Skip to main content

Our data protection policy and how we manage your personal information.

This policy with our privacy notices explain how we collect, use, disclose, transfer and store your personal data under the:

By ‘personal information’ or ‘personal data’, we mean any information that can identify you as a person. It does not include data where you cannot be identified (anonymous data).

About our policy

We’re committed to protecting the privacy and security of your personal information. 

As a data controller we’re responsible for deciding why and how we hold and use personal information about you.

This policy with our privacy notices describe how we collect and use personal information, such as:

  • for tax collection and management
  • about our staff to do with their employment
  • from who we get goods and services
  • we collect from social media interaction
  • saved as files (known as ‘cookies’) from our online services

Data protection legislation requires us to let you know about the information contained in our privacy notices.

You should read all notices that apply to you when we’re processing your personal data, so you know how and why we’re using your information. We may sometimes need to provide you with extra privacy notices.

As a statutory body, we have statutory functions and a legal duty of confidentiality. This is set out in the Tax Collection and Management (Wales) Act 2016 (TCMA).

We’ll only share your personal data with third parties where we’re legally allowed to do so.

Data protection principles

We’ll always comply with data protection law. Personal information we hold about you must be:

  • used lawfully, fairly and in a transparent way
  • collected only for valid purposes that we’ve clearly explained to you and not used in any way that is incompatible with those purposes
  • adequate, relevant and limited to what’s needed for the purpose of the processing
  • accurate and kept up to date
  • kept in a form that identifies you for only as long as needed for the purposes we’ve told you about
  • kept securely

Information we hold about you

We process data about:

  • members of the public
  • customers and clients
  • businesses
  • suppliers and service providers
  • advisers, consultants and other professional experts
  • complainants and enquirers
  • taxpayer agents and representatives
  • relatives, children, guardians, dependents and associates
  • offenders and suspected offenders
  • job applicants
  • workers
  • tax payments and liabilities

Depending on the reason for our processing, we may collect, store and use specific categories of information about you. This includes:

  • your contact details, such as name, title, address, email addresses and phone numbers
  • gender
  • marital status
  • National Insurance number, passport, driving licence and other identification
  • bank account details
  • your employment
  • your business activities
  • your domestic and business properties
  • civil findings and your convictions
  • tracking and monitoring data, for example, cookies, when you use our digital services or social media

We’ll also collect, store and use special categories of more sensitive information, where relevant to our role, such as:

  • about your health
  • about criminal activities and investigations

How we collect your personal information

We collect personal information directly from you, such as when:

  • you, your representative or agent use our services
  • you submit tax returns to us
  • you contact us and correspond with us
  • we communicate with you
  • we undertake checks on tax returns and transactions
  • you use GOV.WALES and our social media (also see Cookies)
  • you attend an event or webinar

We may also receive your personal information directly from third parties such as:

  • other government departments
  • public authorities
  • publicly available sources
  • your agent or representative (if applicable)
  • intelligence sources
  • whistleblowing

How we use your information

We’ll only use your personal information when the law allows us to.

Most commonly, we’ll use your personal information where needed:

  • to comply with a legal obligation
  • to carry out a task in the public interest or in the exercise of our official authority as a government department
  • to assess or collect tax, including civil investigations and proceedings
  • for the prevention, investigation, detection or prosecution of crime

We may sometimes ask you for consent to use your personal information. But your consent is not required for the common uses mentioned.

When we’ll use your personal information

We need all the categories of information mentioned in this policy for us to comply with legal obligations and carry out our role.

But we’ll only collect and use your personal data when we need to. In our case as a revenue authority, for the collection and management of devolved Welsh taxes:

  • Land Transaction Tax
  • Landfill Disposals Tax

We’ll also process your personal data:

  • when carrying out any of our lawful functions
  • to check that data we hold about you is accurate and up to date
  • to compare it against other information to help reduce tax risk, as well as combat tax avoidance and evasion
  • to help us confirm your identity when you contact us or access our services
  • to provide and improve services to you (including testing our systems)
  • to produce statistics, but we’ll never publish details about an individual taxpayer
  • to conduct analysis which helps us to improve our services
  • to contact you about our functions and activities
  • to enable you to access our services
  • when gathering information from other sources (for example banks or financial reporting services)

Sharing your data

In some circumstances, we’ll lawfully share your data with:

  • third-party service providers
  • UK and Welsh government departments
  • public authorities
  • law enforcement agencies in the UK and European Union (EU)
  • debt collection agencies

We’ll also share your data with your consent when you authorise us to do so, such as with your agent or representative. We require third parties to respect the security of your data and to handle it lawfully too.

