IDG40230 - Sharing information outside of HMRC: procedural guidance: Memoranda of Understanding

It is mandatory for all ongoing information exchanges with other public sector bodies to be covered by a process level Memorandum of Understanding (pMOU) and for one-off exchanges to be covered by a Data Usage Agreement (DUA).

A MOU or a DUA should not be completed until it has been established that legislation is in place which permits the disclosure of the information. If you are unsure you should contact your Data Guardian for advice.

MoUs and DUAs do not create a lawful means for exchange of information. They are not legally binding and are not contracts. They simply document the processes and procedures agreed between the two public sector bodies when information is being passed from one to the other.

MoUs and DUAs are agreed and signed by the HMRC line of business to which the information belongs and the body with whom information is exchanged. They set out clearly the procedures that the information exchange needs to follow and perform a number of useful functions such as:

  • confirming the agreed legal understanding of what the lawful authority is for sharing the information (the only permitted lawful authorities are described at IDG40320);
  • setting out administrative arrangements for the disclosure of information, including commitments to meet the relevant costs, persons involved, timescales, frequency of disclosure etc;
  • agreeing the terms under which the data may be disclosed beyond the receiving body, if at all.

HMRC has recently revised its Process MoU (pMoU) template and it now incorporates all key information that was included in the Umbrella MoU (uMoU). It includes the purpose, what happens to the data and sets standards that help all parties involved in the sharing to be clear about their roles and responsibilities. This helps HMRC demonstrate that we are meeting our accountability obligations under UK GDPR where personal data is being exchanged. HMRC’s MoU Register provides a strategic view of our data shares with other government departments and public service bodies.

Following consultation with some receiving departments and within HMRC, we have agreed that the uMoU is decommissioned and there is no need for uMoU governance activities or reviews to take place.

To ensure that HMRC has a robust assurance process in place to track all external disclosures of data. For internal users: please look up External Data Exchange guidance and the templates.

The EDE Team will keep the current version of the Umbrella MOU on a database. The version control of each MOU will be the responsibility of the author. All directorates will be responsible for keeping copies of all their MOUs and they will be the contact point for providing sight/copies of Process MOUs. Internal users: please look up EDE MOU Templates and Guidance on the intranet.

All MoUs should be reviewed on a regular basis to ensure they remain up to date and continue to reflect the “as is” position.

Where HMRC enters into a commercial relationship with a private sector organisation (or with organisations that are partly public and partly private) any disclosures of information must be covered by a legally binding commercial contract which clearly sets out the agreed procedures. For advice on disclosures to private sector organisations, please contact the Commercial Directorate Policy Team (This content has been withheld because of exemptions in the Freedom of Information Act 2000)