Market leading insight for tax experts
View online issue

Taxpayer confidentiality, data protection and Covid-19

printer Mail
HMRC's increased role during the Covid-19 pandemic puts a fresh spotlight on its duties and obligations regarding data protection and taxpayer confidentiality.

HMRC is now one of the most important collectors of personal and confidential information and is a key data controller. Its current deep and wide involvement and assistance in the ongoing management by the government of the coronavirus pandemic also means that it is the recipient and controller, together with other public authorities, of significant data. This puts a fresh spotlight on its duties and obligations towards taxpayers regarding confidential information and data protection.

As HMRC is a creature of statute, it has to act in accordance with its statutory functions and duty of confidentiality as set out in the Commissioners for Revenue and Customs Act 2005. Apart from these obligations and duties towards taxpayers, is it also subject to the General Data Protection Regulation and the Data Protection Act 2018. It is not permitted to act outside the scope of the legislation.

Helpfully, HMRC has recently updated its guidance on privacy and security of information (see HMRC Privacy Notice, updated 9 April 2020). This guidance summarises the data protection principles; the type of information collected; how it is collected, used and shared; data security and retention. But these are mere guidelines, and if there is any concern regarding HMRC’s powers or actions, the relevant legislation should be consulted.

HMRC’s duties and obligations go beyond mere collection and holding of information. Given that it will be responsible for implementing many of the government measures to assist individuals and corporates affected by the coronavirus, HMRC may also be asked to disclose and share the information it holds with other government departments in order to assist the government in achieving its aim.

For example, HMRC may use or share personal information where its needs to comply with a legal obligation. It may also do so where it is necessary for the performance of a task which it carries out in the public interest and where it is necessary for the prevention of a crime.

However, this is where breaches could occur, and taxpayers should be alert to their remedies should they be concerned in any way about the manner in which the information is collected, held or shared.

Taxpayers may request access to their information held by HMRC; request correction of any information; request erasure of some information; object to processing of information where there are grounds to object; or make a complaint. Taxpayers may also in some instances take action to prevent HMRC from sharing information. 

We should all stay alert regarding personal information, as data breaches and mistakes can happen, often with very significant consequences, and even more so now in the age of Covid-19. 

EDITOR'S PICKstar
Top