Memorandum of Understanding: accessing HMRC information to assist the King’s Award for Enterprise Committees to make recommendations about awards to UK companies
Published 19 October 2023
© Crown copyright 2023
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/sharing-hmrc-information-to-assist-the-kings-award-for-enterprise-committees-recommendations/memorandum-of-understanding-accessing-hmrc-information-to-assist-the-kings-award-for-enterprise-committees-to-make-recommendations-about-awards-to-u--4
1. Introduction
This Memorandum of Understanding (‘MoU’) sets out the information sharing arrangement between HMRC and the Department for Business and Trade. For the context of this MoU ‘information’ is defined as a collective set of data and/or facts that when shared between the participants through this MoU will support the participants in delivering the purpose of the data sharing activity described below.
Information will only be exchanged where it is lawful to do so. The relevant legal bases are detailed within this agreement. It should be noted that ‘exchange covers all transfers of information between the participants, including where one participant has direct access to information or systems in the other.
This MoU is not intended to be legally binding. It documents the respective roles, processes, procedures, and agreements reached between HM Revenue and Customs (HMRC) and the participants. This MoU should not be interpreted as removing, or reducing, existing legal obligations or responsibilities of each participant, for example as Controllers under the UK General Data Protection Regulations (UK GDPR).
2. Purpose and benefits of the data sharing agreement
The Commissioners believe that disclosure of HMRC information to Department for Business and Trade to inform the Kings Award Office, supports HMRC functions of collecting and managing revenue and is necessary and proportionate because it supports wider government aims and fulfils HMRC functions by:
-
increasing the likelihood that companies who may be subject to the HMRC check will ensure that their tax affairs are in order and up to date
-
increasing the likelihood that other companies in a similar position will be influenced to rectify their tax affairs if they become aware that poor tax behaviour is not consistent with receiving a King’s Award
-
increasing the likelihood that taxpayers at large will maintain their trust in the integrity of tax administration by HMRC and comply with their tax obligations voluntarily if tax behaviour is seen as a factor when considering public reward and recognition via the King’s Awards system
-
reducing the likelihood that taxpayers at large will lose their trust in the integrity of tax administration by HMRC and so fail to comply with their tax obligations voluntarily. Trust would likely be lost if a King’s Award for Enterprise was awarded to a company with negative tax behaviours and those behaviours became linked to the positive recognition that accompanies a King’s Award
The purpose of this MoU is to set out the arrangements for the exchange of information between HMRC and the Department of Business and Trade, in relation to due diligence checks undertaken by the King’s Awards Office prior to making recommendations to the Prime Minister and the King for the award of a King’s Award for Enterprise.
The King’s Award Office requests government departments and agencies including HMRC to undertake due diligence checks and file a risk rating return to the King’s Award Office on business entities (referred to as companies for the purposes of the MOU) in order to inform recommendation on the suitability of a company for a King’s Award for Enterprise.
The benefits of disclosure by HMRC are enhanced by the guidance on GOV.UK for those considering applying for a King’s Award clearly stating that an eligibility requirement is that Company Tax Returns must be filed with HMRC.
The on-line application form includes a declaration as follows: “I am not aware of any matter which might cast doubt on the worthiness of my organisation to receive a King’s Award for Enterprise. I consent to all necessary enquiries being made by the King’s Awards Office in relation to this entry. This includes enquiries made of government departments and agencies in discharging its responsibilities to vet any business unit which might be granted a King’s Award to ensure the highest standards of probity”.
Shortlisted applicants are made aware that the King’s Award Office will undertake due diligence checks with government departments and agencies including HMRC. Those applying for an award, companies in a similar position and taxpayers at large may become aware that HMRC carries out checks to inform the decision to present a King’s Award for Enterprise.
The benefits to HMRC functions outlined in the above sections can be achieved through minimal disclosure of information in the form of a risk rating of low, medium and high reflecting the categories in the Annex to this MoU and without disclosing any underlying detail about the tax affairs of an individual being considered for an award.
