Privacy notice and cookie policy

Revenue Scotland Privacy Notice

Introduction

Revenue Scotland respects your privacy and is committed to protecting your personal data. This privacy policy explains how we look after your personal data and tells you about your privacy rights and how the law protects you.

This Privacy Notice gives you information on how Revenue Scotland collects and processes your data, what information we hold and how you can access it. It also provides you with our contact details if you want any further information.

Who are we?

Revenue Scotland was established as a Non-Ministerial Office on 1 January 2015 and is the tax authority responsible for the administration and collection of Scotland’s devolved taxes. Taxation policy is developed by the Scottish Government and any future taxes which would be collected and managed by Revenue Scotland will be notified on our website. Revenue Scotland is registered as a Data Controller with the Information Commissioner’s Office (ICO). Our registration number is ZA095120. You can view our registration on the ICO Website. This complies with the Data Protection Act 2018 and the UK General Data Protection Regulations (UK GDPR).

Our Data Protection Officer ensures that we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please email the Data Protection Officer at: dpo@revenue.scot.

What is Personal Data?

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information which, when collected, can lead to the identification of a particular person can also be personal data.

Protected Taxpayer Information (PTI)

In addition to the requirements under data protection legislation, Revenue Scotland also has legal obligations under Part 3 of the RSTPA 2014 (Information) which provides special legislative protection for taxpayer information held by Revenue Scotland.

PTI means information relating to a person in connection with a function of Revenue Scotland and by which a person may be identified. This protection does not just apply to individuals but includes companies, partnerships and other organisations. It is additional and complementary to the protections in respect of personal data as set out in this Privacy Notice.

Why do we need your personal information?

We may need to use some information about you to:

process your tax return
ensure you have paid the correct amount of tax
carry out enquiries to ensure compliance with legislation
contact you or your agent if there are any issues or if we need to clarify any detail
help investigate any worries or complaints you have about our processes
prepare for new taxes that Revenue Scotland may be required to administer
check the quality of our support and to improve our services, and
perform our statutory duties
conduct research or statistical analysis

The data we collect and how we will collect it:

Revenue Scotland will primarily collect personal data either directly from taxpayers or their agents. Revenue Scotland collects personal data in the following ways:

Where anyone registers for the payment of taxes and submits returns.
Where the taxpayer, or their agent, submits a return directly through the online tax portal or submits a completed paper return form.
Where the taxpayer or their agent contacts Revenue Scotland directly by telephone or written correspondence.
Where Revenue Scotland uses its information powers to obtain information from third parties.
Where Revenue Scotland obtains information through formal information-sharing agreements with other tax authorities or public bodies.
Where Revenue Scotland directly receives relevant unsolicited information relating to tax compliance.
Where Revenue Scotland identifies publicly available information relevant to tax compliance.
We collect data from other organisations to ensure compliance with tax obligations.
Surveys of taxpayers and stakeholders.
We will collect data for the purpose of providing Enhanced Support. Further details are in the following section.

All information that Revenue Scotland holds, whether gathered directly or indirectly, will sit either within Revenue Scotland systems, Scottish Government systems or within secure, approved, third party systems.

As part of our tax compliance work, some of the data from other public bodies or third parties may be cross-referenced or matched to data held by Revenue Scotland.

The data we collect includes, but is not limited to:

Names, relevant property addresses, email addresses, telephone numbers (Personal telephone number or Business telephone number), National Insurance Number (or other tax reference or unique identifier from the country in which the taxpayer is based), bank account details, credit reference data, relevant health data (for the purpose of providing Enhanced Support, with consent) and case notes linking both taxpayers and transactions such as complaints, or compliance work.

Additionally, information is sometimes gathered without you actively providing it, using cookies, Internet Protocol (IP) addresses and web statistics. These methods do not collect or store personal information or Protected Taxpayer Information. Details on our use of cookies can be found here.

Enhanced Support Service & Special Category Data

Revenue Scotland has an Enhanced Support Service aiming to provide adjustments to our service offering. The service is voluntary and intended to support users who otherwise may be susceptible to detriment or disadvantage.

