Article by Robin Williamson, Senior Technical Editor, Croner.CCH.
Published in the August 2001 issue of Tax Adviser.
• Under the Data Protection legislation, taxpayers will soon have the right of access to their files held in paper form by the Revenue departments.
• From a date yet to be decided, access will be extended to paper records held in unstructured form.
• Customs and Excise have released some details of how they propose to implement these changes, but the Inland Revenue are still considering the question.
• In practice these rights are likely to be hard to gain access to, unless the person lodging the request has a sound knowledge of the internal working of the department they are dealing with; and even then the exigencies of taxpayer security and confidentiality are likely to prove a stumbling block.
From 24 October 2001, the rights of data subjects under the Data Protection Act 1998 will be extended to manual records held in structured filing systems. At present they only extend to records held on computer.
This means, in practice, that citizens will have access to their paper files lodged in government departments on broadly similar terms as they now have access to their computer files.
At some later date, the right of access will be extended to paper records held in unstructured form by public authorities. This will be effected by bringing into force an amendment made to the Data Protection Act 1998 by the Freedom of Information Act 20001. The Freedom of Information Act 2000 is being phased in over a period of five years from the date of its passing on 30 November 2000, and at present there is no agreed timetable for giving effect to this amendment.
The purpose of this article is to consider what these changes will mean for taxpayers, by giving an overview of the legislation, and setting out what is so far known about how the Inland Revenue and Customs and Excise will implement them.
The data protection laws for taxpayers
This section aims to give a very brief overview of the data protection laws which taxpayers and their advisers might need to use in their dealings with the Revenue. It is not (nor in the space available could it be) in any way a comprehensive account of those laws which are wide-ranging and very complex.
Under the Data Protection Act 1998 (‘DPA’), persons and organisations which manage the processing of data (‘data controllers’) have a duty to comply with certain principles (‘the data protection principles’) in respect of all personal data under their control2. For the purposes of the DPA, ‘data’are of four types3:
• data held in a computer system (‘automated data’);
• data which are recorded with the intention of being processed automatically;
• data which are held manually in a filing system arranged by reference to individuals or to criteria relating to individuals, ‘in such a way as to make it readily accessible’ (a ‘relevant filing system’); or
• data which form part of an ‘accessible record’, a term which covers certain health, education, housing and social work records.
Under the DPA, there are two ‘transitional periods’4. During the first transitional period, the DPA only applies, broadly, to automated data, or information obtained for processing as automated data – that is, the first two categories of data listed above. These are referred to in the Act as ‘eligible automated data’. The first transitional period ends on 23 October 2001, and thereafter, data protection extends to ‘eligible manual data’ as well – for the purposes of the present discussion, the third category.
Returning to the definition of ‘data’ summarised above, ‘personal data’ are data which relate to a living individual who can be identified from the actual data, or from other information to which the data controller may have access5. The term includes expressions of opinion about the individual, and any indications of the intentions of the data controller or of any other person concerning that individual.
The ‘data protection principles’ designed to protect the integrity of personal data and the rights of the individual who is the subject of it (‘the data subject’) are eight in number6. These include the obligation to process personal data fairly and lawfully; to obtain such data only for specified and lawful purposes; to ensure that they are accurate, relevant and not excessive in relation to the purposes for which they are processed; not to keep them longer than necessary; to take appropriate technological and organisational measures against unauthorised processing and against loss, destruction or damage of data; and not to transfer data outside the European Economic Area unless the destination country has adequate protection for the rights of data subjects.
Of particular interest from a practical viewpoint is the fourth data protection principle – personal data must be accurate and, where necessary, kept up to date – and the sixth – personal data must be processed in accordance with the rights of data subjects under the Act7.
The right of subject access 8
Within the ambit of the sixth data protection principle is the right of subject access. The data subject has the right to be informed whether the data controller processes information about him, and, if that is the case, to be given a description of the data, the purposes for which it is processed, and to whom it is to be disclosed. The data controller must also communicate, in an intelligible form, any information contained in the data, and any information the data controller has about the source. That is subject to rules protecting the identity of any individual who might be identifiable from the information to be supplied.
The request must be in writing and must enable the data controller to satisfy itself as to the identity of the person enquiring, and to locate the information sought. The data controller must comply with the request within 40 days. The data must be communicated in the state they were in when the request was received – this may take account of any amendments or deletions made in the meantime, and which would have been made regardless of the request9. Clearly this outlaws any attempt by the data controller to manipulate the data in order to avoid disclosing something which it is obliged to disclose but which might cause embarrassment.
