A guide to what information Revenue Scotland holds and how you can access it.
- Privacy Notice
This Privacy Notice aims to give you the information on how Revenue Scotland collects and processes your data, what information we hold and how you can access it.
Revenue Scotland is registered as a Data Controller with the Information Commissioner’s Office (ICO) Our registration number is ZA095120. You can view it on the ICO Website. This complies with the Data Protection Act 2018 and the General Data Protection Regulations (GDPR).
Our Data Protection Officer makes sure we respect your rights and follow the law. If you have any concerns or questions about how we look after your personal information, please email the Data protection officer at: firstname.lastname@example.org
Who are we?
Revenue Scotland was established as a Non-Ministerial Department on 1 January 2015 and is the tax authority responsible for the administration and collection of Scotland’s devolved taxes
What is Personal Data?
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, may also constitute personal data.
Revenue Scotland also has legal obligations under Part 3 of the RSTPA 2014 (information) which provides special legislative protection for taxpayer information held by Revenue Scotland.
PTI means information relating to a person in connection with a function of Revenue Scotland and by which a person may be identified. This protection does not just apply to individuals but includes companies, partnerships and other organisations. It is additional and complementary to the protections in respect of personal data as set out in this this privacy notice.
The data we collect and how we will collect it:
Revenue Scotland will generally collect personal data either directly from taxpayers or via their agent. There are six main ways personal data can be collected by Revenue Scotland.
- Where the taxpayer, or their agent, submits a return directly through the online tax portal
- Where the taxpayer or their agent contacts Revenue Scotland directly by telephone or written correspondence (this will include electronic and paper)
- The taxpayer, or their agent, sends in a completed paper return form
- Where the taxpayer registers for the payment of SLfT, and the subsequent submission of quarterly returns
- Where RS uses its third party information powers
- Where RS obtains information through formal information sharing agreements with other tax authorities or public bodies.
All information that Revenue Scotland holds, whether gathered, directly or indirectly from its delegates, will sit either within RS systems, Scottish Government systems or, temporarily, within our delegate partners systems.
On 3 April 2023, Revenue Scotland launched an Enhanced Support service aiming to provide adjustments to our service offering. The service is voluntary and intended to support users who otherwise may be susceptible to detriment or disadvantage.
The type of data processed to enable this service will depend on the needs of the user. In certain circumstances, the processing of special categories of more sensitive personal such as health data may be required. Special categories of more sensitive personal data require further justification for processing. Where this is required to provide enhanced support, Revenue Scotland will ask for your explicit consent to process this data. Where we have not been able to obtain your explicit consent, we will not process special categories of more sensitive data unless this is necessary to respond to a medical emergency in which your consent could not be sought.
The data we collect includes but is not limited to:
Names, relevant property addresses, email addresses, telephone numbers (Personal telephone number or Business telephone number in relation to SLFT), National Insurance Number (or other tax reference or unique identifier from the country in which the buyer is based), bank account details and case Notes linking both tax payer and transactions such as complaints, compliance, investigations etc.
This section explains how we use recording of phones calls within Revenue Scotland.
Calls made to Revenue Scotland Support Desk are recorded on the Contact Management system. Similarly all calls made to taxpayers and/or their agents may be recorded.
When a call is recorded we collect:
- A digital recording of the telephone conversation
- The telephone number of both parties (internal and external)
Personal data revealed during a telephone call will be digitally recorded, for example name and contact details, and information in these recordings may relate to the updating of taxpayer record or when advice / guidance is sought on the taxes we administer.
Call recordings will be used to:
- establish the existence of facts relevant to the business of Revenue Scotland for purposes including investigating and resolving complaints and in connection with reviews and appeals
- for staff training purposes
- to take actions to protect staff from abusive callers
- to ensure Revenue Scotland is able to monitor and adhere to quality standards
All call recordings are held securely within our Contact Management System. Access to these recordings are controlled via the system and is restricted to a specific management group who must have justification for accessing the recording.
Use of Email
Email is not considered a secure method of communication for PTI. Whilst we can email you, we will not be able to discuss personal tax information unless you tell us that you are willing to accept the risks of doing so. Revenue Scotland uses a Secure messaging Service (SMS) with agents instead of direct email.
- If you would like to use email we will share with you the risks associated with the use of email and ask you to confirm in writing:
- That you understand and accept the risks of using e-mail
- That you are content for tax and financial information to be sent by email
- That attachments can be included
Further information on the risks can be found here.
Our legal basis for processing for the personal data:
The lawful basis for processing of the Scottish devolved taxes is article 6(1)(e) of the General Data Protection Regulation (GDPR).
