DPIA Kirklees Council And HMRC Digital Economy Act Data .


Official Sensitive

DPIA – Kirklees Council and HMRC Digital Economy Act Data Sharing Pilot.

Step 1: Identify the need for a DPIA

Explain broadly what project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarise why you identified the need for a DPIA.

Kirklees Council has a strategic objective each year to improve the Council Tax collection rate. For 2017/18, the Council issued approx. 185,000 bills to resident households demanding £188.2m Council Tax, with an average collection rate of 96.0% (national average is 97.1%), leaving a shortfall of Liability Order debt of £7.53m.

The Council obtained 22,614 Liability Orders at the Magistrates Court, of which over 50% were eventually passed to Enforcement Agents, with only approx. 18% resulting in Attachment of Earnings (AOE) - a process where direct deductions are made from salary at a percentage set by Local Government Finance Act 1992 (LGFA 1992).

The Council have identified that sharing Council Tax debt data with Her Majesty's Revenue and Customs (HMRC) to obtain PAYE and self-assessment information could support:

- managing overall Council Tax arrears and further developing its recovery procedures, by analysing the employment and income information of individuals provided by HMRC to:
  - identify customers whose circumstances make them vulnerable and provide appropriate support;
  - contact customers identified as having a propensity to pay and offer them the opportunity to pay, and support when needed;
  - for those that still do not engage and are in employment, recover individual Council Tax debts by Attachment of Earnings Orders
- overall reducing use of Enforcement Agents and associated costs to customers of approx. £310 (£75 compliance, £235 enforcement) per customer p.a. On average savings will be approx. £187 per customer.

Kirklees Council and Her Majesty’s Revenue and Customs are both joint data controllers.

The purpose of the pilot is to gather evidence that the data shared from HMRC will increase the Council’s Council Tax recovery rate and reduce costs associated with recovery.

DPIA template 20180209 v0.3

The DPIA is needed as we will be collecting new information from HMRC to enable Council Tax recovery which may have a significant impact on the individuals concerned, for example:

- Financially vulnerable individuals may be identified and offered debt support
- AOEs may be implemented where the individual will have no choice regarding payment of the debt.
- Individuals may be contacted to discuss the new information provided by the HMRC

This may also raise privacy concerns as this data was originally collected for the purposes of calculating income tax liability.

Step 2: Describe the processing

Describe the nature of the processing: how will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved?

Kirklees Council will supply to HMRC customer names and addresses for a sample of up to 4,000 Council customers, who are subject to Liability Orders. HMRC will match against HMRC data and matching cases will be supplied to the Council with PAYE and self-assessment data.

The data will be used to enable management and recovery of Council Tax debt, via:

- Where financial vulnerability is identified, discussions around the use of debt support
- AOE where employment information has been provided
- Further discussion with the individual where self-assessment information has been provided

The data will be stored in a secure folder within the Council's IT system. HMRC will destroy their data once the Council has confirmed receipt.

The relevant data will only be kept for the period it is needed for the pilot.

The data will not be shared with anyone else. Example below (will be same as Brighton & Hove)

Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?

The nature of the data is customer name, address and liability order date from Kirklees Council and, for matching records and if applicable, PAYE and self-assessment information, which will include DOB and NINO, from HMRC.

There are no special categories or criminal offence data.

A sample of up to 4,000 records will be collected and used. This will be a mix of years, some multiple years; these will be selected from our caseload of recovery cases at different stages of recovery, i.e. enforcement, attachment, arrangements, GNA etc.

Data sent will include:

This is a one off pilot to inform the next phase.

HMRC will destroy the records supplied by the Council after processing, return to the Council and receive confirmation of receipt from the Council.

The Council will keep the data for duration of pilot. The standard data retention period for the pilot is one year. However, data that is being used operationally to recover debt, e.g. via an Attachment of Earnings, bankruptcy action or supporting identified vulnerable customers will be retained in line with local Council Tax data retention policies for each pilot authority and deleted in accordance with said policies.

Up to 4,000 individuals may be affected.