3. Relationships under UK GDPR in respect of any personal data being exchanged under this agreement
HMRC and the Department for Business and Trade
Status of HMRC under UK GDPR in respect of any personal data being processed under this agreement
HMRC will be disclosing and receiving personal data under this agreement.
Where personal data is being disclosed under this agreement, HMRC status will be a controller because HMRC alone determines the purpose and means of the processing of personal data.
Where personal data is being received under this agreement, HMRC status will be a controller because HMRC alone determines the purpose and means of the processing of personal data.
Department for Business Trade under UK GDPR in respect of any personal data being processed under this agreement
Department for Business Trade will be disclosing and receiving personal data under this agreement.
Where personal data is being received under this agreement, Department for Business and Trade status will be a controller because they alone determine the purpose and means of the processing of personal data
Where personal data is being disclosed under this agreement, Department for Business and Trade status will be a controller because they alone determine the purpose and means of the processing of personal data.
4. Handling of Personal Data and Security
Where participants bear the responsibility of a Data Controller they must ensure that any personal data received pursuant to this MoU is handled and processed in accordance with the current seven UK GDPR principles.
Additionally as part of the Government, HMRC and Department for Business and Trade must process personal data in compliance with the mandatory requirements set out in HM Government Security Policy Framework guidance issued by the Cabinet Office when handling, transferring, storing, accessing or destroying Information assets.
Participants must ensure effective measures are in place to protect personal data in their care and manage potential or actual incidents of loss of the personal data. Such measures will include, but are not limited to:
-
personal data should not be transferred or stored on any type of portable device unless absolutely necessary, and if so, it must be encrypted, and password protected to an agreed standard
-
participants will take steps to ensure that all staff involved in the data sharing activities are adequately trained and are aware of their responsibilities under the Data Protection Act, UK GDPR and this MoU
-
access to personal data received by participants pursuant to this MoU must be restricted to personnel on a legitimate need-to-know basis, and with security clearance at the appropriate level
-
participants will comply with the Government Security Classifications Policy (GSCP) where applicable
Duration of the data sharing
Start date of agreement: 01 July 2022
End of date agreement: 0 July 2027
A review will take place on 20 April 2024
Frequency and Volume of data being shared
Annually 400 entities.
5. Legal basis and lawful basis
HMRC has specific legislation within the Commissioners for Revenue and Customs Act (2005) which covers the confidentiality of information held by the department, when it is lawful to disclose that information and legal sanctions for wrongful disclosure. For HMRC, disclosure of information is precluded except in certain limited circumstances (broadly, for the purposes of its functions, where there is a legislative gateway or with customer consent. Unlawful disclosure relating to an identifiable person constitutes a criminal offence. The criminal sanction for unlawful disclosure is detailed at section 19 of the Commissioners for Revenue and Customs Act 2005.
Data can only be shared where there is a legal basis for the exchange and for the purposes described in this MoU. No data should be exchanged without a legal basis and all exchanges must comply with our legal obligations under both the Data Protection Act 2018 and Human Rights Act (HRA) 1998.
Section 18 of the Commissioners for Revenue and Customs Act 2005 (CRCA) places HMRC under a statutory duty of confidentiality not to disclose information it holds in connection with its functions except in the circumstances permitted by section 18. Unlawful disclosure relating to an identifiable person constitutes a criminal offence. The criminal sanction for unlawful disclosure is detailed at section 19 of the CRCA.
Section 18(2)(a) of CRCA provides HMRC with the lawful authority to make a disclosure of HMRC information where it is for a function of HMRC and does not contravene any restriction imposed by the Commissioners. This enables HMRC to disclose information in order for HMRC to carry out its functions of collecting and managing revenue.
Personal data can only be processed (transferred, disclosed) where there is a valid lawful basis/bases as set out in Article 6 of UK GDPR – see ICO guidance ‘Lawful basis – Article 6 (1) (e) of the UK GDPR, Public task’.