“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
The legal basis for processing personal data in connection with email addresses is consent.
For information such as contact details that doesn’t relate to tax collection or management, we have sought consent for the use and holding of this information (e.g. stakeholder lists for general communication and news/information)
You have the right to withdraw consent at any time by contacting us.
The legal basis for processing all other personal data is that it’s necessary:
- to perform a task in the public interest
- in the exercise of our functions as a statutory tax authority
Why do we need your personal information?
We may need to use some information about you to:
- ensure you have paid the correct amount of tax
- contact you or your solicitor if there are any issues or if we need to clarify any detail
- help investigate any worries or complaints you have about our processes
- check the quality of our support, and
- help with research and planning of new provisions.
How the law allows us to use your personal information:
We need to collect and use your personal information for a number of legal reasons. Each business area within Revenue Scotland might have a different legal reason for processing your data. Generally, we collect and use personal information where:
- it is required by law
- it is necessary to perform our statutory duties
- to help us process your tax return
- it is necessary for employment purposes
- you have made your information publicly available
- we need it for legal cases
- we need it for archiving, research, or statistical purposes.
Personal and/or personal sensitive information in the possession of Revenue Scotland, for the exercise of its functions, may be shared with other organisations where legally required or permitted. We will never sell your personal information to commercial companies.
All sharing of personal data occurs only in clearly defined circumstances and within the legislative bounds set by the RSTPA, the GDPR and other relevant legislation. Information disclosed will be proportionate, relevant and appropriate for the purpose it is being shared for and will be transferred in a secure manner, making it available to authorised users only.
In these cases the overarching principles that will apply will be:
- All information sharing shall occur within the existing bounds of the three Tax Acts;
- the Data Protection Act 2018 GDPR and the European Convention on Human Rights (ECHR) and will be proportionate, relevant and appropriate for the purpose it is being shared
- All sharing shall be evidenced, accounted for and recorded
- Sharing will take place within the bounds of Data Sharing Protocols/Information Sharing Agreements
- Revenue Scotland may have a legal obligation to share information, for example with Registers of Scotland or HMRC. Where the sharing of personal data is discretionary this shall be done in full compliance with data protection legislation
- Confidentiality and respect for a taxpayer’s right to privacy shall be the default position in respect of any decision to share information with others
The table below sets out who has access to the information and whom we may share it with:
Revenue Scotland staff
Have responsibility for the collection and management of the devolved taxes and so have a high level of exposure to protected taxpayer information (PTI) which may include Personal Data (add in links to explanations)
Registers of Scotland (ROS)
Registers of Scotland have a statutory obligation to check a return has been made before they register a property. We allow them access to our system so they can make these checks so they can accept the application for registration
Revenue Scotland will share with SEPA as part of their delegation arrangement
Scottish Government provide a range of services to Revenue Scotland including our electronic records and document management system (eRDM)
The Scotland Act 2012 (Schedule 3, Part 2) requires the Scottish Administration to provide HMRC with ‘relevant information’, meaning information corresponding to any of the particulars required by Schedule 2 of the Finance Act 1931 in relation to Scottish land transactions
Data may also be shared with HMRC on a discretionary basis under the article 4(3) of the Revenue Scotland and Tax Powers Act 2014 (Consequential Provisions and Modifications) Order 2014.
Welsh Revenue Authority
Revenue Scotland(RS) and the Welsh Revenue Authority (WRA) have entered into an Information Sharing Agreement (ISA) which sets out the terms between WRA and Revenue Scotland in relation to the sharing of relevant information for RS’s and WRA’s functions. This potentially includes information in respect of all taxes within the responsibility of RS and WRA and information from a variety of internal and external sources, including tax returns, payments and intelligence.
Section 15(3)(b) of the RSTPA gives RS the power to disclose Protected Taxpayer if it is made in accordance with any provision made by or under the Revenue Scotland and Tax Powers act (Ancillary Provision) Order 2018 or any other enactment requiring or permitting the disclosure.
Has have the power to request information for fraud prevention or account matching exercise according to the Section 26c of the Public finance and accountability (Scotland) act 2000. In addition, for audit account purposes, As has the right to request or access any document under the control of Revenue Scotland according to section 24 of the Public finance and accountability (Scotland) act 2000 and as a result may access individuals personal details
Revenue Scotland share with Police Scotland for investigation and crime detection and prevention purposes section 15(3)(e) of the RSTPA gives Revenue Scotland the power to disclose information for crime purposes
Crown Office and Procurator Fiscal Service
As above. COPFS carry out our proceeds of crime work.
