Data Protection Compliance Check

PRIVACY IMPACT ASSESSMENT IN RESPECT OF THE
DISCLOSURE OF INFORMATION ON VAT TRADERS IN THE
UNITED KINGDOM: DATA PROTECTION COMPLIANCE
CHECK
Introduction
HM Revenue and Customs (HMRC) proposes to authorise the disclosure of
information on VAT expenditure and date of receipt data for all VAT traders in the
United Kingdom to the Office for National Statistics (ONS) (the executive office of
the Statistics Board, now the UK Statistics Authority). In order to comply with
Government data handling requirements, it was agreed that a Privacy Impact
Assessment (PIA) needed to be carried out. Careful assessment of relevant risks
indicated that a Data Protection Compliance Check was needed. This document
provides details of the review that was undertaken.
Basic Questions
1. Purpose/Objective of Initiative
ONS, the executive office of the UK Statistics Authority (UKSA), wishes to gain
access to VAT expenditure and date of receipt data collected by HMRC for all VAT
traders in the United Kingdom. This will be used to support ongoing work to improve
business and economic statistics, minimise the burden on small businesses and, in the
longer term, reduce data collection costs.
HMRC are already able to disclose VAT traders’ identification and turnover data to
the Statistics Board under Section 91(1) of the Value Added Tax Act 1994. ONS use
this information for the purpose of the compilation or maintenance of a central register
of businesses (the Inter-Departmental Business Register) and other statistical purposes.
2. What is the high level potential privacy impact of the proposal?
There are no direct high level privacy issues associated with this proposal.
The data in question relate to VAT traders’ expenditure together with information on
the date of receipt of traders’ returns. In most cases the data will refer to businesses
and not to individuals although in some cases the business could be a sole trader or
partnership and in such circumstances the information will be personal data. The
disclosure of the data will be authorised by an Information Sharing Order using
powers in the Statistics and Registration Service Act 2007 (the 2007 Act) and in all
cases the information can only be used for specified statistical purposes. As a result
there are no high level privacy issues.
In addition, it should be noted that HMRC is already providing a range of VAT data to
ONS. The proposed Information Sharing Order will only allow for the transfer of two
additional non-sensitive variables.
3. Provide details of any previous PIA or other form of personal data
assessment done on this initiative (in whole or in part).
Not applicable.
Existing arrangements relating to the transfer of other VAT data came into force
before there was a requirement to undertake any such assessment.
The Data Protection Principles
1) Personal Data shall be processed fairly and lawfully and, in particular,
shall not be processed unless –
a. at least one of the conditions in Schedule 2 is met, and
b. in the case of sensitive personal data, at least one of the conditions
in Schedule 3 is also met.
Which condition in Schedule 2 is met?
Condition 5(c) the exercise of any functions of the Crown, a Minister of the Crown or
a government department, and 5(d) the exercise of any functions of a public nature
exercised in the public interest by any person, are both met in this case.
Is any sensitive personal data being processed?
No.
If “Yes” to the above question please list the conditions in Schedule 3 that are met.
Not applicable.
Please confirm that to the best of your knowledge the data are being processed fairly
and lawfully.
The information is being processed lawfully through a legal gateway to be created
under section 47 of the 2007 Act. We are confident that this proposal is also
compliant with the common law duty of confidence.
2) Personal data shall be obtained only for one or more specified and lawful
purposes, and shall not be further processed in any manner incompatible
with that purpose or those purposes.
Please give a brief description of the safeguards in place to ensure that the data are
only used for the prescribed purposes:
When made, the Regulations will specify that the information disclosed can only be
used for the following statistical purposes: –
• the production of statistics under section 20 of the 2007 Act.
Furthermore, once this information is in the possession of the UKSA the confidentiality
provisions of section 39 of the 2007 Act will apply. Any unlawful disclosure of the
information will be a criminal offence and any person found guilty of such an offence
will be liable to a term of imprisonment or a fine or both.
3) Personal data shall be adequate, relevant and not excessive in relation to
the purpose or purposes for which they are processed.
How is the adequacy of personal data for each purpose determined? (Please give
examples.)
ONS has prepared a statistical business case setting out its requirements for access to
Value Added Tax (VAT) expenditure data (VAT purchases from Box 7 of the VAT
returns received by HMRC) and return receipt data from HMRC’s VAT system.
Access to these data is essential in order to enable ONS to meet increasing demands
for new and improved business statistics, reduce the burden on businesses and, in the
longer term, provide a more accurate and cost effective means of monitoring business
change and economic cycles.
