Draft law lets council bods snoop your tax records

Powers extend well beyond justification for data-sharing

Opinion The Local Government Finance Bill, now before Parliament, is drafted in such a way that it could permit the routine disclosure of tax records and other personal data held by HMRC to council officers for several council tax-related purposes.

The powers also allow HMRC to disclose such details directly to contractors of the council (eg, perhaps those IT service providers based overseas or in the cloud); this could permit tax details to go to many interesting destinations outside the European Economic Area.

Having said that, there is one very important surprise in the legislation, which I explain at the end of this blog.

So how can we be confident that routine data sharing between councils and HMRC is a possible outcome? As readers know, there is an exemption from the non-disclosure provisions in section 29 of the Data Protection Act that covers the “assessment or collection of any tax or duty...”; clearly "council tax" is a “tax” as required by section 29.

This exemption from the non-disclosure provisions permits the disclosure of personal data by HMRC to a council assessing/collecting Council Tax, on a case-by-case basis, without the need to consider the Principles and the data subject rights that could interfere with such a disclosure (eg, right to object to disclosure). However, the HMRC has to be satisfied that failure to disclose to a council “would prejudice” the collection of council tax.

So, if the current law allows for disclosure in these important tax avoidance circumstances (eg, a case-by-case disclosure where prejudice to the collection of council tax exists), it follows that the new statutory gateway can permit disclosure in circumstances where these tax avoidance factors are not relevant to any decision by the HMRC on whether or not to disclose to a council. For instance, those disclosures which are not “case by case” (eg, routine) and where there is no “prejudice” to the collection or assessment of council tax.

Also note that the word “relate” is unqualified, so “purposes relating to council tax” could easily extend to any council purpose that depends on the collection of council tax; in this way many council functions become arguably related to council tax. This risk would not be present if the legislation stated that the disclosure was restricted to the “council tax purpose”.

For completeness I provide an annotated example of the data-sharing provisions (from clause 15 of the Bill):

(1) A Revenue and Customs official may supply information which is held by the Revenue and Customs in connection with a function of the Revenue and Customs to a qualifying person for prescribed purposes relating to council tax. (My emphasis)

(2) The following are qualifying persons for the purpose of this paragraph:

(a) a billing authority in England; (Comment: this is the council tax function; below are the powers to disclose directly to contractors);
(b) a person authorised to exercise any function of such an authority relating to council tax; and
(c) a person providing services to such an authority relating to council tax.

(3) Information supplied under this paragraph may be used for another prescribed purpose relating to council tax. (Comment: note the word “relating” means that the purpose has to have some relationship with council tax purpose – eg, purposes based on the need to collect council tax).

(4) Information supplied under this paragraph may be supplied to another qualifying person for a prescribed purpose relating to council tax (whether or not that is a purpose for which it was supplied). (Comment: this is a general provision to negate the protection offered by the Second Data Protection Principle – incompatibility of the purpose of disclosure to the purpose of collection of personal data. It also negates the Third Data Protection Principle if the data items to be disclosed were to be specified in regulations.)

So how does the government explain the need for these data-sharing provisions? The “Explanatory Notes” accompanying the Bill state:

Local authorities will need to use information held by HMRC to determine whether a person is entitled to a reduction in council tax. These provisions will reduce the need for authorities to collect information from persons claiming a reduction when it has already been supplied to HMRC and will help to ensure the information used to calculate a reduction is accurate. These information sharing powers are therefore needed to ensure local authorities are able to administer council tax efficiently and to help prevent fraudulent claims for a council tax reduction (Paragraph 127).

In other words, the justification proffered falls within the existing section 29 exemption. It amounts to a check on whether the HMRC and Local Authority agree that a person claiming a single person's council tax reduction also relates to a single person in relation to Child Benefit (what remains of it, I mean) or tax credit claims. You simply do not need general data-sharing powers relating to data subjects who are NOT claiming this reduction; you do not need powers that link to purposes that can extend well beyond the official justification.

Now we come to the really interesting bit I promised. There is a provision that states: “Regulations under this paragraph must not be made except with the consent of the Commissioners for Her Majesty’s Revenue and Customs”. This is the first time I have seen that the exercise of Ministerial Powers is to become subject to a veto by someone who is not the minister.

I think this has broken the ice in a very important way. Wouldn’t it be nice to see ALL data-sharing powers similarly subject to an independent review – for instance, “Regulations under this paragraph must not be made except with the consent of the Information Commissioner”?

Now we can dream on, but such a provision would be real data protection from the excess of ministerial powers; and I can think of a number of places where I would put it! ®

References:

The Bill and its Explanatory Notes (at the time of presentation to the House of Lords) can be found here.

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
