Customer Service Manual - Section 12 : Data Protection Act (DPA)

Previous PageSection ContentsNext Page

The Data Protection Act 1998

Introduction test

The Data Protection Act 1998 (DPA) came into force on 1 March 2000, although the mandatory right to see manual records did not come into force until 24 October 2001. The DPA 1998 replaced the DPA 1984 and the main change is that it now allows individuals to see their manual records as well as those held electronically. The DPA was enacted to ensure that personal information is accurate, used properly and that it’s privacy is protected.

The DPA sets out the principles by which we handle personal data and gives living individuals the right of access to their personal data.

Who has access?

The DPA is concerned with the processing of personal data relating to living individuals. This means requests for personal information can only be made by a living individual. For example - an executor cannot obtain information about a deceased person under the subject access provisions contained within the Act. It is worth noting that companies, trusts and partnerships are not living individuals under this act. Although please consider their rights under ‘Freedom of Information Act 2000’ (FOIA).

What is personal data?

Personal data is information that relates to a ‘living individual’ who can be identified from that data, or from that, together with other information that we hold. Data means information which is recorded as part of a relevant filing system. A relevant filing system is a set of information structured by reference to individuals or in such a way that specific information relating to individuals is readily accessible.

Background

The Information Commissioner’s Office (ICO) has provided guidance on the definition of personal data. This is available on their website via a Technical Guidance Note - What is data (28/01/09). Section 5 is headed, “Is the data used, or is it to be used, to inform or influence actions or decisions affecting an identifiable individual?” [There is an example (under 5.1) which says: “Where the value of a particular house is used to determine an individual liability for Council Tax, or is used to determine the assets of an individual or individuals in proceedings following divorce, then this will be personal data because the data about the house is clearly linked to the individual or individuals concerned.” In other words, information that relates purely to a property and does not refer explicitly to an individual may still be personal data.] In addition, someone doing a title search at HM Land Registry can often connect a property to its current and previous owners. This, too, can lead to information about a property being classified as personal data. Please note the Information Commissioner has confirmed this approach in Decision Notice reference FS50090387, that the DPA can be engaged when considering the release of sales information from Particulars Delivered (PDs). See paragraphs 5.9 to 5.11.

Most of our records are categorised by number (or address). The Act says our records are still personal data if they relate to a living individual who can be identified from other information we hold. By using the operational databases it is often possible to trace the record of an individual, for example via our Stamp Duty Land Tax or Particulars Delivered records for a Mr & Mrs Z in Xtown. But if it is impossible to trace a record by name only e.g. Mr Smith and he refuses to give an address which he may have bought or sold then the information becomes impossible to trace and so is not classed as personal data.

Therefore in order to carry out our functions we identify there are three types of Personal Data and these are:

Property Personal, People Personal and Sensitive Personal Data

On receipt of information from a taxpayer, claimant, customer or third party you must consider whether the information provided is:

  • People Personal Data – this includes data that can directly identify an individual such as name, address and contact details.
  • Property Personal Data - this represents the vast majority of the data we collect and includes such information as number of bedrooms, the area and type of a property.

It may seem strange that that property data is classed as personal as it is often in the public domain. For example, it’s very easy to determine that a property is a semi-detached house by simply viewing it from the street. However, we collect or receive information specifically for the purpose of carrying out our statutory functions and we should only disclose such information if the disclosure is linked to performing our statutory functions. An example of when it could be appropriate to disclose property attribute data might be to assist in the progression of an appeal, however, this disclosure would not be appropriate in the handling of a general enquiry.

  • Sensitive Personal Data – this is information that we usually don’t need to know about to do the job but may be inadvertently provided to us. It also includes personnel data held about us as employees of the VOA. The DPA classifies the following information as sensitive personal data:

(a)the racial or ethnic origin of the data subject,
(b)the individual’s political opinions,
(c)the individual’s religious beliefs or other beliefs of a similar nature,
(d)whether the individual is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e)the individual’s physical or mental health or condition,
(f)the individual’s sexual life,
(g)the commission or alleged commission by the individual of any offence, or
(h)any proceedings for any offence committed or alleged to have been committed by the individual, the disposal of such proceedings or the sentence of any court in such proceedings.

