Ask and you may receive...using the Data Protection Act

    In a number of recent IR35 cases we have received ‘caught’ opinions from HMRC following their fact finding/contact with the end client, which in the majority of cases we are not privy to. At this juncture we have requested notes of the meeting, both handwritten and typed, as well as a copy of the questions asked of the end client, in order to ensure that we have a complete understanding of all of the information on which HMRC have based their opinion so that we can formulate a robust, and comprehensive response in defence of our clients position.

    Whilst one would expect this information to be freely provided, we have encountered strong resistance on HMRC’s part to do just that, forcing us down the line of making a request under the DPA using a Subject Access Request (SAR). The process for this is as follows:

    • SAR request submitted to HMRC, asking for copies of the notes of meeting, handwritten notes taken by HMRC together with a copy of the list of questions posed.

    • HMRC refused the SAR, stating that  ‘the information requested does not relate to “personal data” and therefore as these refer to details associated with a limited company, there is no right to access it under the DPA’.

    HMRC’s internal guidance can be found here.

    Contrary to the response received from HMRC, the guidance states that Subject Access Requests can be refused only on the following grounds: 

    Where release would be likely to:

    • Prejudice the prevention or detection of crime.

    • Prejudice the apprehension (arrest) or prosecution of offenders.

    • Prejudice the assessment or collection of any tax or duty.

    • Reveal the identity of another person, or information about them.

    The guidance goes onto state ‘we will do our best to apply these conditions carefully, without damaging the effectiveness of our work, so that we can meet your requests as often as possible’.  

    Following HMRC’s refusal, requests for the information were made via the Information Commissioner’s Office asserting that none of the four conditions for refusal were appropriate and citing the reason that HMRC had discussed personal information pertaining to our clients with third parties but were refusing to share that information with the individuals concerned.

    At this point we notified HMRC that requests had been lodged with the ICO and that we would not be corresponding with HMRC further until such time as the ICO had considered and responded to our requests, repeating our assertion that HMRC’s grounds for refusal, being that the data is not of a personal nature, is unsound.

    The ICO’s decision states ‘from the information provided to us, it does appear that HMRC has breached the DPA.’ The decision goes onto say that HMRC has not responded appropriately to the SAR, confirming that the information requested does indeed relate to the individuals personal data, thereby repudiating the main strand of HMRC’s grounds for refusal.

    This was however, not the end of the matter, as HMRC has challenged the decision of the ICO and a number of similar cases are now currently under discussion between the two parties and we await the outcome with interest.

    Whilst the commentary in this article specifically refers to IR35 enquiry cases, the processes outlined are equally applicable to any information request that you wish to make to HMRC concerning your clients’ personal data.

    For further information or to discuss this article please contact Jacqui Mann or Nigel Nordone on 0345 223 2727.