HMRC data sharing – confidentiality rules

A recent freedom of information request made by The Times has again shone a light on HMRC practice when it comes to sharing confidential taxpayer details outside the department.

Specifically, from this request, we learned that the Cabinet Office consults HMRC when deciding who should, and should not, receive recognition through the notoriously secretive honours system. We were told that HMRC applies a traffic light system to rate nominees according to their ‘tax behaviours’. For example, someone who is participating in one or more tax avoidance schemes may be awarded an amber light, but taxpayers found to have committed tax evasion will be given a red light.

But is it acceptable to share information outside HMRC or should we be concerned?

Definition of confidential

To answer that question we must first understand what exactly is meant by ‘confidential’ and the rules on protecting taxpayer information. The starting point will be the legislation that gave us HMRC, the Commissioners for Revenue and Customs Act 2005, but specifically s 18. On confidentiality, this section states that HMRC officers cannot share any information held by the department unless the disclosure itself is:
  • in the public interest;
  • to a prosecuting authority;
  • pursuant to a court order; or
  • made with the consent of each person to whom the information relates.
This is not an exhaustive list but it covers the most common areas.

Underpinning HMRC’s approach to protecting taxpayers’ confidential information is its internal manual Information Disclosure Guidance (IDG). This states that officers must not ‘disclose HMRC information to anyone, unless [they] have lawful authority to do so. This includes other government departments and their agencies, local authorities, the police, any other public bodies, agents and members of the public’.

A principal purpose of the IDG is to help HMRC officers to understand the process should information need to be disclosed outside the department.

Information can be shared freely within HMRC as long as there is a business need. But the rules on disclosure outside HMRC go slightly further than the CRCA and confirm such action is permitted:
  • For the purposes of HMRC’s functions (see below).
  • If the expressed authority of the taxpayer has been received, such as a mandate to contact a third party.
  • If one of the legal ‘gateways’ applies (see below).
  • Under a court order.
  • If it is in the public interest.
  • If the relevant prosecuting authorities need to be informed.
An overarching principle is contained in the HMRC charter, which outlines the standards taxpayers can expect from HMRC (and vice versa). This states: ‘We’ll [HMRC] protect information we obtain, receive or hold about you and only share information about you when the law lets us.’

HMRC holds an enormous amount of information relating to taxpayers. It is the responsibility of its information policy and disclosure team to advise and provide guidance to officers on the issue of confidentiality. At a more local level an officer can take any query to their angelically named ‘data guardian’.


One situation in which it would be lawful to disclose information externally is when legislation makes a specific provision for HMRC to do so with another government department, agency or public authority. These provisions are often referred to as ‘legal’ or ‘information’ gateways and allow HMRC to disclose to ‘specific people for specific reasons’.

There are 50 gateways listed on HMRC’s website. These include the Charity Commission, Student Loan Company and the Ministry of Defence.

Gateways are unique and each will have its own administrative procedures that HMRC and its counterparty must follow. The accessibility of gateways and how these are relied on in practice is clear. By comparison, the reliance on ‘for the purposes of HMRC’s functions’ is far more questionable.

HMRC functions

When there is no legal gateway HMRC can rely instead on disclosure being necessary for the purposes of an HMRC function. In these instances the procedures are often set out in jointly agreed documents such as a memorandum of understanding (MoU).

But do these MoUs give us reason for concern?

Taking HMRC’s input into the honours system as an example, the procedures governing the role of the department are set out in the MoU it has with the Cabinet Office. This eight-page document was most recently updated in March 2017 and will remain in force for five years. The document describes its purpose as:

‘The Cabinet Office requests government departments including HMRC to undertake checks on individuals in order to inform the honours committee’s recommendations on the suitability of individuals for an honour … [and] ... as part of the nomination process, the Cabinet Office tries to minimise the risk that prospective candidates have behaved in ways likely to bring the system into disrepute.’

This may seem reasonable from the point of view of the Cabinet Office, but it is difficult to see how that reconciles with CRCA 2005 or HMRC’s own IDG. As the MoU explains, ‘[nominees] are not aware that they have been nominated or which specific checks may be carried out to validate their particular nomination’.

There is no reason to believe that, in the case of the honours selection process, the Cabinet Office will do anything other than ensure the information is used for the purposes for which it is provided. However, I would ask why, for example, the prime minister would need to be notified if an individual receives an amber or red flag (as per the MoU), as is the case now?

In this example, the MoU seeks to justify disclosure of taxpayer information for these purposes under the principle of it being ‘for the purposes of HMRC’s functions’. It offers four grounds to explain why sharing confidential information satisfies the ‘for the purpose of HMRC functions’ test:
  • [it] increases the likelihood that the individual subject to the HMRC check will ensure that their tax affairs are in order and up to date;
  • [it] increases the likelihood that other individuals in a similar position will be influenced to rectify their tax affairs if they become aware that poor tax behaviour is not consistent with the award of an honour;
  • [it] increases the likelihood that taxpayers at large will maintain their trust in the integrity of tax administration by HMRC and comply with their tax obligations voluntarily if tax behaviour is seen as a factor when considering public reward and recognition via the honours system; and
  • [it] reduces the likelihood that taxpayers at large will lose their trust in the integrity of tax administration by HMRC and so fail to comply with their tax obligations voluntarily. Trust would likely be lost if an honour was awarded to someone with negative tax behaviours and those behaviours became linked to the positive recognition that accompanies the award of an honour.