6. Details about the data sharing
Information identifying companies, sole proprietors, and partnerships to be checked by HMRC is provided by the King’s Awards Office, Department for Business and Trade. Upon receipt of the information, HMRC will identify award applicants and commission reports on the tax behaviour of such applicants. The reports are presented to senior HMRC officials who comprise the checking panel for the purpose of arriving at a risk rating. The checking panel use the behaviours contained within the Annex C – Risk rating matrix as a guide to determine a rating based on the level of potential reputational risk to HMRC and the likely adverse impact on tax compliance should the applicants tax behaviour become generally known.
The data fields to be shared
Department for Business and Trade to HMRC:
- company name
- registration number
- address
- description of the business
HMRC to Department for Business and Trade:
- rating of low/medium/high – no reasons given for that rating
Source systems
For Department for Business and Trade: data primarily from applicants.
For HMRC: data held within HMRC compliance and head of duty systems.
Government security classification
Official sensitive – there is no special category data, sensitive data or criminal offence data being shared.
The method by which data will be transferred under this agreement
Both to and from Department for Business and Trade and HMRC will be via Transport Layer Security email. Ratings are returned on a password protected document. The password is sent by separate email.
Accuracy of the data being shared
Before sharing data both participants must take all reasonable steps to ensure that the data being shared is both accurate and up to date. The exporting department will ensure that data integrity meets their own department’s standards, unless more rigorous or higher standards are set out and agreed at the requirements stage. Participants will notify each other of any inaccuracies of the data as they are identified.
Retention and destruction of data
HMRC will hold the data in a restricted access-controlled SharePoint site.
King’s Awards Office, Department for Business and Trade, will hold the data while there is a business need to keep it and in any event for a maximum of 12 months following the publication of the annual list of winners of the King’s Awards for Enterprise. The standard default standard retention period will be followed.
HMRC will retain the data in line with its policy. Data retention policy is either the standard default standard retention period for HMRC records, which is 6 years plus current, (otherwise known as 6 years + 1), unless there is another clear legal, statutory, regulatory, or business exception in place.
The data held by HMRC is accessed only by those personnel that work on Awards and have BPSS clearance or above. This also includes those involved in tracing work, and report writing, who will have basic security checks or higher. They are also bound by the Official Secrets Act and HMRCs Data Security.
The King’s Awards Office will keep the data disclosed by HMRC confidential and without limiting its legal obligations under Data Protection legislation. The data held by Department for Business and Trade is accessed only by those personnel involved in the secretariat duties of the annual Awards programme and the ratings will only be shared with the Permanent Secretaries who chair the Award Judging Panels.
Onward disclosure to third parties
Both parties will only use the data they receive for the purposes that it is provided for namely, to inform a recommendation to the Prime Minister and the King that a King’s Award is awarded to a company.
Any HMRC risk rating of a company of Low, Medium or High is not shared beyond the King’s Awards Office.
However, in the rare circumstances that a company is put forward in a shortlist to the Prime Minister’s Advisory Committee before due diligence has been completed, that committee will be informed that due diligence has not been completed but will not be informed which government departments and agencies have not filed a due diligence return.
King’s Award Office and HMRC will not onwardly disclose the data to any other parties.
