Welsh Revenue Authority information and data management strategy

Vision statement

Information and data are at the heart of our organisation.

Strategic principles

1. We will nurture trust in our data by investing in its quality and its value.
2. We will continue to innovate in the way we process our information throughout its lifecycle.
3. We will proactively collaborate with others to:
   • improve our understanding of tax and tax risk
   • create efficient, fair and easy to use services
4. We will share and be open as much as we can.

In addition to the data collected for Land Transaction Tax and Landfill Disposals Tax, we’ll ingest data and information from external sources, such as:

• HM Revenue and Customs
• HM Land Registry
• Natural Resources Wales

To:

• support and enhance our services and the way we manage the taxes
• provide a richer picture of tax related activity in Wales that can be used to inform policy development

This document replaces our previous Information Management Strategy. This sets out our approach to managing our data and information assets over the next 3 years to achieve the right balance between:

• making these assets more widely available to other public sector organisations and the public
• ensuring that adequate protection is in place, particularly around sensitive taxpayer data

We’ll review regularly and update as needed. This will assist us to achieve our objectives.

Throughout the information asset lifecycle, we’ll use systems and processes aligned with legislative requirements and transparency, supported by effective policies, procedures and guidance.

All employees of the WRA need data and information to do their jobs. The WRA cannot function or meet its objectives without it. This strategy is not just for those working in ‘information roles’. It’s for all WRA people, for every role, every grade, in all parts of the organisation.

It outlines what our people need to do to:

• manage our information assets better
• support Welsh Ministers
• support our customers

This strategy provides a framework for managing our data and information throughout its lifecycle. It aligns with The National Archives Information Principles and our strategic objectives in our 3 year corporate plan:

• easy
• fair
• capable
• efficient

The data and information we hold are a valuable corporate resource that provides the basis for:

• decision making
• providing services
• developing and communicating policies

These assets are needed to:

• inform policy development
• make evidence-based decisions
• ensure accountability to The Welsh Parliament and the public

To maximise the potential benefit from our information assets, we need to:

• manage them effectively through their lifecycle
• reuse them where we can
• share appropriately
• ensure they’re adequately protected

Information assets that are not managed properly may be lost or shared with the wrong people.

This strategy promotes the culture we have around protecting and using our information assets and is supported by senior management and the Board.

Decisions being taken across the organisation that affect our information assets should align to this strategy and its aims and should be reconsidered if they do not.

Good information asset management is crucial to how we work and brings benefits for staff:

• being able to find the information we need quickly and easily and being able to have confidence in the information and data
• knowing what to keep and what to dispose of – removing duplication and the “I’ll keep it just in case” approach
• knowing where to keep data and information assets and how to save them
• working more efficiently, making best use of resources – re-using data, information and knowledge created by you or others and not re-inventing the wheel
• working more collaboratively – making best use of skills and knowledge
• knowing what we can share and with whom
• knowing what information assets need to be protected and what should be made available to the public
• ensuring knowledge is captured and passed on to those that need it
• providing assurance that risks are reduced and the WRA is complying with its legislative responsibilities

Good information asset management enables us to:

• remain compliant with legal requirements, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act, and our obligations as a public records body under the Public Records Act with regards to the permanent preservation of WRA records of historical interest
• provide a more effective service to stakeholders and the public with greater transparency around the data and information we hold, whilst maintaining appropriate privacy and security around sensitive taxpayer data
• keep data and information safe by only allowing the right people access to it where it’s appropriate for their role
• preserve our reputation with the public and to meet expectations of how we’ll manage their information
• build trust in the quality and value of our information assets both for staff and the public
• manage our information to the Information Commissioner’s best practice standards to reduce levels of information-related risk and ensure that our information assets are protected and secure
• manage our information assets through the Information Asset Owner role
• provide confidence and assurance to our Senior Information Risk Owner, Accounting Officer and the Board that we’re managing information risk

Putting trust in the WRA from our many different stakeholders is integral to ‘Our Approach’ and to achieving our objectives.

Leading to:

• delivery of more efficient, cost effective services
• ensuring that we make the best use of our information assets
• increased understanding of what we do
• increased understanding and accountability of our performance
• confidence in the way we handle information they share with us
• reliability of our data and information
• increased collaboration on areas of common interest and secondary benefits from the data we collect and manage

Trust: we’ll nurture and build trust of our data, as well as its quality and its value

We value our data and information and will protect it to the highest standards. We will maintain and build on the high level of trust, quality and value we’ve already achieved.

