HMRC transaction monitoring privacy notice (2024)

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/transaction-monitoring-privacy-notice/transaction-monitoring-privacy-notice

Purpose of this document

To protect your data and our services HMRC operates transaction monitoring capabilities. These record how you connect to our systems, and what you do whilst you are on them.

This privacy notice explains how HMRC collects and uses your personal information for transaction monitoring purposes. You should read the HMRC privacy notice alongside this privacy notice.

Why we process your data

HMRC processes your data for transaction monitoring purposes to:

keep your data safe, private, and secure
make sure that your data is protected from people intending to use it for fraudulent and criminal purposes
prevent fraud
prevent, detect, investigate, and prosecute criminal activity

When we collect your data

Our transaction monitoring capabilities may record information about you when you are directly or indirectly using HMRC services.

Directly using HMRC services

This will include when you:

Indirectly using HMRC services

Our transaction monitoring capabilities may collect your personal data if someone uses HMRC systems to tell us about you. This could be when:

an authorised tax agent or representative contacts us on your behalf
your employer pays your income tax on your behalf by PAYE
you use a software package or application which is compatible with Making Tax Digital to record your business records which helps you complete and submit tax updates or returns to us

HMRC shares some of our services with other government departments and local authorities. Our transaction monitoring may collect your personal data when you use one of these services:

Government Gateway service
Check a bank account service

Government Gateway

HMRC operates Government Gateway on behalf of the government.

When you log into Government Gateway to access another government department or local authority service HMRC transaction monitoring may collect and process your data while you are using Government Gateway.

Sometimes you may indirectly use a shared HMRC service. Some of our services perform a specific function within someone else’s service.

HMRC has a shared service to check bank account details are correct. Other government departments and local authorities could collect your bank details from you, then check them with our shared service.

The department or local authority will tell you if they are using an HMRC shared service when you give your bank details using one of our shared services. Our transaction monitoring may then collect and process your data while you use that shared service.

What data we collect and when

Transaction monitoring records information about you when you are using HMRC and shared HMRC services.

We collect personal data about:

the computers, phones or devices you use
the internet connections you use
what you do when you are on our services
what you tell us

How we process your data

When you sign in to one of our services we may create unique identifiers in the browser, application or device you’re using. We may also give you a transaction monitoring cookie which we use to help recognise you and link you to your account.

When you use a software package or application which is compatible with Making Tax Digital to record your business records which helps you complete and submit tax updates or returns to us. Your software provider may also supply us information about you to meet their legal obligations to HMRC.

In both instances the information we collect includes:

unique identifiers
browser type and settings
device type and settings
operating system
mobile network information including carrier name and phone number
application version number

We also collect information about the interaction of your apps, software, browsers and devices with our services, including the:

IP address
date and time
referrer URL of your request
software you are using
mobile app you are using

We collect information about what you do in our services, such as:

Our legal basis for processing your personal data

We collect and process personal data for transaction monitoring purposes to prevent and detect crime and fraud and for the purposes set out above because it is necessary to do so in the public interest and so that we can carry out our official functions as a government department.

As HMRC is permitted to carry out transaction monitoring without your consent, you cannot withdraw your consent.

We will, in some circ*mstances and where the law allows, share your data with third parties.

When a third party government department or local authority uses an HMRC shared service, we may share information about your use of that service with them. Where the law allows, this may include your historical use of that service with HMRC or other third party government departments or local authorities.

When we suspect or detect crime, and the law allows, we may share transaction monitoring information with other law enforcement

Overseas data transfers

To develop a reliable device identification, transaction monitoring device profiling shares:

IP addresses and device information with a third-party supplier which has data centres located in the EU and America
bank account details with third-party suppliers with data centres located in the EU and America

How long we keep your data

In line with with our records management and retention and disposal policy, we keep transaction monitoring records for 6 years plus the current year.

Where you have held a continuous account with HMRC for longer than this standard retention period we may hold some account information which is older, but which is still up to date.

Your rights in relation to transaction monitoring

You can read about your rights in the HMRC privacy notice.

You can contact us if you have questions about this privacy notice or want to make a complaint.

Changes to this privacy notice

We keep our privacy notices under regular review. If we make changes to this notice, we’ll amend the date at the top of this page.

The document you provided concerns the privacy notice for transaction monitoring conducted by HMRC (Her Majesty's Revenue and Customs) in the UK. This notice outlines the collection and processing of personal data during the use of HMRC services, detailing the purpose, data collected, processing methods, legal basis, data sharing, overseas data transfers, data retention, and individuals' rights in relation to transaction monitoring.

To delve into the concepts mentioned in the article:

Transaction Monitoring: Refers to the ongoing review and analysis of transactions to identify and prevent financial crimes like fraud, money laundering, and other illicit activities.
HMRC (Her Majesty's Revenue & Customs): The UK government's tax authority responsible for collecting taxes, administering some state support programs, and ensuring compliance with tax laws.
Personal Data Processing: Involves the collection, storage, and utilization of individuals' information (such as device identifiers, internet connections, browsing activity, and interaction with HMRC services) for transaction monitoring purposes.
Purpose of Data Collection: The document outlines the reasons for data processing, including ensuring data security, preventing fraudulent/criminal activities, and maintaining the integrity of HMRC services.
Data Collection Methods: It describes the direct and indirect ways through which personal data is gathered, including when individuals use HMRC services directly (e.g., filing tax returns, using the webchat or mobile app) or indirectly (e.g., through authorized tax agents, employers paying taxes on behalf of employees via PAYE, or using compatible software for tax updates).
Data Elements Collected: Includes information about devices used, internet connections, browser/application settings, operating systems, IP addresses, interactions within HMRC services, and details provided to HMRC or its shared services.
Data Processing Procedures: HMRC creates unique identifiers, uses cookies for recognition, receives information from software providers, and monitors interactions to enhance service safety and security.
Legal Basis for Data Processing: HMRC's basis for processing personal data for transaction monitoring is rooted in public interest and fulfilling official governmental functions. Consent withdrawal might not be possible due to this legal basis.
Data Sharing: HMRC may share information with other government departments, local authorities, and law enforcement agencies for crime detection/prevention purposes or when using shared services.
Overseas Data Transfers: Data may be transferred overseas to third-party suppliers in the EU and America for device identification and bank account details.
Data Retention: Records related to transaction monitoring are typically kept for six years plus the current year, in accordance with retention policies. Some older but relevant account information may be retained for longer durations.
Individual Rights: Individuals have rights concerning their data under the HMRC privacy notice, including access to information and the ability to raise complaints.

The provided document emphasizes the importance of safeguarding personal data while utilizing HMRC services, ensuring compliance with legal obligations, and employing monitoring measures to prevent fraudulent activities.