I can with a degree of hesitation accept arguments two to four but I struggle with the first. I would draw a comparison with a report published earlier this year on the effectiveness of the publishing details of deliberate defaulters (PDDD) initiative which concluded ‘the research found no strong evidence that PDDD is an effective deterrent to defaulting on one’s tax obligations’.

Low threshold

Most concerning is that there appears to be an incredibly low threshold that would need to be met to justify the ‘for the purpose of HMRC functions’ test. This test is subjective and, in this example, what influences the behaviour of one taxpayer would not necessarily influence the next. Based on experience I would suggest an equally low bar applies to other MoUs.

Again, returning to the IDG, HMRC officers are advised that, when deciding whether to disclose the information in order to perform a function or duty, they must:
  • for each disclosure, identify the specific HMRC function(s) whose purpose(s) will be served by the disclosure;
  • take appropriate account of relevant facts, in particular how the disclosure benefits HMRC’s functions and (where applicable) balance against any potential negative impacts on HMRC’s functions. If the negative ramifications of disclosure outweigh the positive impact, you should not disclose;
  • ignore irrelevant information, for example how the disclosure could benefit another government department;
  • disclose information only where there is an overall positive impact on HMRC’s functions and disclose only the minimum amount of information needed to achieve the specified purpose(s); and
  • in the case of information on identifiable living individuals, take account of the protection of personal data under the Data Protection Act (DPA) and for both identifiable individuals and legal entities (such as companies or charities), the right to privacy set out under Art 8 of the European Convention on Human Rights.
The guidance goes on to confirm that ‘you [HMRC officer] will be the person best placed to make judgments about whether and how to disclose information you hold for the purpose of an HMRC function, following the steps set out above’. Critically, no one appears to be policing this decision-making.

The following case study is an example of a team of HMRC officers who did not fully appreciate their obligations on taxpayer confidentiality.

Case study

We were instructed by an individual who had already been issued with code of practice 9 by HMRC under the contractual disclosure facility (CDF). In other words, HMRC had a strong suspicion that this person had committed ‘serious tax fraud’ and was offering him the opportunity to settle his affairs on a civil basis. Due to an invalid outline disclosure being submitted by his previous adviser, the terms of the CDF had been withdrawn and we became involved after HMRC’s in-depth investigation had already begun.

In our first meeting with HMRC we were told, in quite a casual manner by one of the officers present, that our client was ‘considered high profile in the [HMRC] office’. Considering IDG and other procedures that must be followed, we immediately raised this as a serious concern.

In our view it was not acceptable for our client’s tax affairs to become water cooler gossip, which was what had been implied. When challenged, HMRC gave a rather confused response but did eventually assure us in writing that the details of the case had been shared only between individuals connected to the investigation. Of course, we had no way to disprove this.

As the investigation progressed, we continued to have concerns that taxpayer confidentiality was being compromised. The HMRC officer referred to informal conversations he had undertaken with the police and other government agencies. When we learned that such contact had been made we asked the HMRC officer to confirm:
  • That all contact with other agencies was appropriate and authorised.
  • The contact had been made in accordance with a legal gateway.
  • The precise nature of the details that were exchanged and what each party disclosed.
Again, the response was not particularly helpful or insightful. We were told that there was an MoU in place but ‘HMRC does not regard it as appropriate to disclose its MoUs’. After an FOI request this was duly shared with us but it was interesting that the HMRC officer had been reluctant to divulge something so uncontroversial to us in the first place. After all, MoUs are there to protect our rights as taxpayers.

Perhaps not unexpectedly, there was nothing in the MoU that caused us any great concern, but it was the explanations provided by the officer in making the requests that raised yet more questions. It showed how easy it could be for the ‘functions of HMRC’ test to be satisfied. The officer told us that he was seeking to understand whether there was a link between a matter on which the police were investigating our client and the tax inquiry. There was no obvious connection and we could not see any reason for making such inquiries other than this HMRC officer’s curiosity. This is not something that accords with either CRCA 2005 or the IDG.

The issue of HMRC officers disclosing taxpayers’ confidential information and relying on the defence that it was for the purposes of HMRC’s functions has been tested before in R (on the application of Ingenious Media Holdings plc and another) v CRC. The case involved Dave Hartnett, the former permanent secretary for tax in HMRC who, in his role, briefed journalists about tax avoidance in an ‘off the record’ meeting.

In finding that Mr Hartnett had breached confidentiality, Lord Toulson in the Supreme Court noted: ‘As to the justifications put forward by HMRC, a general desire to foster good relations with the media or to publicise HMRC’s views about elaborate tax avoidance schemes cannot possibly justify a senior or any other official of HMRC discussing the affairs of individual taxpayers with journalists.’ [emphasis added]

The decision included a detailed analysis of CRCA 2005, s 18 and showed that courts are prepared to hold HMRC to account when it relies on ‘for the functions of HMRC’ without proper justification. The bar is not as low as some HMRC officers may think after all.

So what can be done?

When agents are dealing with cases such as this and there are concerns HMRC is stepping outside its own guidelines and CRCA 2005, it is often helpful to raise this directly with the officer involved. We found that the way HMRC conducted the investigation and treated our client noticeably improved after we queried the officer’s actions.

Returning to the IDG, perhaps interestingly, any HMRC officer who fails to comply with the rules can face disciplinary action and could be found guilty of a criminal offence liable to a fine, imprisonment for up to two years or both. Surely this is a red flag on HMRC’s traffic light system one would expect?

This article was first published in Taxation Magazine, October 2018.