We may share your personal information with third parties

  • When required or allowed by law.
  • When you authorise us to do so.
  • Required for the performance of our role as a government department.

We’ll also share your personal information with the police and other law enforcement agencies where needed. This will sometimes involve sharing special categories of personal data. For example, data about criminal convictions or allegations.

Use of third-party service providers

We use or work with contractors and other third-party service providers who will process personal data on our behalf. Those third parties are usually our data processors. They can only process your personal data on our instruction or agreement for specified purposes. We do not allow our data processors to use your personal data for their own or other purposes.

We also have some situations where third-party service providers will process personal data as a data controller, for example, our auditors. In these circumstances, we still have strict controls over how the third party can use your data.

Securing your data

We follow strict security standards and treat the security of your data very seriously.

We have robust procedures to safeguard and secure the information we collect about you. All our staff get regular training to keep data safe. Anyone who process personal data on our behalf has to demonstrate they have training and procedures in place to keep data safe.

We also limit access to your personal information to those who have a business or legal need to do so, or have access authorised by you.

Our third-party service providers will only process your personal information:

  • on our instruction
  • with our agreement
  • where they've agreed to secure and treat the information confidentially and keep it secure

We've taken steps to make sure there's an appropriate level of security for personal data processed via our services.

There are procedures in place to deal with any suspected data security breach. We’ll notify you and the regulator of a suspected breach where we’re legally required to do so.

Storing your data

We store all your personal information in the UK and will not transfer it outside the UK. We require third-party service providers who process data on our behalf to do the same. Third parties not under our direct control may store your data in the UK and EU.

Retaining your data

We keep your personal information:

In some circumstances, we’ll anonymise your personal information so that it can no longer link to you. We’ll use such information without further notice to you.


Our Data Protection Officer oversees compliance with data protection obligations.

For any questions about this policy, related privacy notices, or how we handle your information, contact our Data Protection Officer. Complains should also be directed to this contact in the first instance:

Data Protection Officer

Welsh Revenue Authority
PO Box 108
Merthyr Tydfil
CF47 7DL

Rydym yn croesawu gohebiaeth yn Gymraeg / We welcome correspondence in Welsh.

You can also complain directly to the Information Commissioner’s Office (ICO). The ICO is the UK supervisory authority for data protection issues.

Information Commissioner’s Office Wales

Churchill House
17 Churchill Way
CF10 2HH

Telephone: 029 2067 8400 / 0303 123 1113

Rydym yn croesawu galwadau a gohebiaeth yn Gymraeg / We welcome calls and correspondence in Welsh.

Changes to this policy

Any changes to this policy will be updated on this page; for example, any new uses of personal data.

Revisit this page and any privacy notices that apply as you use our services to make sure you’re aware:

  • of what information we collect
  • how we use personal data
  • when we may share data with other organisations

From time to time, we may also contact you through other means about the processing of your personal data.

Our privacy notices

Please read privacy notices that apply to you and to see your rights for each type of processing.

Tax data

Find out how we process data for taxes we’re responsible for.

See our tax data privacy notice.

summary version of this privacy notice is also available.

Agents should provide a copy of this notice to clients paying a devolved tax to know what personal information is being collected and used.

Transaction monitoring

To protect your data and our services, we operate transaction monitoring capabilities. This records how you connect to our systems, and what you do while you are on them.

See our transaction monitoring privacy notice.

National Fraud Initiative

How we’ll use your personal information at the Welsh Revenue Authority for the National Fraud Initiative (NFI).

See our National Fraud Initiative privacy notice.

Young people

See how we manage young people’s personal information at the Welsh Revenue Authority for tax purposes.

Communication and engagement

Find out how we we manage personal data when you communicate and engage with us.

See our privacy notice for communicating and engaging with us.

Website and Cookies

Our website and content such as our guidance is hosted by GOV.WALES.

See website privacy notice to find out how your information is gathered when you interact with this website.

We also use cookies to store information when you use our online tax services and these need to be set separately from those for GOV.WALES.

Photos, videos and audio

See how we manage photos, videos and audio recordings taken or received by us for publications.

Human Resources (HR)

We collect lots of information about the people who work for us, including special category data.

See our HR privacy notice on how we process it.


We collect personal data as part of our procurement process.

See our procurement privacy notice.

Third party privacy notices

We receive personal data from and give personal data to other organisations. Most organisations put their privacy notices on their website in the footer.

We’re not responsible for the content of third party privacy notices and policies.