The type of data processed to enable this service will depend on the needs of the user. In certain circumstances, the processing of special categories of more sensitive personal information such as health data may be required. Special categories of more sensitive personal data require further justification for processing. Where this is required to provide enhanced support, Revenue Scotland will ask for your explicit consent to process this data. Where we have not been able to obtain your explicit consent, we will not process special categories of more sensitive data unless this is necessary to respond to a medical emergency in which case your consent would not be sought.

Call recording:

This section explains how we use recordings of telephone calls within Revenue Scotland.

Calls made to Revenue Scotland are recorded on our Contact Management system. Similarly, all calls made to taxpayers and/or their agents may be recorded.

When calls are recorded, we collect:

A digital recording of the telephone conversation
Telephone numbers of parties
Where relevant, personal data required to pass telephone security procedures and/or update our records

Call recordings will be used to:

establish the existence of information relevant to the business of Revenue Scotland for purposes including investigating and resolving complaints and in connection with reviews and appeals
for staff training purposes
take actions to protect staff from abusive callers
ensure Revenue Scotland can monitor and adhere to quality standards

All call recordings are held securely within our Contact Management System and access restricted.

Secure Messaging Service (SMS)

Revenue Scotland uses a Secure Messaging Service (SMS) as a secure platform for taxpayers and agents to communicate with Revenue Scotland. SMS is a tool within our tax collection system and can be used by anyone registered as a user. We encourage the use of SMS as personal taxpayer information can be discussed securely on this platform and attachments may also be included. Information contained within SMS is attached to the relevant transaction and will be stored and used for the purposes noted above.

Use of Secure Messaging Service (SMS) and Email

Email is not considered a secure method of communication for PTI. Whilst we can email you, we will not be able to discuss personal tax information unless you tell us that you are willing to accept the risks of doing so. If you would like to use email, we will share with you the risks associated with the use of email and ask you to confirm in writing:

That you understand and accept the risks of using e-mail
That you are content for tax and financial information to be sent by email
That attachments can be included

Further information on the risks can be found here.

Our lawful basis for processing personal data:

The lawful basis for processing personal data is article 6(1)(e) of the General Data Protection Regulation (UK GDPR):

“Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

The lawful basis for processing personal data in connection with email addresses is article 6(1)(a) UKGDPR:

“the data subject has given consent to the processing of his or her personal data for one or more specific purposes”

For information such as contact details that do not relate to tax collection or management, we have sought consent for the use and holding of this information (e.g. stakeholder lists for general communication and news/information).

You have the right to withdraw consent at any time by contacting us.

Disclosure

Personal and/or personal sensitive information in the possession of Revenue Scotland, for the exercise of its functions, may be shared with other organisations where legally required or permitted. We will never sell your personal information to commercial companies.

All sharing of personal data occurs only in clearly defined circumstances and within the legislative bounds set by the RSTPA, the GDPR and other relevant legislation. Information disclosed will be proportionate, relevant and appropriate for the purpose it is being shared for and will be transferred in a secure manner, making it available to authorised users only.

In these cases, the overarching principles that will apply will be:

All information sharing shall occur within the existing bounds of the relevant legislation including: the relevant Tax Acts, the Data Protection Act 2018, UK GDPR and the European Convention on Human Rights (ECHR) proportionate, relevant and appropriate for the purpose it is being shared
All sharing shall be evidenced, accounted for and recorded
Sharing will take place within the bounds of Data Sharing Protocols/Information Sharing Agreements
Revenue Scotland may have a legal obligation to share information, for example with Registers of Scotland or HMRC. Where the sharing of personal data is discretionary this shall be done in full compliance with data protection legislation
Confidentiality and respect for a taxpayer’s right to privacy shall be the default position in respect of any decision to share information with others

Further detail on who has access to the information and whom we may share it with includes but is not limited to:

Group	Interest
Revenue Scotland staff	Have responsibility for the collection and management of the devolved taxes and so have an elevated level of exposure to protected taxpayer information (PTI) which may include Personal Data (add in links to explanations)
Registers of Scotland (ROS)	Registers of Scotland have a statutory obligation to check a return has been made before they register a property. We allow them limited access to our system so they can make these checks so they can accept the application for registration
SEPA	Revenue Scotland will share with SEPA as part of their delegation arrangement
SG (Scottish Government)	Scottish Government provide a range of services to Revenue Scotland including our electronic records and document management system (eRDM)
HMRC & its agencies	The Scotland Act 2012 (Schedule 3, Part 2) requires the Scottish Administration to provide HMRC with ‘relevant information’, meaning information corresponding to any of the particulars required by Schedule 2 of the Finance Act 1931 in relation to Scottish land transactions Data may also be shared with HMRC on a discretionary basis under the article 4(3) of the Revenue Scotland and Tax Powers Act 2014 (Consequential Provisions and Modifications) Order 2014.
Welsh Revenue Authority	Revenue Scotland (RS) and the Welsh Revenue Authority (WRA) have an Information Sharing Agreement (ISA) which sets out the terms between WRA and Revenue Scotland in relation to the sharing of relevant information for RS’s and WRA’s functions. This potentially includes information in respect of all taxes within the responsibility of RS and WRA and information from a variety of internal and external sources, including tax returns, payments, and intelligence. Section 15(3)(b) of the RSTPA gives RS the power to disclose Protected Taxpayer if it is made in accordance with any provision made by or under the Revenue Scotland and Tax Powers Act (Ancillary Provision) Order 2018 or any other enactment requiring or permitting the disclosure.
Audit Scotland	Audit Scotland has the power to request information for fraud prevention or account matching exercise in accordance with the Section 26c of the Public Finance and Accountability (Scotland) Act 2000. In addition, for audit account purposes, Audit Scotland has the right to request or access any document under the control of Revenue Scotland in accordance with section 24 of the Public Finance and Accountability (Scotland) Act 2000 and as a result may access individual's personal details.
Police Scotland	Revenue Scotland shares with Police Scotland for investigation and crime detection and prevention purposes. Section 15(3)(e) of the RSTPA gives Revenue Scotland the power to disclose information for crime purposes. http://www.legislation.gov.uk/asp/2014/16/part/3/enacted
Crown Office and Procurator Fiscal Service	As above. COPFS carry out our proceeds of crime work.
Scottish courts and Tribunal Service	Section 15(3)(d) of the RSTPA gives Revenue Scotland the power to disclose information for civil proceedings http://www.legislation.gov.uk/asp/2014/16/part/3/enacted
Scottish Public Service Ombudsman	Personal Taxpayers Information may be shared with SPSO to resolve a complaint. It is also a legal requirement by law to share data with SPSO according to Section 13 of the Scottish Public Service Ombudsman Act 2002 https://www.legislation.gov.uk/asp/2002/11/contents
Mediation Companies	Revenue Scotland may share data with mediation companies working on a taxpayer's case for the purposes of acquiring mediation services.
Service Providers and Contractors	We use a range of organisations to help deliver our obligations to you. Where we have these arrangements, there is always an agreement in place to make sure that the organisation complies with data protection law. We carry out data protection impact assessments (DPIAs) before we share personal information to make sure we protect your privacy and comply with the law.

Retention period

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we believe there is a prospect of litigation in respect of our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Details of retention periods for various aspects of your personal data are available on request.