Scottish courts and Tribunal Service
section 15(3)(d) of the RSTPA gives Revenue Scotland the power to disclose information for civil proceedings
Scottish Public Service Ombudsman
Personal Taxpayers Information may be shared with SPSO in an attempt to resolve a complaint. It is also a legal requirement by law to share data with SPSO according to Section 13 of the Scottish Public service ombudsman act 2002
Revenue Scotland may share data with mediation companies working on a taxpayers case for the purposes of acquiring mediation services.
Service Providers and Contractors
We use a range of organisations to help deliver our obligations to you. Where we have these arrangements, there is always an agreement in place to make sure that the organisation complies with data protection law.
We carry out data protection impact assessments (DPIAs) before we share personal information to make sure we protect your privacy and comply with the law.
We will only retain your personal data for as long as reasonably necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
Details of retention periods for different aspects of your personal data are available in our Data Retention, Storage and Disposal Policy of which you can request a copy by contacting us.
Your rights as a data subject
At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:
Right of access:
You have the right to request a copy of the information that we hold about you. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. (Link to section on SAR and FOI below)
Right of rectification
You have a right to correct data that we hold about you that is inaccurate or incomplete. We may need to verify the accuracy of the new data you provide to us.
Right to be forgotten
In certain circumstances you can ask for the data we hold about you to be erased from our records. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Right to restriction of processing
Where certain conditions apply to have a right to restrict the processing. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data's accuracy
- Where our use of the data is unlawful but you do not want us to erase it
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Right of portability
You have the right to have the data we hold about you transferred to yourself or another organisation. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.
Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Right to object
You have the right to object to certain types of processing such as direct marketing.
Right to object to automated processing, including profiling
You also have the right to be subject to the legal effects of automated processing or profiling.
Right to judicial review
In the event that Revenue Scotland refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in clause below.
All of the above requests will be forwarded on should there be a third party involved (as detail in table above) in the processing of your personal data.
If you are an organisation seeking Revenue Scotland information which is not publicly available, please email us at email@example.com.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
All data stored on the Revenue Scotland systems will be held in line with the security requirements set out in the General Data Protection Regulation (GDPR) Principles. Business and IT systems and processes have been developed in accordance with the RSTPA 2014 and tax specific legislation.
In the event that you wish to make a complaint about how your personal data is being processed by Revenue Scotland (or third parties as described above), or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and Revenue Scotland’s data protection representatives Data Protection Officer.
PO Box 24068
tel: 03000 200 310
by email: firstname.lastname@example.org
by phone: 03000 200 310
Information Commissioner’s Office Scotland
45 Meville Street
Helpline number: 0303 123 1115
ICO website: https://www.ico.org.uk
Publication of Non-personal Information
As an open and transparent organisation, we are committed to making much of our information (data) publicly available on the Revenue Scotland website Statistics Page.
Our statistics are published as Official Statistics, providing assurance that we adhere to the Code of Practice for Official Statistics.
Public reporting of information by Revenue Scotland will be in accordance with the following principles:
Protection of confidential taxpayer information
Revenue Scotland will apply statistical disclosure control techniques to protect taxpayer information for all statistical data (including that in aggregate form) which will be published.
Transparency and accessibility
Revenue Scotland will not charge for data or analysis. Aggregate statistics will be published on-line, under Open Government License, in a format that makes the information easily discoverable, accessible, and re-usable.
Impartiality and objectivity
Revenue Scotland will publish regular reports according to a published timetable. All statistics will be presented impartially and objectively and will be published according to schedule in a manner that will enhance public trust in the impartiality and objectivity of the reporting.
Quality statements for all data sources will be developed which will set out the provenance of the data and the risks to error at each stage and mitigating actions. Published data will be labeled as ‘provisional’ and revised according to a schedule to reflect the right of taxpayers to amend returns and allow for most processes to complete. Errors to published figures will be corrected as soon as possible following identification and clearly noted in the corrected version. Snapshots of the data warehouse used for analysis and reporting will be saved to allow for all analysis to be rerun and the same results produced for up to 5 years.
Co-ordination and consistency
Management, use and reporting of Management and Financial Information will be co-ordinated and consistent with each other, and Revenue Scotland reporting will be co-ordinated and consistent with reporting of similar information by other organisations.
All of our published statistical information is available on the Statistics section of the website.
If you are an organisation seeking Revenue Scotland information which is not publicly available, please email us at email@example.com.
What are cookies?
Cookies are small data files that are placed on your computer or mobile device when you visit a website. Cookies are widely used by website owners in order to make their websites work, or to work more efficiently, as well as to provide reporting information.
