PRIVACY IMPACT ASSESSMENT IN RESPECT OF THE DISCLOSURE OF INFORMATION ON VAT TRADERS IN THE UNITED KINGDOM: DATA PROTECTION COMPLIANCE CHECK

Introduction

HM Revenue and Customs (HMRC) proposes to authorise the disclosure of information on VAT expenditure and date of receipt data for all VAT traders in the United Kingdom to the Office for National Statistics (ONS) (the executive office of the Statistics Board, now the UK Statistics Authority). In order to comply with Government data handling requirements it was agreed that a Privacy Impact Assessment (PIA) needed to be carried out. Careful assessment of relevant risks indicated that a Data Protection Compliance Check was needed. This document provides details of the review that was undertaken.

Basic Questions

1. Purpose/Objective of Initiative

ONS, the executive office of the UK Statistics Authority (UKSA), wishes to gain access to VAT expenditure and date of receipt data collected by HMRC for all VAT traders in the United Kingdom. This will be used to support ongoing work to improve business and economic statistics, minimise the burden on small businesses and, in the longer term, reduce data collection costs.

HMRC are already able to disclose VAT traders’ identification and turnover data to the Statistics Board under Section 91(1) of the Value Added Tax Act 1994. ONS use this information for the purpose of the compilation or maintenance of a central register of businesses (the Inter-Departmental Business Register) and other statistical purposes.

2. What is the high level potential privacy impact of the proposal?

There are no direct high level privacy issues associated with this proposal. The data in question relate to VAT traders’ expenditure together with information on the date of receipt of traders’ returns.
In most cases the data will refer to businesses and not to individuals although in some cases the business could be a sole trader or partnership and in such circumstances the information will be personal data. The disclosure of the data will be authorised by an Information Sharing Order using powers in the Statistics and Registration Service Act 2007 (the 2007 Act) and in all cases the information can only be used for specified statistical purposes. As a result there are no high level privacy issues.

In addition, it should be noted that HMRC is already providing a range of VAT data to ONS. The proposed Information Sharing Order will only allow for the transfer of two additional non-sensitive variables.

3. Provide details of any previous PIA or other form of personal data assessment done on this initiative (in whole or in part).

Not applicable. Existing arrangements relating to the transfer of other VAT data came into force before there was a requirement to undertake any such assessment.

The Data Protection Principles

1) Personal Data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
a. at least one of the conditions in Schedule 2 is met, and
b. in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Which condition in Schedule 2 is met?

Condition 5(c) the exercise of any functions of the Crown, a Minister of the Crown or a government department, and 5(d) the exercise of any functions of a public nature exercised in the public interest by any person, are both met in this case.

Is any sensitive personal data being processed?

No.

If “Yes” to the above question please list the conditions in Schedule 3 that are met.

Not applicable.

Please confirm that to the best of your knowledge the data are being processed fairly and lawfully.

The information is being processed lawfully through a legal gateway to be created under section 47 of the 2007 Act.
We are confident that this proposal is also compliant with the common law duty of confidence.

2) Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Please give a brief description of the safeguards in place to ensure that the data are only used for the prescribed purposes:

When made, the Regulations will specify that the information disclosed can only be used for the following statistical purposes:
– the production of statistics under section 20 of the 2007 Act.

Furthermore, once this information is in the possession of the UKSA the confidentiality provisions of section 39 of the 2007 Act will apply. Any unlawful disclosure of the information will be a criminal offence and any person found guilty of such an offence will be liable to a term of imprisonment or a fine or both.

3) Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

How is the adequacy of personal data for each purpose determined? (Please give examples.)

ONS has prepared a statistical business case setting out its requirements for access to Value Added Tax (VAT) expenditure data (VAT purchases from Box 7 of the VAT returns received by HMRC) and return receipt data from HMRC’s VAT system. Access to these data is essential in order to enable ONS to meet increasing demands for new and improved business statistics, reduce the burden on businesses and, in the longer term, provide a more accurate and cost effective means of monitoring business change and economic cycles.