The geographical area covers the Kirklees boundary.

Describe the context of the processing: what is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?

The individuals reside or have resided within the Kirklees Council boundary, are liable to pay Council Tax to the Council and have not paid.

The individuals will have no control.

Council Tax is covered by the Local Government Finance Act 1992 and individuals are required to pay their Council Tax and would expect Kirklees Council to pursue recovery of their debt.

Children and other vulnerable groups, i.e. SMI, are not included.

There are no prior concerns over this type of processing and security flaws.

It is novel in that this is the first piloted use of data in this manner; however, the use of data sharing to manage and reduce debt is well established throughout the debt industry.

There is no new technology in this area for this type of pilot.

There are no issues of public concern to be factored in.

The Council and HMRC are required to adhere to the DEA Code of Practice, DPA 2018 and LGFA 1992 (as amended).

Describe the purposes of the processing: what do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly?

The pilot is aimed at: Increasing recovery of Council Tax debt from individuals who have not paid and debt support for those individuals identified as financially vulnerable.

The intended effect on individuals will be to, for those who are able to pay and choose not to pay, manage and recover their debt. For those who are identified as vulnerable, the effect will be to help them via debt support. It will also be fairer for those who do pay their Council Tax.

The benefits of the processing are:

- Identified financially vulnerable debtors can be signposted for assistance within or outside of the Council.
- Increase in Council Tax debt recovered
- Increase take up of reliable Attachment of Earnings,
- Increase in debt recovery due to knowledge of customers self-assessment information
- Reduce failure rate of Attachment of Earnings,
- Reduce need for using Enforcement Agents as a first port of call and increasing debt with fees. Thus reducing the costs for individuals especially vulnerable customers
- A fairer approach to reducing debt with ability to pay over a regular period.
- Improve our effectiveness in debt recovery, reducing pressure on budgets
- Those in regular employment will avoid expensive and stressful Enforcement Agent visits.
- Customers, knowing that we have access to HMRC data, will be encouraged in earlier take up to contact and make arrangements to pay.
- Efficiency savings by reducing time/court hearings on committal or insolvency cases.
- Efficiency savings on not transferring cases to Enforcement Agents.
- Earlier repayment of debt to the Council

Step 3: Consultation process

Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?

Individuals’ views will not be sought for this pilot; the Council already has the power to request employment details from individuals when a liability order has been obtained under Regulation 36 of the Council Tax (Administration & Enforcement) Regulations 1992 and employment details are already held in many cases where an attachment of earnings order has been served. Consultation is not therefore necessary on this occasion.

Additionally the Digital Economy Act 2017 has undergone a public consultation process.

Within Kirklees Council, the DPO, SIRO, senior decision makers, analysts and debt agents need to be involved.

Processors will be asked to assist.

Security, data protection and analyst experts will be involved and consulted.

Step 4: Assess necessity and proportionality

Describe compliance and proportionality measures, in particular: what is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?

The statutory gateway is:

- Local Government Finance Act 1992
- Digital Economy Act 2017, part 5, Chapter 3.

The lawful basis for processing is the: Performance of a task carried out in the public interest or in the execution of official authority vested in the controller

The processing will achieve the purpose and there is no other way of obtaining the same outcome.

The pilot will adhere to the DEA Code of Practice, DPA 2018 and LGFA 1992 and the project aim and processing will prevent function creep.

Data minimisation is achieved by adhering to the LGFA 1992, in that only the information supplied by the individual can be supplied to HMRC.

Data quality will be achieved by in-house processing by HMRC to ensure only matched individual data is returned to the Council that reaches HMRC matching criteria.

Information given to the individual will take the form of a Privacy Notice outlining the potential uses that may be made of their data for the purposes of Council Tax collection and in the event of non-payment. The Privacy Notice will also include details or reference to details of how to exercise data subject rights under the legislation.

Information given to individuals as a consequence of the matching activity will depend on the match data returned by HMRC, and for those with:

- PAYE data supplied, they will be informed that an AOE will commence
- Self-assessment data, they will be informed by letter or phone conversation.
- For those identified as financially vulnerable they will be helped by signposting for debt support

The Council will apply its fairness principles to the pilot.

