
GDPR and HMRC Requests: Taxpayer Rights

  • Writer: MAZ
  • 9 hours ago



Why this topic matters for UK taxpayers

For most UK taxpayers, the real concern is not whether data protection law applies to HMRC—it does—but how far those rights actually extend when HMRC is actively checking a tax position. In practice, many individuals assume GDPR gives them full visibility and control over their tax data. The reality is more balanced. HMRC operates under UK GDPR and the Data Protection Act 2018, but it also has statutory duties and enforcement powers that can limit how those rights work in specific situations. Understanding that boundary is what allows you to respond confidently rather than react defensively.


HMRC’s dual role: data controller and tax authority

HMRC is both a data controller under UK GDPR and a statutory body responsible for collecting taxes. That combination creates a unique position. On one hand, HMRC must handle personal data lawfully, transparently and securely. On the other, it must protect the integrity of the tax system.


This is why your rights are not absolute. HMRC must comply with data protection principles, but it can restrict certain disclosures where releasing information would undermine tax collection or compliance activity. In practical terms, HMRC is not simply another organisation holding your data—it has legal powers that shape how and when information is shared.


What taxpayer rights actually look like in practice

UK taxpayers have the standard set of rights under data protection law: access to personal data, correction of inaccuracies, and limited rights to restrict or object to processing. However, these rights operate within a framework.


For example, the right of access allows you to see personal data HMRC holds about you. It does not automatically entitle you to every internal note, draft decision, or third-party communication. The distinction between “your data” and “all records” is where many misunderstandings arise.


Understanding Subject Access Requests (SARs)

A Subject Access Request is the main tool for obtaining personal data from HMRC. It allows you to request copies of information held about you, along with details of how that data is used.


In practice, the effectiveness of a SAR depends heavily on how it is framed. Broad, unfocused requests tend to result in delays and heavily redacted responses. More precise requests—targeting specific tax years, enquiries, or types of correspondence—are usually more useful and processed more efficiently.





When HMRC can limit what you receive

HMRC is allowed to withhold information in certain circumstances. The most relevant is where disclosure would prejudice the prevention or detection of crime or the assessment and collection of tax.


This does not mean HMRC can refuse requests entirely without justification. The restriction must be applied carefully and proportionately. In real terms, you may receive partial disclosure—some documents provided, others redacted or withheld—particularly where compliance checks or investigations are involved.


Why “full disclosure” is rarely the outcome

Many taxpayers expect a complete, unfiltered file when making a data request. That expectation is rarely met. In practice, records may contain third-party information, internal risk assessments, or investigative material that cannot be shared in full.


For example, if HMRC receives information from another source about undeclared income, that source may not be disclosed. Similarly, internal notes explaining how HMRC plans to approach an enquiry are often protected. The result is that SAR responses are typically curated rather than comprehensive.


HMRC information requests: a separate legal framework

It is important to separate GDPR rights from HMRC’s power to request information. These are governed by different rules.


HMRC can issue formal information notices requiring documents or details that are reasonably necessary to check a tax position. These requests are not optional, and GDPR does not override them. If the request is valid, you are expected to comply, even if the information includes personal or financial data.


The meaning of “reasonably required”

The phrase “reasonably required” is central to HMRC’s powers. It acts as a safeguard against overly broad or irrelevant requests.


In practice, this means HMRC should only ask for information that has a clear connection to the tax issue under review. If a request appears excessive—such as asking for unrelated financial records—you can challenge it or ask for clarification. The focus should always be on relevance, not volume.


Real-world example: mixed personal and business finances

Consider a sole trader who uses a personal bank account for both private and business transactions. If HMRC opens an enquiry into business income, it may request full bank statements.


From the taxpayer’s perspective, this can feel intrusive. From HMRC’s perspective, it is often necessary to identify business receipts. This scenario highlights a practical lesson: separating business and personal finances can significantly limit the scope of future information requests.


Record-keeping: the overlooked foundation

A common issue in HMRC enquiries is not the request itself, but the taxpayer’s inability to provide adequate records. HMRC expects individuals—particularly the self-employed, landlords and directors—to keep accurate and complete records.


Where records are missing, taxpayers are expected to reconstruct them as far as possible. Bank statements, invoices, and third-party confirmations can all be used. Failure to provide reasonable evidence can lead to estimated assessments and potential penalties.