Your rights as a data subject

At any point while we are in possession of, or processing your personal data, you, the data subject, have the following rights:

Right of access	You have the right to request a copy of the information that we hold about you. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Right of rectification	You have a right to correct data that we hold about you that is inaccurate or incomplete. We may need to verify the accuracy of the new data you provide to us.
Right to be forgotten	In certain circumstances you can ask for the data we hold about you to be erased from our records. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Right to restriction of processing	Where certain conditions apply to have a right to restrict the processing. This enables you to ask us to suspend the processing of your personal data in the following scenarios: If you want us to establish the data's accuracy Where our use of the data is unlawful, but you do not want us to erase it Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims. You have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
Right to portability	You have the right to have the data we hold about you transferred to yourself or another organisation. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Right to object	You have the right to object to certain types of processing such as direct marketing.
Right to object to automated processing, including profiling	You also have the right to be subject to the legal effects of automated processing or profiling.
Right to judicial review	If Revenue Scotland refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined below [NF8] . All the above requests will be forwarded on should there be a third party involved (as detail in table above) in the processing of your personal data. If you are an organisation seeking Revenue Scotland information which is not publicly available, please email us at info@revenue.scot.

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

All data stored on the Revenue Scotland systems will be held in line with the requirements set out in the General Data Protection Regulation (GDPR) Principles. Business and IT systems and processes have been developed in accordance with the RSTPA 2014 and tax-specific legislation.

Complaints

If you wish to make a complaint about how your personal data is being processed by Revenue Scotland (or third parties as described above), or how your complaint has been handled, you have the right to lodge an initial complaint directly with Revenue Scotland’s Data Protection Officer. However, if the matter is not resolved, it can be subsequently raised with the Information Commissioner’s Office (Scotland). Contact details for both are shown below.

Contact Details

If you have any questions or wish to raise a complaint about this privacy policy or our privacy practices, please contact our Data Protection Officer as follows::

Revenue Scotland

PO Box 24068

Victoria Quay

Edinburgh

EH6 9BR

email: dpo@revenue.scot

tel: 03000 200 310

The Information Commissioner’s Office (Scotland) can be contacted as follows:

The Information Commissioner’s Office (Scotland)

Queen Elizabeth House

Sibbald Walk

Edinburgh

EH8 8FT

Telephone: 0303 123 1115

Email: Scotland@ico.org.uk

ICO website: https://www.ico.org.uk

Cookie Policy

This Cookie Policy explains how Revenue Scotland uses cookies and similar technologies to recognise you when you visit our websites. It explains what these technologies are and why we use them, as well as your rights to control our use of them.

In some cases, we may use cookies to collect personal information, or that becomes personal information if we combine it with other information.

What are cookies?

Cookies are small data files that are placed on your computing device when you visit a website. Cookies are widely used by website owners to make their websites work, or to work more efficiently, as well as to provide reporting information.

Cookies set by the website owner (in this case, Revenue Scotland) are called "first party cookies". Cookies set by parties other than the website owner are called "third party cookies". Third party cookies enable third party features or functionality to be provided on or through the website (e.g., like advertising, interactive content, and analytics). The parties that set these third-party cookies can recognise your computer both when it visits the website in question and when you visit certain other websites.

Why do we use cookies?

We use first-party and third-party cookies for several reasons. Some cookies are required for our website to operate, and we refer to these as "essential" or "strictly necessary" cookies. Other cookies also enable us to track and target the interests of our users to enhance their experience. Third parties serve cookies through our websites for analytics and other purposes. This is described in more detail below.

Our cookies do not collect or store personal information or protected taxpayer information.

The specific types of first-party and third-party cookies served through our websites and the purposes that they perform are described below:

How can I control cookies?

You have the right to decide whether to accept or reject cookies. You can exercise your cookie rights by setting your preferences in your Cookie Consent Manager. The Cookie Consent Manager allows you to select which categories of cookies you accept or reject. Essential cookies cannot be rejected as they are strictly necessary to provide you with services.

The Cookie Consent Manager can be found in the notification banner and on our website. If you choose to reject cookies, you may still use our website though your access to some functionality and areas of our website may be restricted. You can also set or amend your web browser controls to accept or refuse cookies.

These browser controls will usually be found in the "options" or "preferences" menu.

Our Cookies and their purposes

The specific types of first-party and third-party cookies served through our website and the purposes that they perform are described in the table below (please note that the specific cookies served may vary depending on the specific Online Properties you visit).