Cookies set by the website owner (in this case, Revenue Scotland) are called "first party cookies". Cookies set by parties other than the website owner are called "third party cookies". Third party cookies enable third party features or functionality to be provided on or through the website (e.g. like advertising, interactive content and analytics). The parties that set these third party cookies can recognize your computer both when it visits the website in question and also when it visits certain other websites.
We use first and third party cookies for several reasons. Some cookies are required for technical reasons in order for our Websites to operate, and we refer to these as "essential" or "strictly necessary" cookies. Other cookies also enable us to track and target the interests of our users to enhance the experience on our Online Properties. Third parties serve cookies through our Websites for, analytics and other purposes. This is described in more detail below.
Our Cookies do not collect or store personal information or protected taxpayer information.
The specific types of first and third party cookies served through our Websites and the purposes they perform are described below (please note that the specific cookies served may vary depending on the specific Online Properties you visit):
How can I control cookies?
You have the right to decide whether to accept or reject cookies. You can exercise your cookie rights by setting your preferences in the Cookie Consent Manager. The Cookie Consent Manager allows you to select which categories of cookies you accept or reject. Essential cookies cannot be rejected as they are strictly necessary to provide you with services.
- Firefox: How to change your cookie settings in Firefox
- Internet Explorer:
- How to change your cookie settings in Internet Explorer 9
- How to change your cookie settings in Internet Explorer 7 and 8
- Google Chrome: How to change your cookie settings in Google Chrome
- Safari (OS X): How to change your cookie settings in Safari (OS X)
- Safari (iOS): How to change your cookie settings in Safari (iOS)
Our Cookies and their purposes
The specific types of first and third party cookies served through our Websites and the purposes they perform are described in the table below (please note that the specific cookies served may vary depending on the specific Online Properties you visit):
Essential website cookies:
These cookies are strictly necessary to provide you with services available through our Websites and to use some of its features, such as access to secure areas.
End of Session
Analytics and customization cookies:
These cookies collect information that is used either in aggregate form to help us understand how our Websites are being used or how effective our marketing campaigns are, or to help us customize our Websites for you.
Enables Google Analytics regulate the rate of requesting. It is a HTTP cookie type that lasts for a session.
It records a particular ID used to come up with data about website usage by the user. It is a HTTP cookie that expires after 2 years.
Keeps an entry of unique ID which is then used to come up with statistical data on website usage by visitors. It is a HTTP cookie type and expires after a browsing session.
Used by Google analytics to compute the duration a website is visited using the exact time that a user accesses a website. This is a HTTP cookie that expires after the session
30 minutes from set/update
Used by Google Analytics to record the number of times a visitor accessed the website as well as the dates for the first and recent visit. It is a HTTP cookie and expires in 2 years.
2 years from set/update
Used to control the speed of requests to the website’s server. Expires after the session and is a HTTP type cookie.
The cookie registers the timestamp a user leaves a website to help calculate the duration of time spent on it using Google Analytics. The cookie activity lasts during the browsing session. It is a HTTP cookie type.
End of Browser session
used for handling responsive layout
Records the fact that you as a user have agreed to accept cookies from this site __________
Records whether or not to show the cookie control icon
What about other tracking technologies?
When you visit our website or log in to your SETS account, we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We collect information about:
- the pages you visit and how long you spend on each page
- how you got to Revenue Scotland's websites
- what you click on while you're visiting Revenue Scotland's websites.
The information we get from Google Analytics doesn’t allow us to identify anyone individually. For example, we never receive your name or address. We don’t make, and don’t allow Google to make, any attempt to find out the identities of people who visit our website
If you like, you can opt out of Google Analytics at any time.
- remember settings and information that you've entered so that you don't have to keep entering them again
- measure how you use the service so that we can make sure it meets your needs
Do we use Flash cookies or Local Shared Objects?
Websites may also use so-called "Flash Cookies" (also known as Local Shared Objects or "LSOs") to, among other things, collect and store information about your use of our services, fraud prevention and for other site operations.
If you do not want Flash Cookies stored on your computer, you can adjust the settings of your Flash player to block Flash Cookies storage using the tools contained in the Website Storage Settings Panel. You can also control Flash Cookies by going to the Global Storage Settings Panel and following the instructions (which may include instructions that explain, for example, how to delete existing Flash Cookies (referred to "information" on the Macromedia site), how to prevent Flash LSOs from being placed on your computer without your being asked, and (for Flash Player 8 and later) how to block Flash Cookies that are not being delivered by the operator of the page you are on at the time).
Please note that setting the Flash Player to restrict or limit acceptance of Flash Cookies may reduce or impede the functionality of some Flash applications, including, potentially, Flash applications used in connection with our services or online content.
Where can I get further information?
PO Box 24068
By email: firstname.lastname@example.org
By phone: 03000 200 310