HMRC is sending "nudge" reminder texts, apparently using mobile phone numbers harvested from the two-step authentication process. Wendy Bradley asks: Is this within the spirit of the GDPR?
On 9 January 2019 I received a text message which read: "HMRC Self Assessment: Do your tax return online and pay by 31 January to avoid a penalty. Completed in the last few days? Thanks, you don't need to do anything else."
This came from a number that I didn't recognise, and when I looked back through my phone's history I saw I had received several messages from the same number, always in January, always in the format "XXXXXX is your HMRC access code."
This is the number used in the two-step authentication process when I log onto the HMRC system to do my tax return. I had given HMRC my number for this purpose, but couldn't recall having been asked or giving permission for them to use my mobile number for anything else.
In the great scheme of things, being "nudged" by HMRC to submit my tax return isn't the end of the world, nor was it when I had to give them my bank account details. It’s just another little step nibbling away at data privacy. So I fired off an email to their Data Protection Officer, Chris Franklin, asking how this complied with the data protection legislation.
HMRC has a privacy notice which tells you it will repurpose your data where it is "necessary for the performance of a task carried out in the public interest or in the exercise of our official authority as a government department".
Is it "necessary" for HMRC to nag me to do my tax return? It already has a legal power to compel me to do it, and can impose penalties if I fail to comply: is it necessary to compound the offence by nagging me as well?
Is HMRC’s argument that nagging me is a "task carried out in the public interest" and that repurposing my mobile phone number is necessary to the task?
The legislation underpinning HMRC’s privacy notice is the Commissioners for Revenue and Customs Act 2005 (CRCA 2005) s17(1), which says: "Information acquired by the Revenue and Customs in connection with a function may be used by them in connection with any other function". However, CRAC 2005 s 17(2) makes it clear this isn't a carte blanche permission, but it is subject to other legislation and treaties, so it doesn’t "trump" the provisions of GDPR.
The GDPR uses almost identical language in GDPR article 6.1 (e). Using data collected for one purpose (two-step authentication) for another (nudge text messages) is lawful if "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller".
Is it a necessary function of HMRC to send "nudge" messages? Clearly not.
Is nagging taxpayers a task carried out in the public interest? Opinions differ.
My next stop was the Information Commissioners Office, but the ICO seem to require a significant number of individual complaints before it will investigate.
An ICO spokesperson said: “Data protection law requires organisations to be open and transparent with individuals about how their data will be processed. Anyone who has concerns about the way their personal data has been handled can bring their complaints to us."
I encourage you and your clients to email the ICO, if you too have been nagged by HMRC and are unhappy about it. In an unconnected case, the ICO fined a firm called Tax Returned Ltd £200,000 for sending out spam text messages. HMRC would presumably argue that it is "nudging" or reminding the taxpayer rather than "marketing", but it would be interesting to hear the Information Commissioner's view of HMRC’s actions.
Another concern might be whether HMRC has been sufficiently clear that providing your mobile number to authenticate your logon might result in nagging text messages. Is the wording in the HMRC privacy notice sufficiently specific to enable us as "data subjects" to fully understand the extent of the processing operations carried out by HMRC?
I would like to hear your views.
About Wendy Bradley
Wendy Bradley is a retired tax inspector, now working as a freelance journalist.