Right to prevent processing of certain data 10
Among the other rights of data subjects is the right to prevent, by notice to the data controller, the processing of data in certain cases, particularly where such processing is likely to cause substantial, unwarranted damage or distress to the data subject or to another. This may be resisted by the data controller on various grounds, including:
• the data subject has given his consent to the processing;
• the processing is necessary for compliance with any legal obligation to which the data controller is subject (other than one imposed by contract);
• the processing is necessary in order to protect the vital interests of the data subject.
The fourth data protection principle can be enforced by court order. The data subject may apply to the court for an order that data which are inaccurate, or which contain an expression of opinion based on inaccurate data, be rectified, blocked, erased or destroyed. Where the data controller has taken reasonable steps to ensure the accuracy of the data, but the data subject has nevertheless expressed the view that they are inaccurate, the data controller must indicate that fact, and may be required to set out ‘a statement of the true facts relating to the matters dealt with by the data’. Where data have been rectified, blocked, erased or destroyed under this provision, the court may also order the data controller to notify third parties of the fact.
Neither the fourth data protection principle, nor the right to apply to the court under this provision, will apply in respect of paper records which were held before 24 October 1998 (when the DPA first began to have effect) until after the end of the second transitional period (23 October 2007).
Right to compensation 12
An individual who suffers damage because of a contravention by a data controller of any of the requirements of the DPA is entitled to compensation from the data controller. An individual who has suffered both damage and distress is also entitled to compensation for the distress. (Where the contravention arises because personal data is processed for the purposes of journalism, or artistic or literary purposes, it is sufficient to show distress alone.) It is a defence in any proceedings for the data controller to prove that it had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.
General exemptions 13
Data controllers are exempt from complying with any or all of the data protection principles in particular cases. For example, where exemption is required for the purposes of safeguarding national security, the data controller is exempt from all the data protection principles14; or where the data is already in the public domain under any enactment, the data controller is exempt from the provisions dealing with subject information, accuracy and non-disclosure15.
Of particular importance to the present discussion are the exemptions relating to crime and taxation16. Personal data which are processed for the purposes of the following matters:
• the prevention and detection of crime;
• the apprehension or prosecution of offenders; or
• the assessment or collection of any tax or duty or of any imposition of a similar nature,
are exempt from the first data protection principle (personal data to be processed fairly and lawfully) and from the right of subject access, ‘to the extent to which the application of those provisions to that data would be likely to prejudice’ any of those matters.
Unauthorised disclosure 17
There is a criminal offence of ‘knowingly or recklessly’ obtaining or disclosing, or procuring the disclosure of, personal data without the consent of the data controller. It is a defence to show that such obtaining, etc., was necessary for the purpose of preventing or detecting crime, or was required or authorised by any enactment, rule of law or court order. It is also a defence for the accused person to show that he reasonably believed he had the right to obtain, etc., the data, or that he would have had the consent of the data controller if the data controller had known about it, or that in the particular circumstances the obtaining, etc., of the data was in the public interest.
Extension to unstructured manual data
The passing of the Freedom of Information Act 2000 (‘FOIA’) is remarkable for the fuss it has failed to generate, in contrast to the rather more colourful Human Rights Act 1998. This is unsurprising: the FOIA reads like a statement not of what citizens have a right to know, but of what government departments have a right to withhold. But there is one area where it interacts interestingly with the DPA, to confer – albeit then to restrict – rights of access by individuals to personal data held about them by public authorities in manual ‘unstructured’ form – i.e. all paper records, even if they are not part of a ‘relevant filing system’ or of an ‘accessible record’18.
This is quite radical, it may be thought. Take the Inland Revenue or Customs, for instance. Loose papers lying about in different locations around the country could potentially come within the purview of the amended data protection legislation. So could all sorts of scribblings by local Revenue officers, draft minutes or memoranda on bits of A4 setting out opinions on the conduct or motives of an individual taxpayer, and how it is intended to bring him to book. Enquiries could be halted in their tracks by a simple request for any indication, in draft notes held in an officer’s desk drawer, about why personal bank accounts had been asked for, or why the enquiry was being conducted in the first place.