Our approach to Personal Sensitive Data

  • We will not record sensitive personal data on the cdb, other than individual’s contact details. The cdb is a property database and data should be property related.
  • We will not redact written information or e-mails. However, when we are provided with information that we do not need to carry out our work we will return this to the provider.
  • When information is provided verbally only appropriate, non-sensitive elements should be recorded on the database and any initial notes of the conversation should be disposed of as restricted.
  • We do record property personal data.
  • We do record people personal data when it is relevant to the case.
  • When disclosing sensitive information about your colleagues, consider what is reasonable and proportionate to the circumstances and is it necessary to make a detailed permanent record of what is said.

For guidance on how to register the details of Potentially Violent People (PVP) please refer to the HR Manual.

Do not write or record any information to a clerical or electronic file unless it is required for and relevant to the case

Individuals’ Rights of Access

The Act gives an individual the right to request a copy of the personal data on him or her held by a data controller. The Valuation Office Agency (VOA), as an executive agency of HM Revenue and Customs (HMRC), comes under HMRC for the implementation of the DPA. For most VOA data HMRC is the “data controller” and their reference number is Z9034158. There may be areas of work within our Commercial Services (DVS), which we undertake on behalf of our clients, rather that HMRC. In these circumstances we can be a “data processor” and it is the client who is the “data controller” rather than HMRC. If this is the case, it will affect how we respond to the requester, as the request should be directed to the relevant data controller.

The legal term for a request for personal information is a ‘Subject Access Request’ (SAR). All such requests should be made in writing (this can include emails), but they do not have to mention the DPA 1998.

Under the Act an individual only has a right to see his or her own personal information. However it is our policy is to allow someone to see information related to his or her property, providing this does not breach any third party’s right to confidentiality under DPA or the Commissioners for Revenue and Customs Act 2005 (CRCA). We do have to be very careful as documents may mention confidential information about a third party which the individual can’t see.

This means that all documents will need to be carefully sifted, before copying or viewing is allowed. Even then if say the content of a neighbour’s letter could make it easy to work out who was the author with their name and address deleted (redacted), this letter (data) is exempt from the SAR, under section 7(4) DPA, and must not be released.

Processing and handling a Data Protection Act (DPA) Request (know as a Subject Access Request (SAR))

The VOA has a dedicated email address on its website for requests, under DPA, under Access to Information and these requests are received by the VOA Customer Service Team (CST) who will log them on Customer Contact Record (CCR), acknowledge them as appropriate, and pass then to the relevant business unit. If a SAR is received in one of our local offices it should be logged on CCR, main subject “DPA 1998” acknowledged and allocated to the relevant business unit /area. The full reply should be overseen by the CSM.

It is very important first to verify the identity of the person making the SAR. This is to prevent unauthorised access to taxpayers’ personal records. We need to be satisfied that the request is made by the Data Subject, or have written verifiable consent of the Subject. The DP Act allows a data controller to ask for sufficient information to verify the authenticity of the person making the subject access request.

There are a number of ways to verify the identity:

  • the person full name and address
  • any other names by which they may have been known.
  • their date of birth
  • their previous addresses in the past 5 years (if applicable)
  • any personal reference number(s) that HMRC may have given them, for example their National Insurance number, tax reference number or VAT registration number
  • ask to see a copy of a council tax or business rates bill, tenancy agreement as proof of connection with the property and match it with sufficient verifiable information e.g. driving licence / passport that enables you to verify who they say they are.

If required the CST can verify information through HM Revenue & Customs’ FOI and DPA Policy Team at 100 Parliament Street, London, SW1A 2BQ. When verification has taken place a record of what has been seen should be recorded in CCR and the actual information can be returned or destroyed, as appropriate.

Once a request has been made our records are ‘frozen’ and we can’t destroy or weed out any undesirable information. However section 8 (6) of the DPA says that “The information to be supplied pursuant to a request under section 7 must be supplied by reference to the data in question at the time when the request is received, except that it may take account of any amendment or deletion made between that time and the time when the information is supplied, being an amendment or deletion that would have been made regardless of the receipt of the request”. So it is important that our current policy on disposal of the specific record is followed.

Also when a member of staff is recording information, for example notes of a meeting with a taxpayer, it is important to record facts, i.e. what is said and to avoid recording opinions, which could be very embarrassing for the Agency. See the Third Principle Data Protection PrincipleLet the facts speak for themselves.

