Taxpayers, Data Protection and Revenue procedure
by Robin Williamson
This article follows on from The Right to Know which appeared in Tax Adviser, August 2001. In that article, I described how the data protection laws would assist taxpayers who asked to see data held about them by the Revenue departments after 24 October 2001. The purpose of this article, then, is twofold: to update the earlier discussion on gaining access to one’s personal records under DPA 1998 ; and to report on how the Revenue will deal with requests for subject access from taxpayers, contributors and tax credit claimants. Also discussed is the role of the Information Commissioner in policing DPA1998 , and the timetable for implementing the Freedom of Information Act 2000 (FIA 2000) that was announced in November 2001.
Article by Robin Williamson, a Senior Technical Editor with CCH. He gratefully acknowledges the assistance of Inland Revenue Policy Division who kindly contributed to and reviewed the material on Revenue practice. Published in February 2002 issue of Tax Adviser. KEY POINTS:
Taxpayers, data protection and Revenue procedure
- The Data Protection Act 1998 has extended an individual’s right to see data held on them by ‘data controllers’ to paper records held in filing systems, with effect from 24 October 2001
- The Inland Revenue have provided Tax Adviser with information about the procedure they will follow when an individual taxpayer, contributor or tax credit claimant asks to see personal data held on them by the Department
- The Information Commissioner oversees the operation of the data protection laws, and has certain powers when it is alleged that a data controller has not complied with the Act
- The Freedom of Information Act 2000 extends the right of access to paper records to personal data in ‘unstructured form’, but this is not expected to come into force until 2005
This article follows on from The Right to Know which appeared in Tax Adviser, August 2001. In that article, I described how the data protection laws would assist taxpayers who asked to see data held about them by the Revenue departments after 24 October 2001. The significance of that date was that it marked the beginning of the ‘second transitional period’ under the Data Protection Act 1998 (DPA 1998 Act), in which the so-called ‘right of subject access’ was extended from computer records to manual records held in structured filing systems.
In The Right to Know, I was able to report on how Customs & Excise proposed to handle their new responsibilities under DPA1998 . The Revenue were not then in a position to give any such details, but have now provided a helpful resume. The purpose of this article, then, is twofold: to update the earlier discussion on gaining access to one’s personal records under DPA 1998 ; and to report on how the Revenue will deal with requests for subject access from taxpayers, contributors and tax credit claimants.
Also discussed is the role of the Information Commissioner in policing DPA1998 , and the timetable for implementing the Freedom of Information Act 2000 (FIA 2000) that was announced in November 2001.
Data protection: the ‘right of subject access’
References here to ‘the right of subject access’ are to the rights given by DPA 1998 to individuals desiring access to personal data held about them by ‘data controllers’. Access may be had to data held in automated (computer) form and, since 24 October 2001, manual records kept in filing systems arranged by reference to individuals, or to criteria relating to individuals.
The right of subject access is but one of a number of rights under the data protection legislation, enshrined in eight ‘data protection principles’. These were summarised in The Right to Know. To recap briefly, they include the obligation on data controllers:
- to process personal data fairly and lawfully;
- to obtain data only for specified and lawful purposes;
- to ensure that data are accurate, relevant and not excessive;
- not to keep data longer than necessary;
- to guard against unauthorised processing, loss, destruction and damage of data; and
- not to transfer data outside the European Economic Area (EEA) unless similar data protection measures are in force in the country of destination.
The right of subject access consists of the right for an individual (the subject) to be told whether a data controller processes personal data about them, and if so, to have it communicated to them in an intelligible form. Usually the data controller must supply a copy of the data. The subject also has the right to be told for what purpose the personal data is processed, to whom it is to be disclosed, and to be given information about its source. There are provisions safeguarding confidentiality where a data controller cannot comply with such a request except by disclosing information about another identifiable individual.
The subject’s request must be in writing, and must give enough information to enable the data controller to locate the data. Under DPA1998, the data controller has a maximum of 40 days in which to comply with a subject access request (see below).
The subject has the right to stop processing of personal data where such processing is likely to cause substantial and unwarranted damage or distress, either to the subject or to another.
