Save content
Have you found this content useful? Use the button above to save it to your profile.
Text message

HMRC nudges taxpayers by text message

29th Jan 2019
Save content
Have you found this content useful? Use the button above to save it to your profile.

HMRC is sending "nudge" reminder texts, apparently using mobile phone numbers harvested from the two-step authentication process. Wendy Bradley asks: Is this within the spirit of the GDPR?


On 9 January 2019 I received a text message which read: "HMRC Self Assessment: Do your tax return online and pay by 31 January to avoid a penalty. Completed in the last few days? Thanks, you don't need to do anything else."

This came from a number that I didn't recognise, and when I looked back through my phone's history I saw I had received several messages from the same number, always in January, always in the format "XXXXXX is your HMRC access code."

This is the number used in the two-step authentication process when I log onto the HMRC system to do my tax return. I had given HMRC my number for this purpose, but couldn't recall having been asked or giving permission for them to use my mobile number for anything else.

In the great scheme of things, being "nudged" by HMRC to submit my tax return isn't the end of the world, nor was it when I had to give them my bank account details. It’s just another little step nibbling away at data privacy. So I fired off an email to their Data Protection Officer, Chris Franklin, asking how this complied with the data protection legislation.


HMRC has a privacy notice which tells you it will repurpose your data where it is "necessary for the performance of a task carried out in the public interest or in the exercise of our official authority as a government department".

Is it "necessary" for HMRC to nag me to do my tax return? It already has a legal power to compel me to do it, and can impose penalties if I fail to comply: is it necessary to compound the offence by nagging me as well?

Is HMRC’s argument that nagging me is a "task carried out in the public interest" and that repurposing my mobile phone number is necessary to the task?

The law

The legislation underpinning HMRC’s privacy notice is the Commissioners for Revenue and Customs Act 2005 (CRCA 2005) s17(1), which says: "Information acquired by the Revenue and Customs in connection with a function may be used by them in connection with any other function". However, CRAC 2005 s 17(2) makes it clear this isn't a carte blanche permission, but it is subject to other legislation and treaties, so it doesn’t "trump" the provisions of GDPR.

The GDPR uses almost identical language in GDPR article 6.1 (e). Using data collected for one purpose (two-step authentication) for another (nudge text messages) is lawful if "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller".

My questions

Is it a necessary function of HMRC to send "nudge" messages? Clearly not.

Is nagging taxpayers a task carried out in the public interest? Opinions differ.


My next stop was the Information Commissioners Office, but the ICO seem to require a significant number of individual complaints before it will investigate.

An ICO spokesperson said: “Data protection law requires organisations to be open and transparent with individuals about how their data will be processed. Anyone who has concerns about the way their personal data has been handled can bring their complaints to us."

I encourage you and your clients to email the ICO, if you too have been nagged by HMRC and are unhappy about it. In an unconnected case, the ICO fined a firm called Tax Returned Ltd £200,000 for sending out spam text messages. HMRC would presumably argue that it is "nudging" or reminding the taxpayer rather than "marketing", but it would be interesting to hear the Information Commissioner's view of HMRC’s actions.

Another concern might be whether HMRC has been sufficiently clear that providing your mobile number to authenticate your logon might result in nagging text messages. Is the wording in the HMRC privacy notice sufficiently specific to enable us as "data subjects" to fully understand the extent of the processing operations carried out by HMRC?

I would like to hear your views.


Replies (6)

Please login or register to join the discussion.

Jennifer Adams
By Jennifer Adams
30th Jan 2019 09:34

This is exactly the reason why I try to make sure that my firm's phone number is in place in HMRC's records rather than clients.

This ensures that any query comes to me first.

I do this because about a year ago HMRC rang me as the only number they had and asked for a client's number.

The conversation went like this:
HMRC': We don't have your client's personal mobile number - can you give it to me please?
Me: 'Why'
HMRC: 'Because your client owes us tax'
Me: 'I don't think so'
During this conversation I looked under client's info online.
He had underpaid £3.75 = interest as he had slightly missed the deadline due to New Year etc.
Me: 'Not giving you his number... I'll tell him - if you are concerned you can write to him instead'.

The reason I was so shirty was that this client is a lecturer of a large London university in the UK specifically undertaking a project for Poland's education dept on the invite of our education dept. He is petrified that underpayment of tax means deportation (yes I know but clients....!) and I could just see his reaction should he receive a phone call from HMRC.
So I now try do change for all my clients (after asking their permission of course) = most agree.

On another note - we've heard the word 'nudges' before with reference to MTD - it seems to be their 'buzz word'.

Thanks (4)
By nodrogbir
30th Jan 2019 11:02

HMRC do just as they like and often waste hours on petty things. It all depend who you get in the day as to the outcome. No one should receive a text unless they have specifically asked for texts to be sent.

Thanks (0)
By dmmarler
30th Jan 2019 12:10

This is just why people do not want to register for any online systems with a government department, or provide any information other than that required by law.

Thanks (3)
By Echo761
30th Jan 2019 13:14
Not the first time that they have done this, I agree this is abuse of data. If I received this from a PPI company it would definitely be an abuse.

Thanks (1)
Chris M
By mr. mischief
30th Jan 2019 19:23

I only ever give HMRC my work landline, never my mobile and never a client mobile number.

Everything about my dealings with HMRC since its formation gives me no trust in their integrity or their competence, and both of those are required here,

Thanks (2)
By malisajama
04th Feb 2019 13:01

Regardless what HMRC's privacy policy says, the use of personal information must be for a specific purpose or purposes and, if consent is used as the lawful basis, the data subject must give positive and informed consent for each purpose. Other lawful bases require that processing is ‘necessary’ for a specific purpose.

It seems highly unlikely that nudging taxpayers by text message is something that HMRC is required to do. Therefore, HMRC needs the specific, informed consent of data subjects to process their personal data for this purpose. Anyone who is thinking of making a complaint to the ICO should first complain to HMRC's Data Protection Officer.

This is all based on the ICO's published guidance.

The next time HMRC requests unnecessary personal information about any client, you could simply advise HMRC that you cannot do so without your client's consent.

Thanks (3)