If someone approaches us and asks for all the personal information we hold on them, there are a number of places where the information’ may be held. Generally requests are made following contact with one of our business areas/units within the VOA and relate to what has been undertaken and should be handled by that business area/unit. However, a request may simply ask “for all the information you hold about me”, if there is no clear link to a business unit/area it will be necessary to carry out a wider search. It may be appropriate for the business area receiving the request to collate the information held on behalf of the Agency and consider whether joint or separate responses are required, seek further advice from the CSM/CST if this is unclear.

It does not matter whether these are manual records or held in some form of electronic record – we must print the electronic record and provide a copy. However, there is no need to provide both manual and electronic records unless they are different (in any way). Also as the DPA allows access to information, rather than documents, it may be more appropriate to provide an extract with context or possibly an explanation rather than just a print out of a series of codes, which only the VOA understands (for example dwelling house codes).

Possible VOA sources: -

Particulars Delivered (PDs)/ Stamp Duty Land Tax SDLTs)

District Valuer Services (DVS) or Housing Allowances (HA) cases

Council Tax / NDR proposals/ appeals

Customer Contact Record (CCR)

Complaint file

Forms of Return (FOR, Other Rental Information (ORI), Notice Requesting Statutory Information (NRSI)

If a business (sole Trader) check rating file for personal information

Central Databases (CDB) (EDRM) (VICTER)

Stored emails – anywhere in the VOA

Time limit and cost.

We have up to 40 days from the date the request is received by the Department together with enough details to allow us to locate the information and satisfy ourselves about the identity of the person making the request to reply. We do not charge for this service.

Storage of request and reply

We need to keep a record of SARs and a clear record of what has been provided with the relevant records / papers and in CCR in case of any further queries, requests, review and to enable us to produce accurate statistics for HMRC.

Please ensure for each SAR we have a clear record of, the date the SAR received; a record (notes) of any searches to establish what is held and / or handling issues about what should be provided; date response issued; and set out what information has been provided. The information provided can be documented in the SAR reply and if extensive as an appendix.

Staff – Personnel requests

All requests made by either past or present VOA staff for personal information held by the VOA should be sent to either Chief Executive’s Office Human Resources Team (HR) (unless there is someone designated to deal with Personnel at a local / business area / unit level). It may reassure staff to know that any personal information held by VOA is processed together with all customers’ data in accordance with the Principles.

VOA requesting information from the Billing Authorities (BAs)

There are statutory gateways which enable the VOA to request taxpayers’ names from a BA, when we are undertaking under our statutory functions. These are contained in S27(1) of the Local Government Finance Act 1992 for Council Tax and paragraphs 5H and 6 of Schedule 9 to The Local Government Finance Act 1988 for Rating. The DPA does not prevent a BA from disclosing this information to us. This is because Section 29(1)(c) of the DPA exempts personal data from the DPA’s non-disclosure provisions where it is to be used for the purpose of the assessment or collection of any tax or duty or any imposition of a similar nature.

In 2004 the Office of the Deputy Prime Minister (ODPM) sought the advice of the Information Commissioner in respect of the BAs providing the VOA with the names of "sole traders", as individuals. Subsequently ODPM gave BAs guidance in the Business Rates Information Letter (reference 4/2004).  This says, in essence, that such disclosures do not breach the DPA because the release of names is being used for the benefit of the ratepayer. Also the VOA uses the information for the same purpose that it was collected, i.e. the administration of the non-domestic rating system.

Billing Authorities (BAs) requesting information from the VOA

We sometimes receive requests from BAs for information we may have obtained from PDs, SDLTs and FORs. The DPA does not present any obstacles to such disclosure, for the reasons noted in the previous section. However, VOA staff have a separate statutory duty of confidentiality which prevents us from disclosing any information relating to taxpayers unless:

  • There is a lawful authority to disclose (see section 18 (2) or (3) CRCA 2005) sometimes called a “statutory Gateway”
  • There is consent from “each person to whom the information relates” the relevant taxpayer (section 18 (2) (h) CRCA 2005)
  • The information is already in the public domain – we can point them to its source

This means whilst the BA has a statutory duty to supply us with certain information we cannot reciprocate. This is because we all have an individual duty to comply with the Commissioners for Revenue and Customs Act 2005 (CRCA 2005) and there is no statutory gateway.

