This blog asks how the Data Protection and Digital Information Bill (the “Bill”) affects the lawfulness and compatibility of any further processing by a controller, in particular a controller that voluntarily discloses personal data to HMRC. The worked example illustrates how the Bill further undermines the level of protection currently afforded to data subjects.
In summary, the Bill allows HMRC to lawfully obtain personal data for its purposes via voluntary disclosure from any controller; such disclosures can occur even when:
- there is no “public interest” component to a particular disclosure to HMRC and
- a particular disclosure is not associated with any specific HMRC investigation (i.e. a failure to disclose would not prejudice HMRC’s assessment or collection of tax).
If these changes are enacted, it will become difficult for the data subject (or ICO) to claim that there has been unlawful processing of personal data by HMRC.
Although the example used is a disclosure to HMRC, similar issues arise with voluntary disclosures of personal data to any law enforcement agency pursuing a criminal investigation, especially those agencies which bristle with information-collecting powers (e.g. the DWP).
As usual, the Explanatory Memorandum to the Bill does not touch on the subject matter of this blog (e.g. why is voluntary disclosure to be expanded in this way?); perhaps it is designed to be an Unexplanatory Memorandum.
The current compatibility test
Before describing the changes made by the Bill, it is worth understanding how the Purpose Limitation Principle and the compatibility assessment work together when disclosures to public bodies (e.g. to HMRC) occur under the current UK_GDPR regime.
The Purpose Limitation Principle requires personal data to be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes” (my emphasis).
So if a controller has collected personal data and is then asked to disclose such data to HMRC for its purposes, the relevant “further” processing specified by the Principle is the controller’s disclosure to HMRC for its tax purposes.
The key issue in this Principle is whether such a disclosure is “incompatible” or not. This question is answered using the provisions of Article 6(4), which provides three routes by which that further processing can be found not to be incompatible.
In our example (voluntary disclosure to HMRC for tax purposes), the further processing is NOT incompatible if the processing:
- has the consent of the data subject
- constitutes “a necessary and proportionate measure … to safeguard … any of the objectives referred to in Article 23(1)” (a reference to the possibility that a disclosure satisfies an exemption specified in Schedules 2 to 5 of the DPA2018), or
- passes the compatibility assessment test (also detailed in A.6(4)). This considers, for instance, the nature of the personal data disclosed, the relationship between the disclosing controller and the data subject, the impact of the disclosure on the data subject, etc.
As there is an applicable exemption in Schedule 2, paragraph 2 of the current DPA2018 that covers all HMRC’s tax processing, it is the second bullet point that applies.
In further detail, this tax exemption can exempt any data subject right, the Lawfulness, Fairness and Transparency Principle and the Purpose Limitation Principle, if application of any of these rights or Principles would “prejudice the assessment or collection of tax or duty”.
Thus before a controller volunteers a disclosure to HMRC, HMRC would have to assert that a failure to disclose would prejudice these matters (e.g. the collection of tax). Once this assertion is documented, the Purpose Limitation Principle is exempt and compatibility does not need to be considered by the disclosing controller.
Note that if there is “no prejudice” (i.e. the exemption does not apply), then in the absence of data subject consent the disclosure is likely to be incompatible and in breach of the Purpose Limitation Principle. It is this restriction that the Bill seeks to lift (i.e. to make all voluntary disclosures of personal data compatible, in the absence of data subject consent and without the application of the taxation exemption).
For completeness, the voluntary disclosure by the controller to HMRC has a lawful basis if the exemption applies, namely Article 6(1)(e): the disclosure is in “the public interest” as HMRC is investigating (it is in the public interest to catch tax evaders), and it is made to another person (HMRC) who has a function conferred on it by an enactment. The gory detail of this position can be found in my previous blog.
What are the Bill’s changes?
In summary, the Bill introduces two Annexes:
- Annex 1 provides an A.6 lawful basis for a disclosing controller to make these voluntary disclosures (e.g. to HMRC); the new construction avoids the application of a “public interest” test to a particular disclosure of personal data (also explained in my previous blog).
- Annex 2 exempts the Purpose Limitation Principle in all circumstances (e.g. even when there is no prejudice to HMRC’s tax functions).
First, however, new Article 8A, introduced into the UK_GDPR by the Bill, states that processing is automatically compatible if “the processing meets a condition in Annex 2”. Annex 2 comprises a list of 11 conditions, including taxation and law enforcement.
In the context of a voluntary disclosure to HMRC, Annex 2 provides two options for this disclosure.
