Privacy Notice and Cookie Policy

Privacy Notice and Cookie Policy

A guide to what information Revenue Scotland holds and how you can access it.

Privacy Notice

Revenue Scotland respects your privacy and is committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data and tell you about your privacy rights and how the law protects you.

This Privacy Notice aims to give you the information on how Revenue Scotland collects and processes your data, what information we hold and how you can access it.

Responsibilities

Revenue Scotland is registered as a Data Controller with the Information Commissioner’s Office (ICO) Our registration number is ZA095120.   You can view it on the ICO Website.  This complies with the Data Protection Act 2018 and the General Data Protection Regulations (GDPR).

Our Data Protection Officer makes sure we respect your rights and follow the law.  If you have any concerns or questions about how we look after your personal information, please email the Data protection officer at: DPO@revenue.scot

Who are we?

Revenue Scotland was established as a Non-Ministerial Department on 1 January 2015 and is the tax authority responsible for the administration and collection of Scotland’s devolved taxes

What is Personal Data?

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, may also constitute personal data.

Revenue Scotland also  has legal obligations under Part 3 of the RSTPA 2014 (information) which provides special legislative protection for taxpayer information held by Revenue Scotland.

PTI means information  relating to a person  in connection with a function of Revenue Scotland and by which a person may be identified.   This protection does not just apply to individuals but includes companies, partnerships and other organisations.  It is additional and complementary to the protections in respect of personal data as set out in this this privacy notice.  

The data we collect and how we will collect it:

Revenue Scotland will generally collect personal data either directly from taxpayers or via their agent. There are six main ways personal data can be collected by Revenue Scotland.

1. Where the taxpayer, or their agent, submits a return directly through the online tax portal
2. Where the taxpayer or their agent contacts Revenue Scotland directly by telephone or written correspondence (this will include electronic and paper)
3. The taxpayer, or their agent, sends in a completed paper return form
4. Where the taxpayer registers for the payment of SLfT, and the subsequent submission of quarterly returns
5. Where RS uses its third party information powers
6. Where RS obtains information through formal information sharing agreements with other tax authorities or public bodies.

All information that Revenue Scotland holds, whether gathered, directly or indirectly from its delegates, will sit either within RS systems,  Scottish Government systems or, temporarily, within our delegate partners systems.

The data we collect includes but is not limited to:

Names, relevant property addresses, email addresses, telephone numbers (Personal telephone number or Business telephone number in relation to SLFT), National Insurance Number (or other tax reference or unique identifier from  the country in which the buyer is based), bank account details and case Notes linking both tax payer and transactions such as complaints, compliance, investigations etc.

In addition, Information is sometimes gathered without you actively providing it, through the use of cookies, Internet Protocol (IP) addresses and web statistics. These methods do not collect or store personal information or protected taxpayer information. Details on our use of cookies can be found here.

Call recording

This section explains how we use recording of phones calls within Revenue Scotland.

Calls made to Revenue Scotland Support Desk are recorded on the Contact Management system. Similarly all calls made to taxpayers and/or their agents may be recorded.

When a call is recorded we collect:

• A digital recording of the telephone conversation
• The telephone number of both parties (internal and external)

Personal data revealed during a telephone call will be digitally recorded, for example name and contact details, and information in these recordings may relate to the updating of  taxpayer record or when advice / guidance is sought on the taxes we administer.

Call recordings will be used to:

• establish the existence of facts relevant to the business of Revenue Scotland for purposes including investigating and resolving complaints and in connection with reviews and appeals
• for staff training purposes
• to take actions to protect staff from abusive callers
• to ensure Revenue Scotland is able to monitor and adhere to quality standards

All call recordings are held securely within our Contact Management System. Access to these recordings are controlled via the system and is restricted to a specific management group who must have justification for accessing the recording. 

Use of Email

Email is not considered a secure method of communication for PTI.  Whilst we can email you, we will not be able to discuss personal tax information unless you tell us that you are willing to accept the risks of doing so. Revenue Scotland uses a Secure messaging Service (SMS) with agents instead of direct email.   

• If you would like to use email we will share with you the risks associated with the use of email and ask you to confirm in writing:
• That you understand and accept the risks of using e-mail
• That you are content for tax and financial information to be sent by email
• That attachments can be included

Further information on the risks can be found here.

Our legal basis for processing for the personal data:

The lawful basis for processing of the Scottish devolved taxes is article 6(1)(e) of the General Data Protection Regulation (GDPR).

