IDG41400 - Legal obligations on information use imposed by other pieces of legislation: Data Protection Act 1998
In addition to the CRCA, there are other, more general pieces of legislation which impact on the way we use and disclose information, such as the Data Protection Act 1998 (DPA).
What is the Data Protection Act?
The DPA covers the use (processing) of personal data and is intended to protect the privacy of information HMRC holds about individuals. The requirements of the DPA are contained within eight fundamental principles (‘the 8 Principles’) and these set out requirements for the way that personal data must be handled.
The DPA covers the ‘processing’ of personal data and in this context, processing covers most of the things that HMRC does with data including collection, storage, alteration, disclosure and deletion.
The DPA also defines what constitutes personal data. Most of the information HMRC processes about individuals falls within the scope of the Act but some data that is held manually is not necessarily personal data within the meaning of the DPA. Information which does not relate to an individual, for example company information, is not personal data. But where a business is operated as a sole proprietorship, information about the affairs of the business will be personal data.
The DPA has implications across many HMRC functions. Detailed guidance on all its implications for HMRC is on the Data Protection site (see IDG90150). The guidance in this manual is solely concerned with the information sharing provisions of the DPA.
DPA issues relevant to all disclosures of HMRC information
In terms of the disclosure of personal data there are some key factors to consider.
- Disclosure is a form of processing and is therefore covered by the Act.
- Disclosure (processing) of personal data must be fair and lawful.
The requirement that the processing be fair and lawful means that there must be a legal basis for making the disclosure, for example because the CRCA allows it, or there is a legal gateway in place which supports it. See IDG40500 for a description of the ways in which to make a lawful disclosure.
In addition, the type and volume of personal data to be disclosed must be proportionate to the purpose for which it will be used. This latter requirement is difficult to define absolutely but essentially it means that a judgement must be made about whether it is reasonable to disclose the data considering what it will be used for.
Does the DPA itself provide any gateways to allow disclosure?
The DPA does not itself provide a legal gateway for the disclosure of information. If a third party (that is, not the customer and not HMRC) makes a request for confidential information solely citing the DPA, we must refuse them. We must explain that HMRC may only disclose information if it is allowed by the CRCA, as well as the DPA (see IDG40500).
The Act does provide a number of exemptions from some of the 8 Principles. This means, so long as our disclosure is allowed by the CRCA, the exemptions enable the Department to make disclosures of personal data in the specified circumstances. These exemptions relate to specific functions and the most appropriate for HMRC are:
- Section 29 ‘crime and taxation’
- Section 35 ‘disclosures required by law or in connection with legal proceedings’.
The application of exemptions is quite complex and if you require further information or assistance you should seek further guidance.
Subject Access Request
The DPA provides a right of access to individuals (called Data Subjects in the Act) to their personal data. They exercise this right by submitting a Subject Access Request (SAR) and unless certain exemptions apply we must provide their personal data within a specified time. More information about SARs can be found at IDG51000.
Further guidance
Guidance on DPA generally can be found on KAI Knowledge Resources’ intranet page (see IDG90150).
For further guidance and assistance generally on confidentiality, contact KAI Knowledge Resources (see IDG90100).
