How does HMRC use third party data?
Answered 17 March 2026
Here is a comprehensive answer on how HMRC uses third party data.
What the law says
Legislative basis — Schedule 23, Finance Act 2011
Para 1 of Schedule 23 to the Finance Act 2011 (FA11/SCH23) gives HMRC officers the power to obtain data from relevant data-holders. The legislation identifies categories of data-holder and the type of data that can be requested from each. There are 16 types of relevant data-holders, and the Data-Gathering Powers (Relevant Data) Regulations 2012 (SI 2012/847) specify the relevant data for each class.
The data that a relevant data-holder may be required to provide:
- may be general data, or data relating to particular persons or matters; and
- may include personal data (such as names and addresses of individuals).
The powers came into force on 1 April 2012 and apply to relevant data even if it relates to periods before that date.
Separate powers — Schedule 36, FA 2008
The data-gathering powers under Schedule 23 are different from and additional to the information and inspection powers under Schedule 36 FA 2008. Importantly, the data-gathering powers cannot be used to ask for information on the tax position of the data-holder itself — Schedule 36 powers are available for that purpose.
Communications data — F(No 2)A 2023
In early 2023, Home Office guidance classified "subscriber data" (mandatory fields when subscribing for an online service) as possible communications data under the Investigatory Powers Act 2016, which temporarily restricted Schedule 36 and Schedule 23 notices from requesting such data. A new clause in F(No 2)A 2023 exempted HMRC's civil tax functions from this restriction, meaning that as long as HMRC confirms a request is for civil rather than criminal purposes, third parties must now provide what has been requested under Schedule 36/Schedule 23.
HMRC guidance / practice
Purpose: risk analysis and compliance
The data-gathering powers are used by HMRC to gather specific pieces of information about groups of people, for use in risk analysis. Once acquired in connection with an HMRC function, the data may be used for any other HMRC function, subject to the usual rules.
Specifically, the data is used in the following ways:
- To target publicity and support where there is a risk tax has been overpaid.
- To target compliance checks on cases where there is a risk tax has been underpaid, so that overall compliant people see fewer checks.
- To determine the right approach when checking — e.g. whether to start with a quick phone call or an in-depth investigation.
- As a deterrent to non-compliance — the fact that information is shared with HMRC discourages people from concealing sources of income.
How data is collected: two routes
Data gathering powers are used in one of two ways:
- An individual officer can use the powers when enquiring into people who received payments from a single entity.
- The specialist Data Acquisition and Exchange (DAE) team acquires all bulk third party data from UK relevant data-holders under Schedule 23 powers on behalf of HMRC — for example, rental income paid by letting agents to landlords.
The data-holder notice
HMRC requests data by issuing a data-holder notice to the data-holder. The notice must cite the relevant legislation (Para 1, Schedule 23 FA 2011 and SI 2012/847), specify why the notice is being sent, what data is required, how it should be supplied, where it should be sent, and by what date. HMRC may also seek tribunal approval before issuing a notice; if the tribunal approves, the data-holder cannot appeal against it.
Safeguards
Safeguards are built into the legislation and HMRC's procedures to ensure that data-gathering requests are:
- Reasonably required by the issuing officer for the purpose of collecting data relevant to compliance checks; and
- Only requested from relevant data-holders.
Officers must also take particular care to preserve confidentiality when obtaining and using third party information, and must be mindful of the impact of data protection legislation.
Informal requests
In addition to formal powers, HMRC can ask third parties to provide information about taxpayers informally. Third parties may have obligations not to disclose under data protection legislation, but legislation contains exemptions that allow disclosure to HMRC, and in certain circumstances HMRC may give assurances that those exemptions apply.
Citation sources
Data Acquisition and Exchange issue all Schedule 23 data-holder notices on behalf of HMRC. We can issue a data-holder notice to a data-holder and require them to provide the relevant data that is specified in the notice. There is a limit to how far back we can request data, and we can only require the data-holder to provide documents that are in the data-holder’s possession or power. We may ask the tribunal for approval to issue a data-holder notice. The tribunal may only approve our data-holder
Data-gathering powers enable us to collect data about third parties from data-holders to use in our compliance activities. The legislation identifies categories of data-holder and the type of data we can request from each data-holder. We request the data by issuing a data-holder notice to the data-holder. Data gathering powers are used in one of two ways. An individual officer can use the data gathering powers when enquiring into people who received payments from a single entity. Data Acquisitio
In early 2023, guidance from the Home Office classified “subscriber data”, i.e. the mandatory fields when subscribing for an online service, as possible communications data (CD) under the Investigatory Powers Act 2016 (IPA). Third Party Information Notices and Financial Institution Notices under Schedule 36 FA08 were therefore restricted to not requesting this data. It also meant that a recipient of a Sch23 data-holder notice was not compelled to send a return to HMRC if it included data from a
There are 16 types of relevant data-holders that we can require to provide relevant data. The term relevant data-holders include a person who was a data-holder but who ceased to be a data-holder less than four years from the date of the data-holder notice. For example, a person who used to be a solicitor but who retired last year would still be a data-holder as a solicitor. The Data-Gathering Powers (Relevant Data) Regulations 2012 (SI 2012/847) specify the relevant data for each class of data-
This page and chapter are under review as the relevant content is also published in the technical guidance chapters of the Compliance Handbook, within Compliance checks factsheets and in Compliance checks guidance. If you use particular pages regularly, please email hmrcmanualsteam@hmrc.gov.uk to let us know the specific content you find useful. The notice must contain reference to the relevant legislation; that is, Paragraph 1 Schedule 23 to the Finance Act 2011 and The Data-gathering Powers (R
You need to take particular care when obtaining and using third party information to make sure that confidentiality is preserved. It is important that you know when and what information you may ask for how to obtain the information how to use the information ), and the impact of the Data Protection Act 1998 (IHTM09391) on the collection and use of third party informationThe IHTA information powers have been replaced by FA08/Sch36 (as amended and extended by FA09). Further guidance about
This page and chapter are under review as the relevant content is also published in the technical guidance chapters of the Compliance Handbook, within Compliance checks factsheets and in Compliance checks guidance. If you use particular pages regularly, please email hmrcmanualsteam@hmrc.gov.uk to let us know the specific content you find useful. Para 1 of Schedule 23 to the Finance Act 2011 gives HMRC officers the powers to obtain data from relevant data-holders. These powers come into force on
The data-gathering powers are used by HMRC to gather specific pieces of information about groups of people, for use in risk analysis. Once we have acquired the information in connection with an HMRC function we may use it for any other function, subject to the usual rules. The large number of people and the need to keep down the cost of administering the tax system mean HMRC cannot check every single tax return in depth. Risk information is therefore essential to HMRC’s compliance checking funct
This page and chapter are under review as the relevant content is also published in the technical guidance chapters of the Compliance Handbook, within Compliance checks factsheets and in Compliance checks guidance. If you use particular pages regularly, please email hmrcmanualsteam@hmrc.gov.uk to let us know the specific content you find useful. You can ask third parties to provide information about taxpayers informally. The third parties may have obligations not to disclose the information, und
The data-gathering powers allow us to require a relevant data-holder to provide ‘relevant data’. We request the relevant data using a data-holder notice, see CH28250. Relevant data means data associated in the regulations with each type of data-holder. The types of data-holders and the relevant data that may be required from them are covered in CH28400. The data that a relevant data-holder may be required to provide may be general data, or data relating to particular persons or matters, and may