“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”

The legal basis for processing personal data in connection with email addresses is consent.

For information such as contact details that doesn’t relate to tax collection or management, we have sought consent for the use and holding of this information (e.g. stakeholder lists for general communication and news/information)

You have the right to withdraw consent at any time by contacting us.

The legal basis for processing all other personal data is that it’s necessary:

• to perform a task in the public interest
• in the exercise of our functions as a statutory tax authority

Why do we need your personal information?

We may need to use some information about you to:

• ensure you have paid the correct amount of tax
• contact you or your solicitor if there are any issues or if we need to clarify any detail
• help investigate any worries or complaints you have about our processes
• check the quality of our support, and
• help with research and planning of new provisions.

How the law allows us to use your personal information:

We need to collect and use your personal information for a number of legal reasons. Each business area within Revenue Scotland might have a different legal reason for processing your data. Generally, we collect and use personal information where:

• it is required by law
• it is necessary to perform our statutory duties
• to help us process your tax return
• it is necessary for employment purposes
• you have made your information publicly available
• we need it for legal cases
• we need it for archiving, research, or statistical purposes.

Disclosure

Personal and/or personal sensitive information in the possession of Revenue Scotland, for the exercise of its functions,  may be shared with  other organisations where legally required or permitted.  We will never sell your personal information to commercial companies.

All sharing of personal data occurs only in clearly defined circumstances and within the legislative bounds set by the RSTPA, the GDPR and other relevant legislation. Information disclosed will be proportionate, relevant and appropriate for the purpose it is being shared for and will be transferred in a secure manner, making it available to authorised users only.

In these cases the overarching principles that will apply will be:

• All information sharing shall occur within the existing bounds of the three Tax Acts;
• the Data Protection Act 2018 GDPR and the European Convention on Human Rights (ECHR) and will be proportionate, relevant and appropriate for the purpose it is being shared
• All sharing shall be evidenced, accounted for and recorded
• Sharing will take place within the bounds of Data Sharing Protocols/Information Sharing Agreements
• Revenue Scotland may have a legal obligation to share information, for example with Registers of Scotland or HMRC. Where the sharing of personal data is discretionary this shall be done in full compliance with data protection legislation
• Confidentiality and respect for a taxpayer’s right to privacy shall be the default position in respect of any decision to share information with others

The table below sets out who has access to the information and whom we may share it with:

Group	Interest
Revenue Scotland staff	Have responsibility for the collection and management of the devolved taxes and so have a high level of exposure to protected taxpayer information (PTI)  which may include Personal Data (add in links to explanations)
Registers of Scotland (ROS)	Registers of Scotland have a statutory obligation to check a return has been made before they register a property.  We allow them access to our system so they can make these checks so  they can accept the application for registration
SEPA	Revenue Scotland will share with SEPA as part of their delegation arrangement
SG	Scottish Government provide a range of services to Revenue Scotland including our electronic records and document management system (eRDM)
HMRC	The Scotland Act 2012 (Schedule 3, Part 2) requires the Scottish Administration to provide HMRC with ‘relevant information’, meaning information corresponding to any of the particulars required by Schedule 2 of the Finance Act 1931 in relation to Scottish land transactions Data may also be shared with HMRC on a discretionary basis under the article 4(3) of the Revenue Scotland and Tax Powers Act 2014 (Consequential Provisions and Modifications) Order 2014.
Welsh Revenue Authority	Revenue Scotland(RS) and the Welsh Revenue Authority (WRA) have entered into an Information Sharing Agreement (ISA) which sets out the terms between WRA and Revenue Scotland in relation to the sharing of relevant information for RS’s and WRA’s functions.  This potentially includes information in respect of all taxes within the responsibility of RS and WRA and information from a variety of internal and external sources, including tax returns, payments and intelligence. Section 15(3)(b) of the RSTPA gives RS the power to disclose Protected Taxpayer if it is made in accordance with any provision made by or under the Revenue Scotland and Tax Powers act (Ancillary Provision) Order 2018  or any other enactment requiring or permitting the disclosure.
Audit Scotland	Has have the power to request information for fraud prevention or account matching exercise according to the Section 26c of the Public finance and accountability (Scotland) act 2000.  In addition, for audit account purposes, As has the right to request or access any document under the control of Revenue Scotland according to section 24 of the Public finance and accountability (Scotland) act 2000 and as a result may access individuals personal details
Police Scotland	Revenue Scotland share with Police Scotland for investigation and crime detection and prevention purposes section 15(3)(e) of the RSTPA gives Revenue Scotland the power to disclose information for crime purposes http://www.legislation.gov.uk/asp/2014/16/part/3/enacted
Crown Office and Procurator Fiscal Service	As above.   COPFS carry out our proceeds of crime work.
Scottish courts and Tribunal Service	section 15(3)(d) of the RSTPA gives Revenue Scotland the power to disclose information for civil proceedings http://www.legislation.gov.uk/asp/2014/16/part/3/enacted
Scottish Public Service Ombudsman	Personal Taxpayers Information may be shared with SPSO in an attempt to resolve a complaint.  It is also a legal requirement by law to share data with SPSO according to Section 13 of the Scottish Public service ombudsman act 2002 https://www.legislation.gov.uk/asp/2002/11/contents
Mediation Companies	Revenue Scotland may share data with mediation companies working on a taxpayers case for the purposes of acquiring mediation services.
Service Providers and Contractors	We use a range of organisations to help deliver our obligations to you. Where we have these arrangements, there is always an agreement in place to make sure that the organisation complies with data protection law.  We carry out data protection impact assessments (DPIAs) before we share personal information to make sure we protect your privacy and comply with the law.