Under the Commissioners for Revenue and Customs Act 2005 (CRCA 2005) people convicted of making an improper disclosure can be sentenced to up to 2 years in prison, or a fine not exceeding £5000, or both.

Exemptions

There are a number of DPA exemptions that may apply and because of the implications of the CRCA it is not the policy of the VOA, and would breach both DPA and the CRCA, to reveal the names of third parties who have brought it to our attention that some alteration has taken place to a property for whatever reason.

Section 7 (sub section 4) - This applies where it would be impossible to comply with the SAR without disclosing information relating to another identifiable individual (third party) —for example where even if we ‘blanked out’ any reference to the third party’s name (and address) the individual who supplied the information could still be identified from the information they had provided. Sub section 4 states we are not obliged to comply with the request unless (a) we have the third party’s consent or (b) it is reasonable to supply the information without the third party’s consent. If you believe the information requested would reveal who the third party is then please refer the subject access request, and the relevant papers via your CSM, to The Customer Service Team at CEO for advice on how to proceed.

Also we need to be in a position to obtain comprehensive legal advice and may need to fully explore the factors that affect a case. With this in mind the exceptions that may apply are:

Schedule 7 (Miscellaneous Exemptions), paragraph 10 – legal advice (Legal Professional Privilege (LPP). This is different from Section 35 as this relates to disclosure, when it is required by law or made in connection with legal proceedings etc.

Section 29(1) (c) – likely to prejudice the assessment or collection of any tax or duty;

Schedule 7 (Miscellaneous Exemptions), paragraph 7 – prejudice to negotiations (for example if there is an outstanding case)

The Data Protection Principles

The 1998 Act refer to eight principles. It is possible that a ‘subject access request’ reference is made to one of these ‘Principles’.

First principle - processed fairly and lawfully

Any use of personal data must meet one of the conditions in Schedule 2 of the DPA to be considered processed fairly and lawfully. One of the conditions in Schedule 2 is processing which is necessary for the exercise of any function of a public authority, so in almost all circumstances our need for information to carry out our function as a government agency will meet this condition.

The Act introduces categories of sensitive personal data and sets out the conditions (under Schedule 3 of the Act), which must be met in order for the recording/processing of this information to be lawful.

Note that the conditions in Schedules 2 and 3 are necessary but not sufficient for fair processing. In addition to meeting a relevant condition or conditions, the processing must also be “fair” generally, and provided for by law.

Second principle - obtained for one or more specified lawful processes

The customer must be told why the information is needed, and what we intend to do with it - this is the fair purposes code. Take a look at our Privacy Statement on our website.

Third principle - adequate, relevant and not excessive

Only information needed for our functions should be requested and retained. We should not record gratuitous personal comments or opinions.

Fourth principle - accurate and kept up to date

Data is classed as inaccurate if it is incorrect or misleading as to any matter of fact.

As most of our information is held for historical purposes we will not need to update,

and the need to keep it up to date under the fourth principle will not apply.

Fifth principle - Information should not be kept for any longer than necessary

The VOA’s information retention policy is being considered by our Data Team in the light of the Lord Chancellor’s Code Of Practice on the Management of Records under section 46 of the Freedom of Information Act. Further instructions pending

Sixth principle - processed in accordance with the individual’s rights under the Act

Customers are entitled to ask us if the VO is processing their personal information. They can ask and be given a description of that information, told why it is being collected and to whom it may be passed. They can ask us to stop the processing if it is likely to cause substantial harm however this is difficult to prove and it is very unlikely that we would be processing such information.

A request to stop processing is not a subject access request (SAR).

Seventh principle - keep secure

Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing, accidental loss, damage to, or destruction of personal data. The VOA handles data in accordance with our Security Policy Framework. For further guidance on data security take a look at the Data Security Homepage.(internal link)

Eighth principle - Personal data should not be transferred outside the European Economic Area (not the EEC) unless that country has adequate level of protection.

The VOA does not generally receive requests to transfer data outside the EEA.

Freedom of Information Act 2000 (FOIA)

Sections 67-73 of FOIA amended section 7 of the DPA with regard to access to unstructured data. FOIA was fully implemented on 1 January 2005 and is fully retrospective. (The implementation of the FOIA is covered in a separate section of this manual. Both DPA and FOIA requests should be considered, together, with full regard to your duty of confidentiality under the Commissioners of Revenue and Customs Act 2005.

Previous PageSection ContentsNext Page