There is not yet, however, any cause for undue excitement among citizens, or alarm on the part of the authorities, for two reasons. First, because implementation is still far off (see opening discussion). Secondly, the FOIA, having extended the scope of the DPA to unstructured paper records, then effectively strips away all the data protection rights but one – the right of subject access19 — itself heavily circumscribed20. The public authority is not obliged to produce such data unless the request contains a description of them. Even then, the authority is not obliged to comply with the request if it estimates that the cost of so doing would exceed ‘the appropriate limit’, which is to be prescribed by regulation. The method of estimation used by the authority is also to be prescribed by regulation. In both cases, regulations are to be subject to the negative resolution procedure, which effectively means little or no Parliamentary scrutiny.
There are other exclusions, notably in respect of personnel matters relating to service under the Crown.
Less a charter for the citizen, it may be thought, than for Sir Humphrey Appleby. There is however, one small crack in the armour – the public authority will be obliged to say at least whether or not it holds the information requested, unless the estimated cost of supplying that information alone would exceed the appropriate limit.
Proposed implementation by Revenue departments
Customs and Excise have given Tax Adviser outline details of he how they propose to implement the changes discussed in this article from 24 October 2001. They will quite simply extend their existing DPA procedures, as set out in Notice 91A, to include the paper records now coming within the purview of the Act. Requests for information must be put in writing to the Data Controller, 1st Floor West, New Kings Beam House, 22 Upper Ground, London SE1 9PJ. Requests can also be e-mailed to email@example.com. The request must contain the name and address of the enquirer (it is understood that many requests omit this vital information!) together with a personal reference number, the name of the system on which the record is held (if known), the part of the department which holds the information, and the type of information required. Customs will respond within 40 days, and may refuse the request if to grant it would prejudice the detection or prevention of crime, the arrest or prosecution of an offender, or the assessment or collection of any tax or duty. There is a complaints procedure as outlined in Notice 1000.
The Revenue were also contacted and asked how they proposed to implement the changes. They issued the following statement:
‘The Inland Revenue is very conscious of its legal obligations under the Data Protection Act and we are currently considering how best we can comply with those obligations in practice.’
While the breadth of the data protection legislation in its present form is welcome in the interests of openness, and in particular the forthcoming extension to personal files on paper, there remain quite formidable obstacles to individuals making full and efficient use of their rights under the DPA. It is likely that many difficulties will revolve around s. 7(3) of the DPA:
‘A data controller is not obliged to supply any information under this section unless he is supplied with such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information which that person seeks.’
The need to provide the data controller with enough information to enable it to locate the data requested may prove a stumbling block to the unassisted taxpayer, or even to the adviser with insufficient knowledge of the internal workings of the Revenue or Customs to know precisely how the information sought is maintained, and where it can be found. Vague requests for information would probably meet with a rebuff. The new, highly circumscribed right to unstructured manual data under the FOIA is likely to prove virtually worthless unless whoever seeks the information has a very clear idea of precisely what needle they are looking for in the haystack of paper records kept by Revenue and Customs. The need to prove the identity of the person making the request could prove even more difficult to meet. The Revenue departments are understandably cautious, even over-cautious, about security and taxpayer confidentiality; and in any attempts by them to balance their obligations under the DPA with their obligations to maintain security and confidentiality, the scales are likely to be tipped in favour of the latter. Hence, in all likelihood, the evasive nature of the Revenue’s statement
So in practice these rights are likely to be hard to gain access to, unless the person lodging the request has a sound knowledge of the internal working of the department they are dealing with; and even then the exigencies of taxpayer security and confidentiality are likely to prove a stumbling block. In short, accessing a taxpayer’s rights under the DPA, even after 23 October, is likely to prove a major challenge to the tax adviser, and – for the unrepresented taxpayer – one that may be all but impossible to surmount.
1 FOIA, s. 68-72
2 DPA, s. 4(4)
3 DPA, s. 1(1)(a)–(d)
4 DPA, Sch. 8
5 DPA, s. 1(1)
6 DPA, Sch. 1, Pt. I
7 DPA, Sch. 1, Pt. I, para. 6
8 DPA, s. 7
9 DPA, s. 8(6)
10 DPA, s. 10
11 DPA, s. 14
12 DPA, s. 13
13 DPA, Pt. IV
14 DPA, s. 27
15 DPA, s. 35
16 DPA, s. 29
17 DPA, s. 55
18 DPA s. 1, amended by FOIA, s. 68(2)(a)
19 Public authorities will also be bound by the fourth data protection principle (accuracy) in relation to unstructured manual data, but not until after the end of the second transitional period under the DPA – i.e. after 23 October 2007. See FOIA, s. 70(3), inserting DPA, Sch. 8, Pt. III, para. 14A.
20 FOIA, s. 69, inserting DPA, s. 33A.
020 7235 9381
August 2001 by