your personal data
The Data Protection Officer (DPO) is a mandatory role appointed by HMRC to meet the requirements of the data protection legislation.
The DPOs role, supported by the ODPO is to act as an independent arbiter in understanding, advising, assessing and reporting data protection risks to HMRC’s Executive Committee and the business.
We help monitor data protection compliance within HMRC and provide advice where requested.
The DPO is a public figure for external customers and businesses and a key link to the regulator, the Information Commissioner’s Office (ICO).
Data subjects, including HMRC employees and the public at large, may contact the DPO regarding all issues relating to HMRC’s processing of their personal data and the exercise of their data protection rights.
HMRC is the relevant public authority and controller of all the personal data processed by the ODPO.
The ODPO processes your personal data for the purposes set out in this privacy notice mainly under Article 6(1)(e) of the UK General Data Protection Regulation (UK GDPR), because it is necessary for the performance of tasks carried out in the public interest and in the exercise of official authority vested in HMRC.
How we use your personal data
Some of the personal information we process is provided to us directly when you contact us with a data protection issue. In most circumstances we will liaise with other parts of HMRC to deal with your enquiry.
We also receive information from other parts of HMRC, such as when we become involved in complaints, enquiries and information requests, or when your personal data is contained in reports of breaches.
We process personal data relating to:
- members of the public
- businesses
- HMRC employees, prospective employees and former employees
- HMRC business areas
- consultants and other professional experts
- agents and representatives
- relatives, children, guardians, dependents and associates
In some circumstances the ODPO may hold particularly sensitive information about you (known as special category data), including data revealing racial or ethnic origin, religious or philosophical beliefs, trade union membership, or data concerning health or sexual orientation.
Any special category data we hold about you will be done so in accordance with the safeguards and conditions for processing set out in HMRCs appropriate policy document.
Data security
The ODPO is part of HMRC and its staff are bound by HMRCs terms and conditions, including HMRCs statutory duty of confidentiality.
HMRC information held by the ODPO accordingly remains information held internally within HMRC and subject to the same strict security standards.
Sharing information with third parties
We will, in some circumstances and where the law allows, share your data with third parties, in particular the ICO.
The ICO Privacy Notice on the Information Commissioner’s website provides more information about the circumstances in which we may share your personal data with them.
How long we keep your personal data
Your personal data will be retained by the ODPO whilst there is a business need to do so and for a reasonable period after a case has been resolved.
For more information refer to HMRC records management and retention and disposal policy.
In some circumstances we will anonymise your personal information so that it can no longer be associated with you, in which case we will use such information without further notification.
Your rights
You can read about your rights in the HMRC Privacy Notice.
Contact ODPO or make a complaint to the ICO
If you have any questions about this privacy notice or how we handle your personal information, please email us at: advice.dpa@hmrc.gov.uk.
If you want to request a copy of your personal data follow HMRC’s subject access request guidance.
You should follow the existing complaints process if you want to complain about HMRC.
You also have the right to make a complaint at any time to the ICO by contacting the Information Commissioner on the Information Commissioner’s website.
The Information Commissioner’s website has more information about data protection and your rights.
Changes to this privacy notice
This privacy notice will be periodically reviewed and updated.