Option 1 disclosure
The first option occurs when:
- “the processing is necessary for the purposes of making a disclosure of personal data to another person in response to a request from the other person” (in our example, HMRC is the “other person” asking a controller to disclose to it), and
- “the request states that the other person (in our example, this is HMRC) needs the personal data for the purposes of carrying out processing that”—
  - “is described in Article 6(1)(e)” (e.g. HMRC’s public task),
  - “has a legal basis that satisfies Article 6(3)” (e.g. HMRC’s public task is the set of functions bestowed on it by enactment), or
  - “is necessary to safeguard an objective listed in Article 23(1)(c) to (j)” (Article 23(1)(e) explicitly refers to exemptions needed for “taxation matters”).
As there is an applicable exemption covering taxation matters in Schedule 2, paragraph 2 of the current DPA2018, one can see that Option 1 covers disclosures to HMRC in circumstances similar to the current arrangements, but without any “public interest” consideration.
So any controller volunteering personal data to HMRC via Option 1 does not need to consider the compatibility arrangements.
Option 2 disclosure
The second option is in Annex 2, paragraph 10. Under the heading “Taxation”, the paragraph states that “This condition is met where the processing is carried out for the purposes of the assessment or collection of a tax or duty or an imposition of a similar nature”.
So why have two conditions that apply to disclosures to HMRC? If the Option 1 condition applies when an exemption applies to the disclosure, the Option 2 condition becomes relevant when the exemption cannot be applied. Remember that Annex 1 negates the need for a “public interest” test to be applied to the disclosure to HMRC.
Hence the availability of an Option 2 disclosure confirms my conclusion that HMRC is seeking to lawfully obtain personal data from controllers even when (a) there is no public interest in the disclosure and (b) where such a disclosure is not associated with any specific HMRC investigation (i.e. a failure to disclose does not prejudice HMRC’s collection or assessment of tax).
Note that the taxation condition (paragraph 10) does not even require the disclosure to be “necessary” for HMRC’s functions, unlike paragraph 5, which requires disclosure to be “necessary” for law enforcement processing.
Mind you, if the Government’s proposed Human Rights changes are implemented, the ICO and Courts will be required to give “great weight” to what Prime Minister Liz Truss decides as “necessary” and “proportionate”. So, in practice, any “necessary” safeguard is likely to be significantly degraded (see references).
Concluding questions
The combined effect of Annex 1 and Annex 2 is to provide a huge exemption from the provisions that best protect the data subject from unlawful and incompatible processing.
The Annexes also provide an alternative mechanism for HMRC to obtain personal data without reference to its wide powers (e.g. under Schedule 36 of the Finance Act 2008). These powers allow HMRC to demand any information or any document related to tax matters from almost anybody.
This raises three important policy questions which should be considered by Parliament prior to approving legislation that promotes the expansion of the proposed voluntary disclosure route.
- Are HMRC powers fit for purpose? If the answer is “no” why can’t Ministers approach Parliament with an argument for an upgrade of HMRC powers rather than expand the reach of voluntary disclosures to HMRC?
- Should HMRC be required to use its powers (e.g. Schedule 36) to demand personal data before it adopts a voluntary request for the disclosure of personal data?
- Should HMRC be required to state, when using a voluntary disclosure arrangement, that there is no obligation on the controller to disclose and that a refusal to disclose personal data would cause no detriment to the controller?
These questions certainly need answering in the context of HMRC and, dare I say it, certain law enforcement processing and national security. Perhaps the ICO could do the honours?
Autumn Data Protection Courses
I am holding another day course on the changes arising from the Data Protection and Digital Information Bill on Tuesday, September 27 (by Zoom only; £250 + VAT per delegate). Program available from: info AT amberhawk.com
Because of continued COVID uncertainty, the following courses can be attended in person, via Zoom, or as a mixture if something untoward happens. It's up to you.
- The next Data Protection PRACTITIONER Courses are in London on Monday September 19-24 (5 days) and on Monday October 31-November 4 (5 days)
- The next Data Protection FOUNDATION Course is in London on Tuesday November 15-17 (3 days).
While we are upgrading our Amberhawk website, full details of all the above courses can be obtained by emailing info AT amberhawk.com
References
How the Human Rights changes impact on data protection: https://amberhawk.typepad.com/amberhawk/2022/07/uk-bill-of-rights-set-to-undermine-uk_gdpr-and-adequacy.html (see other references at the end of the blog)
I have produced a “Keeling Schedule” for the changes to A.5, A.6, A.13, A.14: you can download it from the References at the end of: https://amberhawk.typepad.com/amberhawk/2022/08/dpdi-bill-removes-public-interest-test-in-push-to-legitimise-general-public-sector-data-sharing.html