IDG40415 - Sharing information outside of HMRC: disclosure for HMRC’s functions: disclosing information that relates to identifiable individuals or legal entities
HMRC’s statutory duty of confidentiality provides particular protection for ‘identifying information’ (information that relates to an identifiable individual or legal entity or would allow the recipient to deduce the identity of that individual or legal entity). This protection is in the form of a criminal sanction for ‘wrongful disclosure’.
The criminal offence is set out at section 19 CRCA and it is committed when there is an unlawful disclosure of identifying information held for a function of HMRC. This offence reflects Parliament’s intention that there should be particularly strong safeguards to protect identifying information.
In addition, disclosures of information relating to a living individual must comply with the Data Protection Act (see IDG40160). Essentially, this means that any disclosure must meet the data protection principles as contained in the Data Protection Act 2018 and the General Data Protection Regulations.
Although the DPA and GDPR do not apply to legal entities such as companies, if you are considering disclosing identifying information in respect of a company or other legal entity, you should consider whether (i) in fact, the information relates to the directors or other personnel and would allow them to be identified; and (ii) whether there are any Human Rights implications of the disclosure to any individual or legal entity (see IDG40140). Usually it is Article 8 of the European Convention on Human Rights (the right to privacy) that may potentially be infringed by any disclosure, but this infringement is permitted if the interference is for a legitimate objective (as set out in Article 8) and the disclosure is proportionate, necessary and relevant to that purpose. This means that, the greater the infringement, the more important the objective(s) in question will need to be (see IDG40160 and IDG40140 for more guidance on assessing proportionality). However, you should bear in mind the other rights contained in the European Convention on Human Rights and consider whether there could be any potential impact on these as a result of the disclosure.
Further guidance on the Data Protection Act and GDPR can be found on IDG40160 and the Office for the Data Protection Officer (ODPO)- internal users; please access via intranet pages. Further guidance on Human Rights can be found on the Human Rights intranet site (see IDG80300).
Examples of situations where you are likely to be justified in disclosing identifying information for the purposes of HMRC’s functions include:
- passing HMRC debt details to the Official Receiver in bankruptcy work
- providing the police with details of a forthcoming visit by an HMRC officer so that the police can assess the health and safety risk (see IDG40460)
- making enquiries about an HMRC customer with a third party (see IDG30400)
- disclosing whether an individual’s partner (or ex-partner) is a higher rate taxpayer, or is receiving child benefit, to ensure that the child benefit paid can be reclaimed from the higher rate taxpayer in accordance with current policy
- carrying out distraint in a public place.
In these cases, disclosure of the details of specific, identifiable individuals or legal entities is made in order for the department to carry out its functions.
What if there is more than one way to carry out an HMRC function?
There can be situations where a number of ways forward may be available, some of which involve disclosing information and some of which do not. You should consider each case on its merits to decide whether you should disclose. You may disclose the information if:
- failing to do so would result in HMRC being significantly less effective or efficient in carrying out its functions;
- any detrimental impacts on individuals or legal entities that may result from the disclosure are proportionate to the expected benefits; and
- there are no viable alternatives that could achieve the same outcome without the same (or a similar) level of disclosure.
Every case needs to be considered on its merits. However, an example of a situation where you might proceed with a disclosure could be where a tax enquiry could be concluded more quickly by revealing information obtained from a third party. You might judge that, if you disclosed the information to the customer ahead of being required to reveal it by an order in court proceedings, the customer would be more likely to recognise and agree to their true tax liability and that early disclosure would therefore be more resource efficient for both HMRC and the customer. There could be other similar situations where HMRC could carry out its functions without the disclosure but, by making the disclosure, those functions could be carried out significantly more effectively. However, you would need to be clear that the disclosure was proportionate to the objective you were aiming to achieve.
In every case of disclosure of information for the purposes of HMRC’s functions, it is important that the information disclosed is only the minimum amount that will allow the function to be carried out and no more. This applies whether or not the information relates to identifiable individuals or legal entities.
Releasing information on identifiable HMRC customers into the public domain
The fact that information held by HMRC is already in the public domain does not relieve HMRC officials of their duty of confidentiality. When considering whether you may lawfully disclose such information, you will still need to follow the steps set out at IDG40410. However, HMRC officials may acknowledge that they are aware of information in the public domain (without commenting on or adding to it) without breaching the duty of confidentiality.
There are certain circumstances in which HMRC releases information on identifiable customers into the public domain for the purposes of its functions. An example is publicising details of those who have been convicted of a criminal offence (or who have fled the country after detection of the offence but prior to trial or sentence).
HMRC publishes details of ‘deliberate tax defaulters’ under specific legislation approved by Parliament. The legal basis is therefore not ‘for the purposes of HMRC’s functions’. The criteria for publication are tight and are set out in section 94 of the Finance Act 2009.
If you are considering releasing information into the public domain, you should seek advice from your Data Guardian in the first instance. They will probably wish to consult Press Office and/or the Information Policy and Disclosure team.
Common situations where a disclosure of customer information would not be lawful
There are many situations where a function of HMRC can be carried out without making a particular disclosure but the disclosure would bring broader benefits, for example, to another organisation and/or in relation to wider government objectives. An example here might be the provision of information to assist the police to investigate a criminal offence. Supplying this information is not necessary for HMRC to carry out its functions, or to help progress particular HMRC cases, but it may help the wider fight against crime.
We would not be able to make such disclosures on the legal basis that they are for the purposes of HMRC’s functions, although there will often be another lawful method of disclosure such as a statutory gateway (IDG40320) or in the public interest (see IDG60000).
Particular difficulties can occur where the functions of HMRC and another person or government department are closely tied together. Distinguishing whether disclosure supports HMRC’s functions, the other person’s functions, or indeed the functions of both, is problematic. Where disclosures in such situations are contemplated, further guidance should be sought from your Security & Information Business Partner (SIBP).