Using HMRC’s digital tools before making a request

Before submitting a SAR, it is often worth checking what information is already available through HMRC’s online services. Personal tax accounts, PAYE records, and income summaries can provide much of what taxpayers are looking for.


In many cases, the issue is not lack of access but lack of awareness. Using these tools first can save time and avoid unnecessary formal requests.


How to make a SAR more effective

A well-structured SAR can make a significant difference. The key is specificity. Instead of asking for “all data held”, focus on a defined issue or timeframe.


For example, requesting “all correspondence and notes relating to a 2023/24 Self Assessment enquiry” is far more likely to produce a useful response. It also reduces the likelihood of delays caused by HMRC needing to clarify the request.


Third-party data and redaction issues

One of the most common frustrations with SAR responses is redaction. This often occurs where documents contain information about other individuals or entities.


HMRC must balance your right of access with the privacy rights of others. Where information cannot be separated cleanly, entire sections may be withheld. This is not unusual and is generally consistent with data protection rules.


When HMRC data appears incorrect

Errors in HMRC data do occur, particularly with PAYE systems, multiple employments, or late submissions by employers. When this happens, the solution is not simply to challenge HMRC, but to identify the source of the error.


Providing supporting documents—such as payslips, P60s, or accounts—is essential. In many cases, the issue originates from employer reporting rather than HMRC’s internal systems.






Challenging HMRC decisions versus requesting data

There is an important distinction between understanding a decision and challenging it. A SAR may help you see the data behind a decision, but it is not the mechanism for disputing the outcome.


If you believe HMRC has made an incorrect assessment, the appropriate route is usually a formal appeal or review. Data access can support that process, but it does not replace it.


Risks of over-disclosure

While failing to provide information is a risk, providing too much can also create problems. Submitting excessive or irrelevant documents can complicate an enquiry and raise additional questions.


A more effective approach is structured disclosure—providing relevant documents clearly organised and explained. This not only helps HMRC but also strengthens your position.


International and cross-border considerations

For taxpayers with overseas income or assets, HMRC’s information requests can extend beyond the UK. International data-sharing agreements mean HMRC may already have partial visibility of foreign income.


In such cases, requests for supporting documentation are common. Transparency is particularly important here, as discrepancies can trigger deeper enquiries.


Handling situations where HMRC refuses part of a request

If HMRC refuses to provide certain information, the first step is to seek clarification. Understanding the reason—whether it relates to exemptions or third-party data—is essential.


If concerns remain, you can escalate the issue through HMRC’s complaints process and, if necessary, to the Information Commissioner’s Office. However, challenges are most effective when they are specific and evidence-based.


The balance between rights and obligations

The interaction between GDPR and HMRC powers is best understood as a balance. Taxpayers have genuine rights to access and correct their data, but HMRC also has legitimate powers to request information and protect the integrity of the tax system.

Approaching the situation with this balance in mind leads to better outcomes than treating it as a conflict.


Summary of key insights

HMRC is subject to UK GDPR and the Data Protection Act 2018, but taxpayers' rights under them are not absolute because HMRC also has statutory confidentiality duties and tax/crime-related exemptions.

A subject access request is usually the right route when you want to see your own personal data, but HMRC says you should first check your personal tax account, HMRC app and Income Record Viewer for information already available there.


HMRC can lawfully ask for information or documents through formal powers where they are reasonably required to check a tax position or collect a debt, and taxpayers may face penalties if they ignore a valid notice.


The most common mistake is to treat GDPR as either a magic shield against HMRC requests or a guarantee of a full, unredacted file. The law is narrower than that: access is real, but so are the exemptions.





FAQs

Q1: Can someone refuse an HMRC data request if it includes personal or sensitive information?

A1: Well, it’s worth noting that “personal” doesn’t automatically mean “protected from HMRC”. In my experience with clients, the key question is whether HMRC is asking under a formal legal power. If they are, you generally cannot refuse simply because the data is sensitive.


However, you can challenge the scope. For example, if HMRC asks for full personal bank statements but your enquiry only relates to rental income, there may be grounds to question whether all transactions are relevant. The practical move here is to respond, but clarify or limit the scope rather than outright refuse.


Q2: Can someone request internal HMRC notes about how a tax decision was made?

A2: This is where expectations often don’t match reality. You can request personal data, but internal reasoning, risk assessments, or investigation strategy may not be fully disclosed.