By adding expenditure and date of receipt variables to the existing VAT turnover data ONS would have an accurate information source for all but the smallest taxable businesses for the two most fundamental financial variables and for related reporting patterns.
The availability of this information will support vital work to:
– enhance the accuracy and quality of major economic indicators derived from the Annual Business Survey (e.g. predicted values for turnover and expenditure as well as the predicted values for the Gross Value Added and Employment Costs variables);
– investigate the feasibility of estimating key monthly indicators, quarterly supply-use tables and quarterly intermediate consumption as well as changes in relationships between survey and VAT data across a full economic cycle;
– develop a better understanding of the movement of intermediate consumption in relation to Gross Value Added and output during a recession; and
– analyse reporting patterns to establish the best statistical methods for producing accurate short term economic indicators.

In addition, the information will contribute to wider work being undertaken by the Government including the formulation, evaluation and review of monetary and fiscal policy as well as macro-economic forecasting. In particular, the Bank of England and the Monetary Policy Committee would have more reliable short-term estimates of GDP at the time they needed for interest rate decisions.

Access to the VAT expenditure data will enable ONS to improve efficiency and value for money in its data collection, increase quality by greatly extending coverage of small businesses beyond a small sample and reduce the costs to businesses of providing data.

Officials from HMRC have supported this work and contributed to the development and review of the statistical business case.

How is an assessment made as to the relevance (i.e. no more than the minimum required) of personal data for the purpose for which it is collected?

Not applicable.

4) Personal Data shall be accurate and, where necessary, kept up to date.

Is the information only being used for statistical purposes?

Yes.
Section 33 of the Data Protection Act 1998 provides that information used only for statistical purposes does not have to be kept up to date.

If “No” to the above question please describe the safeguards in place to ensure information is being kept up to date.

Not applicable.

5) Personal data shall not be kept for longer than is necessary.

Is the information only being used for statistical purposes?

Yes. The information will only be used for statistical purposes and therefore may be kept indefinitely.

If “No” to the above question please describe the safeguards in place to ensure information is only being held for as long as necessary.

Not applicable.

6) Personal Data shall be processed in accordance with the rights of data subjects under this Act.

Right to make a Subject Access request

Please describe the procedures in place to provide access to records under this principle. (Please note information held for statistical purposes is exempt from this right.)

ONS is exempt under s.33 of the Data Protection Act 1998 from providing access to personal data under a subject access request. ONS’s policy is not to provide access as the records it holds are subject to statistical processes that may modify the records to make them suitable for the production of relevant business statistics. The records are not held as a definitive record of an individual’s personal circumstances. If disclosed through a subject access request, this could mislead the individual and cause unnecessary concern, harm or distress.

Processing that may cause Damage or Distress

Please describe safeguards to ensure that there is no damage or distress caused to the data subject.

To benefit from s.33 of the Data Protection Act 1998 the processing must not cause damage or distress to individuals. ONS policy, practice, and statute law require that no information relating to an identifiable individual is disclosed, whether in a statistic or through any of our data handling processes.
Similarly, ONS’s policies and procedures would not allow anyone to make any decision or take any action that could affect an individual.

Right to Object

Does your project have a process for passing S10, S11, S12, or S14 DPA notice to the ONS Data Protection Officer?

Yes. ONS has a standard process in place which is described on its website here:

Information Charter
http://www.ons.gov.uk/about/information-charter/index.html

Confidentiality
http://www.ons.gov.uk/about-statistics/methodology-andquality/quality/quality-projects/risk-mgmt/confid-data-collected-forstatl-purposes/index.html

7) Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Will this data be processed in line with ONS’s data security policies?

Yes. The Information Asset Owner for the data when held in ONS will be Caron Walker. ONS Information Asset Owners follow the policies for Information Security agreed at an Executive level committee and signed off by the ONS Senior Information Risk Officer. The VAT expenditure data will be entered in the ONS Information Asset Register. ONS meets all the data handling mandatory measures as set out in the O’Donnell review and incorporated into the Security Policy Framework. All ONS staff have completed and passed an information security learning package.

If No, please briefly describe the safeguards that will be in place.

Not applicable.

8) Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Is the information being transferred outside of the EEA?

No.

If “Yes” where is it to be transferred? and what protection does that country offer? (e.g. is it a member of the Safe Harbour scheme?)

Not applicable.