Do Payroll and HR need consent before sending data to HM Revenue and Customs or other government agencies?

The General Data Protection Regulation (GDPR) gives individuals a number of rights in relation to the use of their personal data. In some circumstances it also offers a right to be forgotten.

Payroll and employment functions also have legal obligations in relation to employment law, right to work legislation, health and safety, use of dangerous materials (in manufacturing, for example), accidents at work, and especially in relation to obligations to operate Pay As You Earn (PAYE) for Income Tax, National Insurance etc.

Since 2013, almost all employers have been required to submit electronic data to HMRC using what is termed Real Time Information (RTI). By law, personal information must be passed to the relevant authorities on or before a payment of wages is made.

Does an individual have a right to prevent or stop such an exchange of their personal information? Simply – NO. It is a legal obligation on the employer and forms a ‘lawful purpose’ under GDPR.

So once an employee leaves, can that individual exercise their right to be forgotten and have all personal information removed from the employer's records? The answer again will generally be NO. Various legal obligations placed on employers require them to retain relevant personal information, which they must not remove.

For example, HMRC require employers to retain information relevant to PAYE (names, date of birth, legal gender at time of payment, national insurance number, address at time of payment and information processed as it was at the time of processing payment) for three years plus current. The Taxes Management Act requires relevant companies to retain such taxation information for six years. Other employment, pension and health and safety law may require certain personal data to be retained for longer. So employers will have a lawful basis to continue to retain data to meet their legal obligations, even without consent and even after receiving requests under the right to be forgotten.

The Information Commissioner's Office (ICO) provides the following examples of lawful purpose.

What is the legal obligation basis?

An organisation might use this to comply with the law.


Your employer needs to process your personal data to comply with its legal obligation to disclose employee salary details to HMRC. It relies on legal obligation to do this.

What is the public task basis?

An organisation might use this if it performs a task in the public interest or for its official functions.

Public authorities (eg local councils, government departments, NHS bodies etc) are likely to rely on this basis for a lot of the personal data they process.


When HMRC receives your details from your employer it needs to use these to calculate your tax. HMRC has an obligation to use your data for tax purposes so it can use the public task lawful basis to do this.

The Information Commissioner provides some very helpful information on consent and lawful purpose at:

So take care when processing personal data: don’t be rash and delete data that is required to be retained for payroll and HR lawful purposes.