Dealing with a subject access request: Revenue practice
As might be expected, Revenue practice closely follows the procedure set out in DPA 1998 , but they will not levy the £10 charge allowed by the act. Every Revenue office has had at least one data protection officer since 1984, when the first DPA was passed. And, since August 2001, they have trained between 850 and 900 new and existing data protection officers in the new act.
When a Revenue office receives a subject access request from an individual taxpayer, contributor or tax credit claimant, they will fax it to the Data Protection Unit (DPU) in Longbenton on the day of receipt. The DPU will first carry out basic identity and security checks (details of name, any former names, address, National Insurance number (NINO) and tax office reference, if known, will generally be required). It will then consider whether the request contains enough information to enable the Revenue to trace the data, and will ask the applicant to provide any such further details that may be needed. Once the DPU has enough information to identify which offices might contain information about the applicant they ask each one to assemble the data. Each local office is responsible for reviewing their files and documents on a case by case basis to decide what information they may release under the Act. The local office will photocopy the appropriate papers and send them to the DPU. The DPU will collate all the information from the various offices and send it to the applicant with a leaflet explaining any jargon or acronyms, and – where the applicant has asked for copies of all his or her papers – a printout of the National Insurance Record.
When a file is particularly large, Revenue officers have been encouraged to let the applicant view the papers at the local office if this is mutually acceptable. But it has been made clear to them that even if an applicant takes up this offer, he or she may still ask for copies of the documents.
Although strictly DPA 1998 imposes a 40-day time limit to respond to a subject access request, data controllers are encouraged to reply as promptly as possible. The Revenue will aim to complete the whole process within the 40 days allowed. If the initial request does not contain enough information, and the DPU have to request further particulars, the Revenue will regard the 40-day time limit as starting to run only when the further particulars are supplied. But data controllers must not unduly delay in requesting further information. The Information Commissioner (see below) has made it known that she will regard as ‘unacceptable’ any delay by a data controller in:
‘requesting … the provision of any further details required to identify or locate the required information, where such delays resulted in the response to the subject access request being provided after forty days from receipt of the original subject access request.’
By 7 January 2002 the Revenue had received 324 requests and dealt with 238 within an average of 28 days.
Revenue staff are trained to recognise subject access requests when they come in. Their staff have been told that any request by an individual for his or her personal data is a potential subject access request. They have been told that requests do not have to be couched in any particular jargon, and it is not necessary to refer to any statutory provision although the Revenue have said it would be helpful if requests were clearly identified, e.g.using a clear heading. Nor will requests be rejected if they mistakenly refer to the wrong statutory provision, e.g. FIA 2000 rather than DPA 1998.
The Revenue require requests to be in writing (this is in any event a statutory requirement), and they must emanate from the applicant in person, not from an agent. But if a taxpayer specifically requests that copies of their personal data are sent to their agent the Revenue will do so. Although the Revenue will not accept subject access requests from agents, they will continue to provide copies of documents as part of their general commitment to customer service. For example an agent who takes on a new client often asks the Revenue for copies of the last tax return or accounts supplied. Subject to the relevant authority from the client the Revenue will continue to provide this service; they will not treat it as a request under DPA 1998.
The Data Protection Act 1998 requires that information is supplied in an intelligible form. The Revenue comply with this by providing a leaflet which explains the acronyms, jargon and technical expressions used.
Crime and taxation exemptions
Where personal data are processed for any of the ‘crime and taxation’ purposes, i.e:
- the prevention or detection of crime;
- the apprehension or prosecution of offenders; or
- the assessment or collection of any tax or duty, or of any imposition of a similar nature;
they are exempt from (inter alia) subject access, to the extent that allowing access ‘would be likely to prejudice’ such purposes.