By adding expenditure and date of receipt variables to the existing VAT turnover data
ONS would have an accurate information source for all but the smallest taxable
businesses for the two most fundamental financial variables and for related reporting
patterns. The availability of this information will support vital work to:
• enhance the accuracy and quality of major economic indicators derived from
  the Annual Business Survey (e.g. predicted values for turnover and expenditure
  as well as the predicted values for the Gross Value Added and Employment
  Costs variables);
• investigate the feasibility of estimating key monthly indicators, quarterly
  supply-use tables and quarterly intermediate consumption as well as changes in
  relationships between survey and VAT data across a full economic cycle;
• develop a better understanding of the movement of intermediate consumption
  in relation to Gross Value Added and output during a recession; and
• analyse reporting patterns to establish the best statistical methods for producing
  accurate short term economic indicators.
In addition, the information will contribute to wider work being undertaken by the
Government including the formulation, evaluation and review of monetary and fiscal
policy as well as macro-economic forecasting. In particular, the Bank of England and
the Monetary Policy Committee would have more reliable short-term estimates of
GDP at the time they are needed for interest rate decisions.
Access to the VAT expenditure data will enable ONS to improve efficiency and value
for money in its data collection, increase quality by greatly extending coverage of
small businesses beyond a small sample and reduce the costs to businesses of
providing data.
Officials from HMRC have supported this work and contributed to the development
and review of the statistical business case.
How is an assessment made as to the relevance (i.e. no more than the minimum
required) of personal data for the purpose for which it is collected?
Not applicable.
4) Personal Data shall be accurate and, where necessary, kept up to date.
Is the information only being used for statistical purposes?
Yes.
Section 33 of the Data Protection Act 1998 provides that information used only for
statistical purposes does not have to be kept up to date.
If “No” to the above question please describe the safeguards in place to ensure
information is being kept up to date.
Not applicable.
5) Personal data shall not be kept for longer than is necessary
Is the information only being used for statistical purposes?
Yes.
The information will only be used for statistical purposes and therefore may be kept
indefinitely.
If “No” to the above question please describe the safeguards in place to ensure
information is only being held for as long as necessary.
Not applicable.
6) Personal Data shall be processed in accordance with the rights of data
subjects under this Act.
Right to make a Subject Access request
Please describe the procedures in place to provide access to records under this
principle. (Please note information held for statistical purposes is exempt from this
right.)
ONS is exempt under s.33 of the Data Protection Act 1998 from providing access to
personal data under a subject access request. ONS’s policy is not to provide access as
the records it holds are subject to statistical processes that may modify the records to
make them suitable for the production of relevant business statistics. The records are
not held as a definitive record of an individual’s personal circumstances. If disclosed
through a subject access request, this could mislead the individual and cause
unnecessary concern, harm or distress.
Processing that may cause Damage or Distress
Please describe safeguards to ensure that there is no damage or
distress caused to the data subject.
To benefit from s.33 of the Data Protection Act 1998 the processing must not cause
damage or distress to individuals. ONS policy, practice, and statute law require that
no information relating to an identifiable individual is disclosed, whether in a statistic
or through any of our data handling processes. Similarly, ONS’s policies and
procedures would not allow anyone to make any decision or take any action that could
affect an individual.
Right to Object
Does your project have a process for passing S10, S11, S12, or S14 DPA notice to the
ONS Data Protection Officer?
Yes. ONS has a standard process in place, which is described on its website here:
Information Charter
http://www.ons.gov.uk/about/information-charter/index.html
Confidentiality
http://www.ons.gov.uk/about-statistics/methodology-andquality/quality/quality-projects/risk-mgmt/confid-data-collected-forstatl-purposes/index.html
7) Appropriate technical and organisational measures shall be taken against
unauthorised or unlawful processing of personal data and against
accidental loss or destruction of, or damage to, personal data.
Will this data be processed in line with ONS’s data security policies?
Yes.
The Information Asset Owner for the data when held in ONS will be Caron Walker.
ONS Information Asset Owners follow the policies for Information Security agreed at
an Executive level committee and signed off by the ONS Senior Information Risk
Officer.
The VAT expenditure data will be entered in the ONS Information Asset Register.
ONS meets all the data handling mandatory measures as set out in the O’Donnell
review and incorporated into the Security Policy Framework.
All ONS staff have completed and passed an information security learning package.
If No, please briefly describe the safeguards that will be in place.
Not applicable.
8) Personal data shall not be transferred to a country or territory outside the
European Economic Area (EEA) unless that country or territory ensures
an adequate level of protection for the rights and freedoms of data
subjects in relation to the processing of personal data.
Is the information being transferred outside of the EEA?
No.
If “Yes”, where is it to be transferred, and what protection does that country offer?
(e.g. is it a member of the Safe Harbour scheme?)
Not applicable.