Feeds

Draft law lets council bods snoop your tax records

Powers extend well beyond justification for data-sharing

Internet Security Threat Report 2014

Opinion The Local Government Finance Bill, now before Parliament, is drafted in such a way that it could permit the routine disclosure of tax records and other personal data held by HMRC to council officers for several council tax-related purposes.

The powers also allow HMRC to disclose such details directly to contractors of the council (eg, perhaps those IT service providers based overseas or in the cloud); this could permit tax details to go to many interesting destinations outside the European Economic Area.

Having said that there is one very important surprise in the legislation, which I explain at the end of this blog.

So how can we be confident that routine data sharing between councils and HMRC is a possible outcome? As readers know, there is an exemption from the non-disclosure provisions in section 29 of the Data Protection Act that covers the “assessment or collection of any tax or duty...”; clearly "council tax" is a “tax” as required by section 29.

This exemption from the non-disclosure provisions permits the disclosure of personal data by HMRC to a council assessing/collecting Council Tax, on a case-by-case basis, without the need to consider the Principles and the data subject rights that could interfere with such a disclosure (eg, right to object to disclosure). However, the HMRC has to be satisfied that failure to disclose to a council “would prejudice” the collection of council tax.

So, if the current law allows for disclosure in these important tax avoidance circumstances (eg, a case-by-case disclosure where prejudice to the collection of council tax exists), it follows that the new statutory gateway can permit disclosure in circumstances where these tax avoidance factors are not relevant to any decision by the HMRC on whether or not to disclose to a council. For instance, those disclosures which are not “case by case” (eg, routine) and where there is no “prejudice” to the collection or assessment of council tax.

Also note that the word “relate” is unqualified, so “purposes relating to council tax” could easily extend to any council purpose that depends on the collection of council tax; in this way many council functions become arguably related to council tax. This risk would not be present if the legislation stated that the disclosure was restricted to the “council tax purpose”.

For completeness I provide an annotated example of the data-sharing provisions (from clause 15 of the Bill):

(1) A Revenue and Customs official may supply information which is held by the Revenue and Customs in connection with a function of the Revenue and Customs to a qualifying person for prescribed purposes relating to council tax. (My emphasis)

(2) The following are qualifying persons for the purpose of this paragraph:

(a) a billing authority in England; (Comment: this is the council tax function; below are the powers to disclose directly to contractors);
(b) a person authorised to exercise any function of such an authority relating to council tax; and
(c) a person providing services to such an authority relating to council tax.

(3) Information supplied under this paragraph may be used for another prescribed purpose relating to council tax. (Comment: note the word “relating” means that the purpose has to have some relationship with council tax purpose – eg, purposes based on the need to collect council tax).

(4) Information supplied under this paragraph may be supplied to another qualifying person for a prescribed purpose relating to council tax (whether or not that is a purpose for which it was supplied). (Comment: this is a general provision to negate the protection offered by the Second Data Protection Principle – incompatibility of the purpose of disclosure to the purpose of collection of personal data). It also negates the Third Data Protection Principle if the data items to be disclose were to be specified in regulations.)

So how does the government explain the need for these data sharing provisions. The “Explanatory Notes” accompanying the Bill state:

Local authorities will need to use information held by HMRC to determine whether a person is entitled to a reduction in council tax. These provisions will reduce the need for authorities to collect information from persons claiming a reduction when it has already been supplied to HMRC and will help to ensure the information used to calculate a reduction is accurate. These information sharing powers are therefore needed to ensure local authorities are able to administer council tax efficiently and to help prevent fraudulent claims for a council tax reduction (Paragraph 127).

In other words, the justification proffered falls within the existing section 29 exemption. It amounts to a check on whether the HMRC and Local Authority agree that a person claiming a single person's council tax reduction also relates to a single person in relation to Child Benefit (what remains of it, I mean) or tax credit claims. You simply do not need general data-sharing powers relating to data subjects who are NOT claiming this reduction; you do not need powers that link to purposes that can extend well beyond the official justification.

Now we come to the really interesting bit I promised. There is a provision that states: “Regulations under this paragraph must not be made except with the consent of the Commissioners for Her Majesty’s Revenue and Customs”. This is the first time I have seen that the exercise of Ministerial Powers is to become subject to a veto by someone who is not the minister.

I think this has broken the ice in a very important way. Wouldn’t it be nice to see the following in ALL data-sharing powers similarly subject to an independent review – for instance, “Regulations under this paragraph must not be made except with the consent of the Information Commissioner”?

Now we can dream on, but such a provision would be real data protection from the excess of ministerial powers; and I can think of a number of places where I would put it! ®

References:

The Bill and its Explanatory Notes (at the time of presentation to the House of Lords) can be found here.

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Providing a secure and efficient Helpdesk

More from The Register

next story
WHY did Sunday Mirror stoop to slurping selfies for smut sting?
Tabloid splashes, MP resigns - but there's a BIG copyright issue here
Spies, avert eyes! Tim Berners-Lee demands a UK digital bill of rights
Lobbies tetchy MPs 'to end indiscriminate online surveillance'
How the FLAC do I tell MP3s from lossless audio?
Can you hear the difference? Can anyone?
Google hits back at 'Dear Rupert' over search dominance claims
Choc Factory sniffs: 'We're not pirate-lovers - also, you publish The Sun'
Inequality increasing? BOLLOCKS! You heard me: 'Screw the 1%'
There's morality and then there's economics ...
While you queued for an iPhone 6, Apple's Cook sold shares worth $35m
Right before the stock took a 3.8% dive amid bent and broken mobe drama
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.