Clearly, there will be instances in which the Revenue departments will have to make use of this exemption. Its extent, as shown by the language of DPA 1998 quoted above, is highly subjective. It would be understandable if the enforcement agencies interpreted the exemption more liberally than the Information Commissioner, whose views are recorded on her website as follows:
‘With regard to the … crime and taxation exemptions, the data controller should note the limitations on the use of this exemption. The data controller must consider each of the provisions in turn and decide which, if any, would be likely to prejudice any of the crime and taxation purposes, if they were applied. The data controller can only disapply those provisions which would be likely to‘prejudice one or more of the crime and taxation purposes and then only to the extent to which prejudice would be likely to result. If challenged, the data controller must be prepared to defend the decision to rely upon the exemption either to the Commissioner or to the Court. It would, therefore, be advisable for the data controller to ensure that each such decision is taken at an appropriately senior level within the data controller’s organisation and for the reasons to be documented.’
A likely source of tension might be the question of release of a document, parts of which might be prejudicial to one of the crime and taxation purposes. In such a case it is possible that the enforcement agency might wish to suppress the entire document, while the Commissioner might encourage them to release those parts which she judged were not prejudicial and to withhold the remainder.
The Information Commissioner
The Freedom of Information Act 2000 created the office of Information Commissioner from the former Data Protection Commissioner. The Information Commissioner, Elizabeth France, oversees the operation of the data protection and freedom of information laws. She may be contacted at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, tel: 01625 545 700; fax: 01625 524510); website: www.dataprotection.gov.uk. The website is worth a visit: apart from detailed guidance about the operation of DPA 1998, it contains a host of generally useful information about the data protection register, and a frequently-asked-questions (FAQs) section deals with basic matters such as how to lodge a subject access request and how to get a copy of one’s credit file.
The Information Commissioner has power to intervene where an enquirer believes that the data controller has wrongfully withheld information, or has unjustifiably delayed releasing it. An enquirer in such a position has three options:
The Freedom of Information Act
- apply to the Court alleging that the data controller has failed to comply with DPA 1998, and asking for an order that they comply;
- ask for compensation for any damage they have suffered as a result of non-compliance, and for any associated distress; and
- write to the Information Commissioner, who may do one of three things:
(a) make an assessment as to whether it is likely that the data controller has complied with DPA 1998;
(b) issue enforcement proceedings if she is satisfied that the data controller has contravened one of the data protection principles; or
(c) recommend that the complainant applies to the court alleging a failure to comply with the subject access provisions of DPA 1998 .
Over the New Year break, we mourned the sad passing of Sir Nigel Hawthorne, who uniquely represented the nation’s favourite mandarin, the Machiavellian, waspish, but endearing, Sir Humphrey Appleby. The Freedom of Information Act 2000 (FIA 2000) could have been a fitting creation of Sir Humphrey’s Department of Administrative Affairs. Its purpose is not so much to give free access to information, as to restrict it. Having begun by stating the basic principle of openness, the rest of the act goes on to list exceptions to the principle, and to place conditions on its exercise.
The FIA 2000 was passed on 30 November 2000, but most of its provisions will be phased in over a period of five years (the creation of the office of Information Commissioner, discussed above, is already in force). The Lord Chancellor’s Department has responsibility for implementation – the Freedom of Information and Data Protection website is at http://www.lcd.gov.uk/foi/foiact2000.htm. Each body subject to the act is obliged to adopt a publication scheme, and under the timetable announced by the Lord Chancellor on 13 November 2001, Central Government bodies are required to produce their schemes by November 2002. It is intended that the individual right of access to information under FIA 2000 should come into force for all public authorities in January 2005. The Revenue are presently working on a scheme, which will be published on their website in due course.
The main change to subject access rights under DPA 1998 that is brought about by FIA 2000 will be the extension of those rights to ‘unstructured manual data’ – paper records not held in a filing system. In theory, the scope of this extension could be quite wide, covering a variety of sensitive data which may not be destined for filing. However, as discussed in my earlier article, rights of subject access to such data are circumscribed in the same way as access to manual records held in structured filing systems. In addition, the public authority concerned is not obliged to comply with a subject access request in respect of unstructured data if it estimates that the cost of doing so would exceed ‘the appropriate limit’. That limit is to be set by regulation.
Against that, it is intended that a general ‘culture of openness’ should permeate public authorities in advance of FIA being brought into force. Time will be the judge of how well it takes root.
020 7235 9381
February 2002 by