HMRC will not:
- disclose to King’s Awards Office any details other than the rating (low, medium or high)
- will not engage directly with a company to explain any rating, or disclose it
- will not engage with any other interested party to explain the rating
Department for Business and Trade will not:
- disclose to the King’s Award applicant or any other party which department gave the rating that prevented the award
Department for Business and Trade will:
- agree a form of generic wording with HMRC to provide to applicants who do not meet the eligibility criteria
7. Role of each participant to the MoU
Role of HMRC:
-
identify the appropriate data required from HMRC IT systems / records
-
provide the data to participant 2 in as described transferred by secure TLS Email from and to agreed contact points
-
only allow access to that data by the team requiring it
-
ensure that staff handle this data in line with the approved secure transfer method agreed by both departments and within HMRC data security instructions
-
only store the data for as long as there is a business need to do so
-
move, process and destroy data securely, ie in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
-
comply with the requirements in the Security Policy Framework, and in particular prepare for and respond to Security Incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
Role of the Department for Business and Trade:
-
identify the appropriate data required from HMRC
-
only use the information for purposes that are in accordance with the legal basis under which it was received
-
only hold the data for as long as there is a business need to do so
-
ensure that only people who have a genuine business need to see the data will have access to it
-
on receipt, store data received securely and in accordance with the prevailing central government standards, for example in secure premises and on secure IT systems
-
move, process and destroy data securely, ie in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
-
comply with the requirements in the Security Policy Framework, and in particular prepare for and respond to Security Incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
-
if participant 2 adheres to a different set of security standards they must inform HMRC what these standards are and comply with any additional security requirements specified by HMRC
-
seek permission from HMRC before onward disclosing information to a third party other than those agreed
-
seek permission from HMRC if you are considering offshoring any of the personal data shared under this agreement
-
mark information assets with the appropriate government security classification and apply the baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, issued by the Cabinet Office, and as a minimum the top level controls framework – Security Controls Framework to the GSC
8. Monitoring and reviewing and arrangements
This MoU relates to a regular exchange that must be reviewed annually to assess whether the MoU is still accurate and fit for purpose.
Reviews outside of the proposed review period can be called by representatives of either participant. Any changes needed as a result of that review may be agreed in writing and appended to this document for inclusion at the formal review date.
Technical changes necessary to improve the efficiency of the exchange that do not change the overarching purpose can be made without the requirement to review formerly the MoU during its life cycle but must be incorporated at the formal review stage.
A record of all reviews will be created and retained by each participant.
9. Assurance arrangements
HMRC has a duty of care to assure any data that is passed on to others. Processes covered by this MoU will be subject to annual reviews, from the date of sign off. HMRC may also choose to introduce ad hoc reviews.
Assurance will be provided by the annual completion of a Certificate of Review and Assurance. The assurance processes should include checking that any information sharing is achieving its objectives (in line with this MoU) and that the security arrangements are appropriate given the risks.
Department for Business and Trade agrees to provide HMRC with a signed Certificate of Review and Assurance within the time limits specified upon request.
HMRC reserves the right to review the agreed risk management, controls, and governance in respect of this specific agreement.
10. Security
The designated points of contact within each department are responsible for notifying the other participant in writing in the event of loss or unauthorised disclosures of information within 24 hours of the event.
The designated points of contact will discuss and agree the next steps relating to the incident, taking specialist advice where appropriate. Such arrangements will include (but will not be limited to) containment of the incident and mitigation of any ongoing risk, recovery of the information, and notifying the Information Commissioner and the data subjects. The arrangements may vary in each case, depending on the sensitivity of the information and the nature of the loss or unauthorised disclosure.
11. Subject access requests
In the event that a Subject Access Request (SAR) is received by either participant they will issue a formal response on the information that they hold following their internal procedures for responding to the request within the statutory timescales. There is no statutory requirement to re-direct SARs or provide details of the other participant in the response.
12. Freedom of Information Act (FOI) 2000
Both participants are subject to the requirements of the Freedom of Information Act (FoIA) 2000 and shall assist and co-operate with each other to enable each organisation to comply with their information disclosure obligations.
In the event of one participant receiving an FoI request that involves disclosing information that has been provided by the other participant, the organisation in question will notify the other to allow it the opportunity to make representations on the potential impact of disclosure.