Retention period

We will only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Details of retention periods for different aspects of your personal data are available in our Data Retention, Storage and Disposal Policy of which you can request a copy by contacting us.

Your rights as a data subject

At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:

Right of access:

You have the right to request a copy of the information that we hold about you. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. (Link to section on SAR and FOI below)

Right of rectification

You have a right to correct data that we hold about you that is inaccurate or incomplete. We may need to verify the accuracy of the new data you provide to us.

Right to be forgotten

In certain circumstances you can ask for the data we hold about you to be erased from our records. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Right to restriction of processing

Where certain conditions apply to have a right to restrict the processing.  This enables you to ask us to suspend the processing of your personal data in the following scenarios:

• If you want us to establish the data's accuracy
• Where our use of the data is unlawful but you do not want us to erase it
• Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
• You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Right of portability

You have the right to have the data we hold about you transferred to yourself or  another organisation. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.

Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Right to object

You have the right to object to certain types of processing such as direct marketing.

Right to object to automated processing, including profiling

You also have the right to be subject to the legal effects of automated processing or profiling.

Right to judicial review

In the event that Revenue Scotland refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in clause below.

All of the above requests will be forwarded on should there be a third party involved (as detail in table above) in the processing of your personal data.

If you are an organisation seeking Revenue Scotland information which is not publicly available, please email us at info@revenue.scot.

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

All data stored on the  Revenue Scotland systems will be held in line with the security requirements set out in the General Data Protection Regulation (GDPR) Principles. Business and IT systems and processes have been developed in accordance with the  RSTPA 2014 and tax specific legislation.

Complaints

In the event that you wish to make a complaint about how your personal data is being processed by Revenue Scotland (or third parties as described above), or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and Revenue Scotland’s data protection representatives Data Protection Officer.

Contact Details

If you have any questions about this privacy policy or our privacy practices Our Data Protection Officer and data protection representatives can be contacted here:

Revenue Scotland

PO Box 24068

Victoria Quay

Edinburgh

EH6 9BR

email: DPO@revenue.scot

tel: 03000 200 310

 

by email: DPO@revenue.scot

by phone: 03000 200 310

Information Commissioner’s Office Scotland

45 Meville Street

Edinburgh

EH3 7HL

Helpline number: 0303 123 1115

Email: Scotland@ico.org.uk

ICO website: https://www.ico.org.uk

Publication of Non-personal Information

As an open and transparent organisation, we are committed to making much of our information (data) publicly available on the Revenue Scotland website  Statistics Page. 

Our statistics are published as Official Statistics, providing assurance that we adhere to the Code of Practice for Official Statistics.

Public reporting of information by Revenue Scotland will be in accordance with the following principles:

Protection of confidential taxpayer information

Revenue Scotland will apply statistical disclosure control techniques to protect taxpayer information for all statistical data (including that in aggregate form) which will be published.

Transparency and accessibility

Revenue Scotland will not charge for data or analysis. Aggregate statistics will be published on-line, under Open Government License, in a format that makes the information easily discoverable, accessible, and re-usable.