All staff involved in the pilot have been suitably trained and have signed relevant data security policies.

Data will not be sent outside the UK.

Step 5: Identify and assess risks

Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary.

Likelihood of harm: Remote, possible or probable. Severity of harm: Minimal, significant or severe. Overall risk: Low, medium or high.

Risk - Data is shared with other sections or organisations for which there is no authorisation or legal justification.
Impact - Possibility of information being shared inappropriately
Compliance and corporate risk:
- Non-compliance with the DPA
- Non-compliance with sector specific legislation or standards
- Non-compliance with human rights legislation
- Non-compliance with the DPA or other legislation can lead to sanctions, fines and reputational damage
- Public distrust about how information is used can damage the council’s reputation
- Data losses which damage individuals could lead to claims for compensation

Risk – The data being collected may be considered sensitive as it shows employment details including levels of earnings, self-employment and income
Impact – Attachments to earnings that are implemented as a result of collecting information about them and possible customer interaction might be seen as intrusive
Compliance and corporate risk:
- Public distrust about how information is used can damage the Council’s reputation

Risk – Data concerning vulnerable customers may be divulged without authorisation putting individuals at risk
Impact – Vulnerable people may be particularly concerned about the risks of identification or the disclosure of information
Compliance and corporate risk:
- Non-compliance with the DPA
- Non-compliance with human rights legislation
- Non-compliance with the DPA or other legislation can lead to sanctions, fines and reputational damage
- Public distrust about how information is used can damage the Council’s reputation
- Data losses which damage individuals could lead to claims for compensation

Risk – Data held may be out of date
Impact – If a retention period is not established information might be held for longer than necessary
Compliance and corporate risk:
- Non-compliance with the DPA
- Non-compliance with sector specific legislation or standards
- Non-compliance with human rights legislation
- Non-compliance with the DPA or other legislation can lead to sanctions, fines and reputational damage
- Public distrust about how information is used can damage the Council’s reputation

...gnificant Medium

Step 6: Identify measures to reduce risk

Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5

Risk: Data is shared with other sections or organisations for which there is no authorisation or legal justification
Options to reduce or eliminate risk:
- A legal gateway for sharing this information has been established
- Restrict access to data through system usernames/passwords
- GDPR training delivered to all existing staff and incorporated in induction procedures for new staff provided

Risk: The data being collected may be considered sensitive as it shows employment details including levels of earnings, self employment and income details
Options to reduce or eliminate risk:
- Data only used by staff responsible for administering attachment of earnings
- legislation prescribes deduction percentages depending on income (section 6 of CT (admin and enforcement) regulations 1992)

Risk: Data concerning vulnerable customers may be divulged without authorisation putting individuals at risk
Options to reduce or eliminate risk:
- Restrict access to data through system usernames/passwords
- GDPR training delivered to all existing staff and incorporated in induction procedures for new staff provided

Risk: Data held may be out of date
Options to reduce or eliminate risk:
- Compliance with data retention periods that apply to service

Effect: Reduced, Low; Reduced, Low; Yes; Yes; Yes; Yes

Step 7: Sign off and record outcomes

Item | Name/date | Notes
Measures approved by: | | Integrate actions back into project plan, with date and responsibility for completion
Residual risks approved by: | | If accepting any residual high risk, consult the ICO before going ahead
DPO advice provided: | A legal gateway exists in the Digital Economy Act 2017 and the Local Government Finance Act 1992 (LGFA 1992) to obtain and use this data without public consultation | DPO should advise on compliance, step 6 measures and whether processing can proceed
Summary of DPO advice: | |
DPO advice accepted or overruled by: | | If overruled, you must explain your reasons
Comments: | |
Consultation responses reviewed by: | N/A | If your decision departs from individuals’ views, you must explain your reasons
Comments: | |
This DPIA will be kept under review by: | | The DPO should also review ongoing compliance with DPIA