All HMRC FoI requests must be notified to the Central HMRC FOI Team inb: foi.team@hmrc.gov.uk
Signatories
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
Annex A – Glossary of terms
| Definition | Interpretation |
|---|---|
| Ad hoc transfer | Defined as being bulk data with a protective marking of restricted or above and the transfer is part of a pilot or project with a definitive end date. |
| Data controller | Has the meaning set out in Article 4 UK GDPR or, in respect of processing of personal data for a law enforcement purpose to which Part 3 of the Data Protection Act 2018 applies, the meaning in that part if different. |
| Data processor | Has the meaning set out in Article 4 UK GDPR or, in respect of processing of personal data for a law enforcement purpose to which Part 3 of the Data Protection Act 2018 applies, the meaning in that part if different. |
| Data Protection legislation | Means the General Data Protection Regulation, the UK GDPR, the Data Protection Act 2018 and all applicable laws and regulations relating to processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner. |
| Direct access | Covers an information sharing instance where the receiving department accesses the information via direct, or browser, access to the source system rather than as an extracted information transfer. This agreement will require specific terms and conditions ensuring that access is appropriate and correctly applied, managed and recorded. |
| Freedom of Information Act (FOI) | Freedom of Information Act 2000 and any subordinate legislation made under this Act together with any guidance and/or codes of practice issued by the Information Commissioner or Ministry of Justice in relation to such legislation. |
| Granting access | The governance and authority surrounding the authorisation of a person to have access to a system. |
| Human Rights Act 1998 | An Act to give further effect to rights and freedoms guaranteed under the European Convention on Human Rights. Public authorities like HMRC must follow the Act. |
| Information Asset Owner (IAO) | Means the individual within a directorate, normally the director, responsible for ensuring that information is handled and managed appropriately. |
| Law | Means any applicable law, statute, bye-law, regulation, order, regulatory policy, guidance or industry code, rule of court or directives or requirements of any regulatory body, delegated or subordinate legislation or notice of any regulatory body. |
| Provisioning access | The technical channels through which access is made possible, including the request tools associated with this. |
| Public sector body | This will generally be an other government department (OGD) but could be another public sector body (such as a local authority). Information sharing with a private sector body with which HMRC has a commercial relationship needs to be covered by a commercial contract, not a MoU. |
| Regulatory bodies | Means those government departments and regulatory statutory and other entities, committees and bodies which, whether under statute, rules, regulations, codes of practice or otherwise, are entitled to regulate, investigate, or influence matters dealt with in this agreement and ‘regulatory body’ shall be construed accordingly. |
| Senior Information Risk Owner (SIRO) | Provides high level assurance of compliance with HMRC’s Information Asset data protection obligations. HMRC’s SIRO is the HMRC Chief Digital and Information Officer, Director of Chief Digital and Information Officer Group. |
Annex B – Data protection processor relationships
What are data controllers and processors?
The Data Protection Act 2018, which draws on the definitions in Article 4 GDPR, defines these as:
The ‘data controller’ – a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.
The ‘data processor’ – in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
When processing data there will always be a data controller. This controller can establish a 3rd party relationship to assist in processing their data or process the data themselves. Should the controller establish a data processing relationship, this could take the form of a controller-processor, a controller-controller, or a joint controller relationship. Understanding the different 3rd party relationships and their respective requirements is essential to comply with data protection regulations.
It is important to note that the controller can process data but retain the title of controller. You are called a processor only when you are processing with entirely no qualities of a controller.
In summary, the data controller exercises overall control over the ‘why’ and the ‘how’ of a data processing activity, whilst the processor has no involvement in deciding the why and how.
What are the types of data protection 3rd party relationships?
There are 3 types of relationships between controllers and 3rd parties when carrying out the processing of data:
- controller – processor
- controller – controller
- joint controllers
Where personal data is processed there will always be a ‘controller’ – for example, a person (body/individual) who determines the purpose and means of the processing (Article 4(7)). They may do so alone or jointly with others.
How do I begin to define my processor relationship?
It can be challenging to understand both your role and the role of the party you are processing data with. There are different administrative requirements which need to be complied with depending on which type of relationship it is. Without complying you expose yourself to legal risk.
When assessing whether a party is a processor, data controller or a joint controller, the key question is who is determining the purpose and means of processing? In more user friendly terms, who is it that decides why and how personal data is processed?
How do I identify a data controller?
The term data controller is defined by Article 4 of the GDPR as the body/person which determines the means and purposes of processing, and processor is defined as a person/body who carries out processing on behalf of a controller.