Revenue.scot uses Drupal content management system (CMS). Drupal sets some cookies to improve the user experience and assist in the delivery of the site. We also use Google analytics to analyse the traffic using our site. The following cookies are set by Drupal and Google Analytics on this site:

Essential website cookies:

These cookies are strictly necessary to provide you with website services.

Cookie ID	Purpose	Service	Type	Lifespan
Has_js	Used by Drupal to indicate whether the visitor's browser has JavaScript enabled so that Drupal can more efficiently perform operations to enhance the user experience	Drupal CMS View Service Privacy Policy	http cookie	End of Session

Cookie ID

Purpose

Service

Type

Lifespan

Has_js

Used by Drupal to indicate whether the visitor's browser has JavaScript enabled so that Drupal can more efficiently perform operations to enhance the user experience

Drupal CMS

View Service Privacy Policy

http cookie

End of Session

Analytics and customisation cookies:

These cookies collect information that is used either in aggregate form to help us understand how our website is being used, how effective our marketing campaigns are, or to help us customise our website for you.

You can access the table by clicking the plus sign to the right hand side of the drop down menu.

Analytics and customisation cookies table

Cookie ID	Purpose	Service	Type	Lifespan
_gat#	Enables Google Analytics to regulate the rate of requesting. It is a HTTP cookie type that lasts for a session.	Google Analytics View Service Privacy Policy	http cookie	1 minute
_ga#	It records a particular ID used to produce data about website usage by the user. It is a HTTP cookie that expires after 2 years.	Google Analytics View Service Privacy Policy	http cookie	2 years
_gid	Keeps an entry of unique ID which is then used to produce statistical data on website usage by visitors. It is a HTTP cookie type and expires after a browsing session.	Google Analytics View Service Privacy Policy	http cookie	24 hours
_utmb#	Used by Google analytics to compute the duration a website is visited using the exact time that a user accesses a website. This is a HTTP cookie that expires after the session	Google Analytics View Service Privacy Policy	http cookie	30 minutes from set/update
_utma#	Used by Google Analytics to record the number of times a visitor accessed the website as well as the dates for the first and recent visit. It is a HTTP cookie and expires in 2 years.	Google Analytics View Service Privacy Policy	http cookie	2 years from set/update
_utmt#	Used to control the speed of requests to the website’s server. Expires after the session and is a HTTP type cookie.	Google Analytics View Service Privacy Policy	http cookie	10 minutes
_utmc#	The cookie registers the timestamp a user leaves a website to help calculate the duration of time spent on it using Google Analytics. The cookie activity lasts during the browsing session. It is a HTTP cookie type.	Google Analytics View Service Privacy Policy	http cookie	End of Browser session
respimg_ratio	Used for handling responsive layout	n/a	http cookie	1 day
revenue-scotland_cookiecontrol	Records the fact that you as a user have agreed to accept cookies from this site __________		http cookie	3 months
ccShowCookieIcon	Records whether to show the cookie control icon		http cookie	1 day

What about other tracking technologies?

When you visit our website or log in to your SETS account, we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We collect information about:

the pages you visit and how long you spend on each page
how you got to Revenue Scotland's websites
what you click on while you are visiting Revenue Scotland's websites.

The information we get from Google Analytics allows us to improve our service offering but does not identify anyone individually. For example, we never receive your name or address. You can opt out of Google Analytics at any time.

Use of Cookies on SETS

The Scottish Electronic Tax System (SETS) uses cookies. These cookies are used to:

remember settings and information that you have entered so that you do not have to keep entering them again
measure how you use the service so that we can make sure it meets your needs

How often will we update this Privacy Notice and Cookie Policy?

We update the Privacy Notice and Cookie Policy from time to time to reflect, for example, to reflect operational, legal, or regulatory changes or changes to the cookies we use.

The date at the top of this Privacy Statement indicates when it was last updated.

Where can I get further information?

If you have any questions about our Privacy Notice or use of cookies or other technologies, please contact us at the following:

By Post:

Revenue Scotland

PO Box 24068

Victoria Quay

Edinburgh

EH6 9BR

By email: dpo@revenue.scot

Last updated

10 October 2023