Impartiality and objectivity

Revenue Scotland will publish regular reports according to a published timetable. All statistics will be presented impartially and objectively and will be published according to schedule in a manner that will enhance public trust in the impartiality and objectivity of the reporting.

Quality

Quality statements for all data sources will be developed which will set out the provenance of the data and the risks to error at each stage and mitigating actions. Published data will be labeled as ‘provisional’ and revised according to a schedule to reflect the right of taxpayers to amend returns and allow for most processes to complete. Errors to published figures will be corrected as soon as possible following identification and clearly noted in the corrected version. Snapshots of the data warehouse used for analysis and reporting will be saved to allow for all analysis to be rerun and the same results produced for up to 5 years.

Co-ordination and consistency

Management, use and reporting of Management and Financial Information will be co-ordinated and consistent with each other, and Revenue Scotland reporting will be co-ordinated and consistent with reporting of similar information by other organisations.

Statistical Information

All of our published statistical information is available on the Statistics section of the website.

If you are an organisation seeking Revenue Scotland information which is not publicly available, please email us at info@revenue.scot.

Cookie Policy

This Cookie Policy explains how  Revenue Scotland uses cookies and similar technologies to recognize you when you visit our websites at https://www.revenue.scot,  It explains what these technologies are and why we use them, as well as your rights to control our use of them.

In some cases we may use cookies to collect personal information, or that becomes personal information if we combine it with other information.

What are cookies?

Cookies are small data files that are placed on your computer or mobile device when you visit a website. Cookies are widely used by website owners in order to make their websites work, or to work more efficiently, as well as to provide reporting information.

Cookies set by the website owner (in this case, Revenue Scotland) are called "first party cookies". Cookies set by parties other than the website owner are called "third party cookies". Third party cookies enable third party features or functionality to be provided on or through the website (e.g. like advertising, interactive content and analytics). The parties that set these third party cookies can recognize your computer both when it visits the website in question and also when it visits certain other websites.

Why do we use cookies?

We use first and third party cookies for several reasons. Some cookies are required for technical reasons in order for our Websites to operate, and we refer to these as "essential" or "strictly necessary" cookies. Other cookies also enable us to track and target the interests of our users to enhance the experience on our Online Properties. Third parties serve cookies through our Websites for, analytics and other purposes. This is described in more detail below.

Our Cookies do not collect or store personal information or protected taxpayer information.

The specific types of first and third party cookies served through our Websites and the purposes they perform are described below (please note that the specific cookies served may vary depending on the specific Online Properties you visit):

How can I control cookies?

You have the right to decide whether to accept or reject cookies. You can exercise your cookie rights by setting your preferences in the Cookie Consent Manager. The Cookie Consent Manager allows you to select which categories of cookies you accept or reject. Essential cookies cannot be rejected as they are strictly necessary to provide you with services.

The Cookie Consent Manager can be found in the notification banner and on our website. If you choose to reject cookies, you may still use our website though your access to some functionality and areas of our website may be restricted. You may also set or amend your web browser controls to accept or refuse cookies.

As the means by which you can refuse cookies through your web browser controls vary from browser-to-browser. These browser controls will usually be found in the "options" or "preferences" menu. For more help, you may take a look at the "Help" settings or review these website for more details:

• Firefox: How to change your cookie settings in Firefox
• Internet Explorer:
  • How to change your cookie settings in Internet Explorer 9
  • How to change your cookie settings in Internet Explorer 7 and 8
• Google Chrome: How to change your cookie settings in Google Chrome
• Safari (OS X): How to change your cookie settings in Safari (OS X)
• Safari (iOS): How to change your cookie settings in Safari (iOS)

Our Cookies and their purposes

The specific types of first and third party cookies served through our Websites and the purposes they perform are described in the table below (please note that the specific cookies served may vary depending on the specific Online Properties you visit):

This website is running on the Drupal content management system (CMS). Drupal sets some cookies in order to improve the user experience and assist in the delivery of the site (e.g. to test whether a user has JavaScript enabled). We also use Google analytics to analyse the traffic using our site.  The following cookies are set by Drupal  and Google Analytics on this site:

Essential website cookies:

These cookies are strictly necessary to provide you with services available through our Websites and to use some of its features, such as access to secure areas.