We will:

• protect our data to the highest standards, investing in building and maintaining the right culture and controls, so that protecting our information is embedded throughout the WRA (capable, efficient)
• ensure our information assets are accurate and fit for their intended purpose, using technical controls, assurance and analysis to maintain and improve quality (capable, efficient)
• have an in-depth understanding of our information assets, supporting by a consistently high level of knowledge and expertise across the WRA (capable, efficient)
• use feedback to increase our understanding of our information, to improve our services and make it easier for people to get their tax right first time (easy, capable, efficient)
• continue our visible and effective leadership overseeing the corporate strategic direction of information management and information security within the WRA to build a strong culture of information governance across the WRA (capable, efficient)

Innovate: we’ll continue to innovate in the way we process our information throughout its lifecycle

We will increase the value of our data and information by thinking outside traditional silos and proactively looking for opportunities to re-use it and exploit it throughout its lifecycle.

We will:

• develop our culture of ‘collect once, use many times’, fully but safely exploiting our data and information via a risk based approach (capable, efficient)
• use innovation and technology to reduce inefficiencies around records management (efficient)
• develop and improve our Information Technology skills, particularly around cyber security, to ensure our systems are as robust as possible to protect them from harm (capable, efficient)
• continue and expand our use of agile working using service teams to leverage better outcomes from our information and staff resources (capable, efficient)
• ensure our data analysis environment supports wide ranging and coherent analysis, providing appropriate tools and skills for our analysts to continually develop our investigative capability (capable, efficient)

Collaborate: we’ll proactively collaborate with others to:

• improve our understanding of tax and tax risk
• create efficient, fair and easy to use services

Joining up with other organisations and sharing data and information will enable us to make it easier for our customers to get it right first time. Greater understanding of tax and tax risk will help us reduce tax debt. This collaboration will help us collectively meet our objectives as effectively and efficiently as possible.

We will:

• use our data and information to identify those who have not paid the right amount of tax and take appropriate action, identifying risks in the tax system, mitigating them and taking action where people have got things wrong. This is core to our tax risk approach (fair, capable, efficient)
• aim to be a trusted partner for the design of revenue services, using our information and knowledge to support the improvement of existing functions and the development of new services (easy, fair, capable, efficient)
• use behavioural insights and user research to design better ways to collect data and information to make it easier for customers to use our services and encourage increased digital filing and payment (easy, fair, efficient)
• look for opportunities to share information with other organisations, where legally allowed, to improve our services and make them easier to use (easy, fair, capable, efficient)
• actively seek out opportunities to work with our partners to maximise the benefits from sharing information so we can all achieve our objectives (fair, capable, efficient)

Share: we’ll share and be open as much as we can

We will actively work together to share and respond to requests as far as we can.

We will:

• actively work together to make sure we have the right processes in place to respond to requests for information (capable, efficient)
• allow people to access their information, unless there is a good reason why we cannot (fair, efficient)
• let you know if we need to share your information with other organisations to give you better public services, and whether you can say no to this (fair, efficient)
• work openly and transparently, building on our experiences of agile development such as the service teams and data platform work (capable, efficient)
• issue publications and research reports on our website. Details of our publications will be added to the Welsh Government publications catalogue (efficient)

• Our Board and Tîm Arwain (Executive Team) provide strategic oversight of the performance and management of WRA functions, including management and security of information. They ensure the WRA has the right framework in place for identifying and managing its risks effectively.
• Tîm Arwain is supported to manage information and security across the WRA through the following arrangements and roles.
• The Information Management and Security (IMS) group is comprised of the main Information and Security roles and those IAOs that hold the more valuable/higher risk assets for the WRA. The group is chaired by the Lead IAO, who also sits on Tîm Arwain and the Board to create a clear link through the organisational leadership teams.
• The IMS Group will produce a quarterly report covering information management and security (including cyber) for Tîm Arwain, ARAC, our Data Protection Officer (DPO) and our Senior Information Risk Owner (SIRO). The IMS Group receives monthly reports on Cyber Security, Data Breaches, and manages workplans for both areas, and will meet to discuss this. The entire IAO network will also meet quarterly.
• IAOs identify their assets and the risks and opportunities associated to those assets, managing those locally (within function) where possible, and escalating to the IMS Group where appropriate (for example, it’s a material risk or cross-cutting risk). 
• The Technical Design Group, along with departmental risk registers is used to identify and manage specific technical risks and issues, that may escalate to IMS if this represents a risk to WRA’s information management and security
• Quarterly update meetings, based on the quarterly IMS report, are held with the DPO with the Lead IAO and Head of Information Governance. Internal audit activity is agreed with the DPO and Tîm Arwain around information management assurance.
• Quarterly update meetings, based on the quarterly IMS report, are held with the Chief Security Officer (on behalf of the WRA’s SIRO) with the Lead IAO, Cyber Security Manager and Head of Information Governance. A programme of internal audit is agreed with the SIRO for IT Security.