IDG51000 - Procedure for disclosing to others (non-government): Requests from individuals for information about themselves (Subject Access Request - SARs)
The Data Protection Act (see IDG41400) provides a right of access to individuals (called Data Subjects in the Act) to the personal data HMRC holds about them. A ‘Subject Access Request’ (SAR) is a request made by a customer for access to personal data about themselves. This DPA SAR should not be confused with Suspicious Activity Reports made under the anti-money laundering regime.
How to identify a SAR
Most requests from customers can be treated as a routine business-as-usual matter. However, if a request specifically refers to the Data Protection Act (DPA), or is asking for more information than would normally be provided, then you should treat it as a SAR. Phrases like “information about me” or “my personal information” will usually indicate that the request should be treated as a SAR. If in doubt, you should consult your local Subject Access Officer (see below).
SARs must be in writing which includes pen on paper, by e-mail or by fax but the SAR does not need to mention that it is a request made under the DPA.
People often request information about themselves under the Freedom of Information Act (see IDG41200). These are actually SARs and should be dealt with under the DPA rather than as FoI requests.
Procedure you should take upon receiving a SAR
The DPA requires a response to the individual within 40 days. To ensure the department can meet this deadline, you must deal with a SAR as quickly as possible.
Each of the main HMRC lines of business will have their own arrangements for handling SARs. If you are unsure how to deal with a SAR, you should contact your local Subject Access Officer. Contact details are shown on the DPA intranet site (see IDG90150).
Personal data which need not be disclosed
There is a specific provision in the DPA which allows HMRC to withhold personal data requested in a SAR in certain circumstances. There are also a number of exemptions that allow us to withhold personal information, for example where release of the information might prejudice the assessment or collection of tax. If you think that an exemption might apply to some of the information that has been requested, you should contact your local Subject Access Officer for advice.
Further guidance
Guidance on DPA generally can be found on the DPA intranet pages (see IDG90150).
For further guidance and assistance generally on confidentiality, contact Information Strategy (see IDG90100).