I’ve seen cases where clients receive heavily redacted notes or summaries instead of full internal commentary. That’s usually lawful if disclosure would undermine HMRC’s compliance work. If you’re trying to understand why a decision was made, a formal appeal or review is often more effective than relying solely on a data request.


Q3: What happens if HMRC holds incorrect personal data about someone’s income or tax position?

A3: In practice, this is more common than people think — especially with PAYE mismatches or duplicate employments. You have the right to request correction, but the key is evidence.

For instance, if HMRC shows £60,000 income but your P60 shows £52,000, you need to provide supporting documents. HMRC won’t amend records purely on assertion.


A useful tip: always check whether the issue comes from employer submissions first. Quite often, the “error” sits upstream in payroll reporting rather than HMRC’s system itself.


Q4: Can a taxpayer limit a Subject Access Request to speed up HMRC’s response?

A4: Absolutely — and it’s one of the smartest things you can do. Broad requests tend to slow everything down.


In my experience, a focused request like “all correspondence and notes relating to my 2022/23 Self Assessment enquiry” is far more effective than asking for “all data held”.

You’ll usually get a quicker, more relevant response — and avoid unnecessary redactions.


Q5: Can HMRC ask for information from someone’s personal bank account for a business enquiry?

A5: Yes, and this often catches people off guard. If you’re self-employed or a sole trader, HMRC can request personal bank records where business and personal finances overlap.

I’ve dealt with freelancers who assumed their personal account was off-limits — it isn’t if business income flows through it.


The practical takeaway: separation of business and personal finances isn’t just tidy bookkeeping — it reduces how much HMRC can legitimately ask for.


Q6: What should someone do if HMRC asks for information they no longer have?

A6: This comes up frequently with older records. HMRC expects reasonable efforts, not perfection.


If records are missing, the best approach is reconstruction — bank statements, supplier invoices, emails. I’ve seen landlords successfully rebuild rental records from letting agent summaries.


What you should avoid is ignoring the request. A partial but explained response is far better than silence, which can escalate the issue quickly.


Q7: Can someone use GDPR to find out if HMRC is investigating them?

A7: Not reliably. While you may receive some information, HMRC is allowed to withhold data where disclosure would prejudice an investigation.


In practical terms, if there is an active compliance check, you may only see limited references — or nothing explicit at all.


If you suspect an enquiry, it’s usually clearer from HMRC correspondence than from a data request.


Q8: Can HMRC share a taxpayer’s data with other government departments without consent?

A8: Yes, in certain circumstances. HMRC can share data where there is a legal basis — for example, with other departments to prevent fraud or ensure correct benefit entitlement.

I’ve seen this in cases involving Universal Credit or student loan repayments, where income data flows between systems.


This isn’t a GDPR breach — it’s part of lawful data sharing under statutory powers.


Q9: What happens if someone ignores an HMRC information request completely?

A9: This is one of the more serious mistakes. Ignoring HMRC doesn’t make the issue disappear — it usually escalates.


In practice, this can lead to penalties, estimated assessments, or formal enforcement. I’ve seen cases where HMRC raised inflated assessments simply because no information was provided.


Even if you disagree with the request, you should respond and challenge it properly rather than ignore it.


Q10: Can an employee check if their PAYE data held by HMRC is accurate?

A10: Yes, and they should — especially if something looks off in their tax code or take-home pay.


The simplest route is through the personal tax account, which shows employment history and income data. In my experience, discrepancies often arise from duplicate employments or delayed payroll submissions.


Catching these early can prevent underpayments building up over time.





About the Author


Maz Zaheer, AFA, MAAT, MBA, is the CEO and Chief Accountant of MTA and Total Tax Accountants (registered with Companies House), two premier UK tax advisory firms. With over 15 years of expertise in UK taxation, Maz provides authoritative guidance to individuals, SMEs, and corporations on complex tax issues. As a Tax Accountant and an accomplished tax writer, he is renowned for breaking down intricate tax concepts into clear, accessible content. His insights equip UK taxpayers with the knowledge and confidence to manage their financial obligations effectively.


Disclaimer:

The information provided in our articles is for general informational purposes only and is not intended as professional advice. While we strive to keep the information up-to-date and correct, MTA makes no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the website or the information, products, services, or related graphics contained in the articles for any purpose. Any reliance you place on such information is therefore strictly at your own risk. The graphs may also not be 100% reliable.