Cookie ID	Purpose	Service	Type	Lifespan
Has_js	Used by Drupal to indicate whether or not the visitor's browser has JavaScript enabled so that drupal can more efficiently perform operations to enhance the user experience	Drupal CMS View Service Privacy Policy	http cookie	End of Session

Analytics and customization cookies:

These cookies collect information that is used either in aggregate form to help us understand how our Websites are being used or how effective our marketing campaigns are, or to help us customize our Websites for you.

Cookie ID	Purpose	Service	Type	Lifespan
_gat#	Enables Google Analytics regulate the rate of requesting. It is a HTTP cookie type that lasts for a session.	Google Analytics  View Service Privacy Policy	http cookie	1 minute
_ga#	It records a particular ID used to come up with data about website usage by the user. It is a HTTP cookie that expires after 2 years.	Google Analytics  View Service Privacy Policy	http cookie	2 years
_gid	Keeps an entry of unique ID which is then used to come up with statistical data on website usage by visitors. It is a HTTP cookie type and expires after a browsing session.	Google Analytics View Service Privacy Policy	http cookie	24 hours
_utmb#	Used by Google analytics to compute the duration a website is visited using the exact time that a user accesses a website. This is a HTTP cookie that expires after the session	Google Analytics View Service Privacy Policy	http cookie	30 minutes from set/update
_utma#	Used by Google Analytics to record the number of times a visitor accessed the website as well as the dates for the first and recent visit. It is a HTTP cookie and expires in 2 years.	Google Analytics  View Service Privacy Policy	http cookie	2 years from set/update
_utmt#	Used to control the speed of requests to the website’s server. Expires after the session and is a HTTP type cookie.	Google Analytics  View Service Privacy Policy	http cookie	10 minutes
_utmc#	The cookie registers the timestamp a user leaves a website to help calculate the duration of time spent on it using Google Analytics. The cookie activity lasts during the browsing session. It is a HTTP cookie type.	Google Analytics  View Service Privacy Policy	http cookie	End of Browser session
respimg­_ratio	used for handling responsive layout	n/a	http cookie	1 day
revenue-scotland_cookiecontrol	Records the fact that you as a user have agreed to accept cookies from this site __________		http cookie	3 months
ccShowCookieIcon	Records whether or not to show the cookie control icon		http cookie	1 day

What about other tracking technologies?

When you visit our website or log in to your SETS account, we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We collect information about:

• the pages you visit and how long you spend on each page
• how you got to Revenue Scotland's websites
• what you click on while you're visiting Revenue Scotland's websites.

The information we get from Google Analytics doesn’t allow us to identify anyone individually. For example, we never receive your name or address. We don’t make, and don’t allow Google to make, any attempt to find out the identities of people who visit our website

If you like, you can opt out of Google Analytics at any time.

Use of Cookies on SETS

The Scottish Electronic Tax System (SETS) uses cookies. These cookies are used to:

• remember settings and information that you've entered so that you don't have to keep entering them again
• measure how you use the service so that we can make sure it meets your needs

Do we use Flash cookies or Local Shared Objects?

Websites may also use so-called "Flash Cookies" (also known as Local Shared Objects or "LSOs") to, among other things, collect and store information about your use of our services, fraud prevention and for other site operations.

If you do not want Flash Cookies stored on your computer, you can adjust the settings of your Flash player to block Flash Cookies storage using the tools contained in the Website Storage Settings Panel. You can also control Flash Cookies by going to the Global Storage Settings Panel and following the instructions (which may include instructions that explain, for example, how to delete existing Flash Cookies (referred to "information" on the Macromedia site), how to prevent Flash LSOs from being placed on your computer without your being asked, and (for Flash Player 8 and later) how to block Flash Cookies that are not being delivered by the operator of the page you are on at the time).

Please note that setting the Flash Player to restrict or limit acceptance of Flash Cookies may reduce or impede the functionality of some Flash applications, including, potentially, Flash applications used in connection with our services or online content.

How often will we update this Cookie Policy?

We may update this Cookie Policy from time to time in order to reflect, for example, changes to the cookies we use or for other operational, legal or regulatory reasons. Please therefore re-visit this Cookie Policy regularly to stay informed about our use of cookies and related technologies.

The date at the top of this Cookie Policy indicates when it was last updated.

Where can I get further information?

If you have any questions about our use of cookies or other technologies, please contact us at the following:

By Post:

Revenue Scotland

PO Box 24068

Victoria Quay

Edinburgh

EH6 9BR

By email: DPO@revenue.scot

By phone: 03000 200 310