To identify a data controller, consider:
- who establishes the lawful basis for collecting the personal data
- who decides what personal data to collect (for example, content of the data)
- who decides the purpose or purposes the data are to be used for
- who decides which individuals to collect data about
- who makes decisions about whether to disclose the data, and if so, who to
- who reviews and decides whether subject access and other individuals’ rights apply (such as applications of exemptions)
- who decides how long the data is kept for and whether to make routine amendments to the data
The above actions are those which would be undertaken by a data controller.
Who is the data controller when an organisation is required by law to process personal data?
When personal data is processed only for the purpose and means for which it is required by legislation to be processed, the person who has the obligation under that legislation to process the data is the controller, regardless of whether they appoint another party to carry out the processing. See s.6(2) of the DPA 2018, which is dealt with in less specific terms in the last part of the definition in Article 4(7) of the GDPR. This provision replicates section 1(4) of the 1998 Act.
Annex C – Risk rating matrix
The behaviour types listed are indicative only and not limited to these areas. Categorisation of an individual does not necessarily mean that HMRC considers the individual to have committed the example behaviour traits listed.
HMRC looks back over the last 5 years and seeks to apply the same objective standard to all candidates irrespective of individual circumstances or the nature or status of their vocation or achievements.
| Number | Low – No known tax behaviours considered likely to cause adverse public comment | Medium – Disclosure of tax affairs likely to cause adverse comment | High – Disclosure of tax affairs very likely to cause serious adverse comment | Summary |
|---|---|---|---|---|
| 1 | Past history of tax avoidance or evasion that relates to a tax year more than 3 years ago (or a shorter period at the panel’s discretion), that has since been fully settled. An open avoidance enquiry for just one year but relating to a period 5 or more years ago. At the Panel’s discretion, and in exceptional circumstances, where there is open avoidance that can’t currently be settled. In all cases no indication that the individual is engaged in further avoidance or evasion. | Currently has one or more open enquiry into use of avoidance where the customer has the opportunity to settle (unless assessed as low). | Currently has one or more open enquiry into use of avoidance, alongside a recent history of serial avoidance over 3 or more tax years. | Avoidance |
| 2 | Routine compliance checks, not more detailed investigations. Minor issues. Actively engaging with HMRC. | Currently or recently (closed within the last 3 years) subject to a COP 8 investigation into a serious tax loss and cooperating with HMRC. A lack of active engagement with HMRC in dealing with compliance checks, or other correspondence. | Not cooperating with a COP 8 investigation. Currently or recently (closed within the last 3 years) subject to a COP 9 investigation into serious tax fraud. Subject to a current or recent (closed within the last 10 years) criminal investigation. A historical and repetitive lack of active engagement with HMRC in dealing with compliance checks, or other correspondence. | Compliance checks and engagement with HMRC |
| 3 | All tax returns and payments up to date or where there are minor debts with active engagement to resolve them. | Outstanding returns, or payment arrears. No active engagement with HMRC to remedy the position. | A history of repeated outstanding returns, or payment arrears. No active engagement with HMRC to remedy the position. | Debt and returns compliance |
| 4 | No evidence of deliberate behaviour exhibited. | Deliberate behaviour exhibited. HMRC needs to or has needed to: use a production order/use a tribunal approved information notice/seek daily penalties for non-cooperation. | Currently within HMRC’s High Risk Wealthy Programme or High Risk Corporates Programme. Evidence of criminal activity, either current or recent. | Behaviours |
| 5 | Straightforward disputes involving technical or novel issues of contention. No evidence of boundary pushing. | Disputes where there is evidence of evasion. Evidence of boundary pushing, which goes beyond acceptable tax planning. | Evidence of offshore evasion. Currently within HMRC’s Managing Serious Defaulters Programme, or where the customer has been named on gov.uk following an HMRC intervention. | Tax planning arrangements and evasion |
| 6 | No involvement in illicit trades. | Not directly involved in illicit trades, but there is evidence to suggest was aware, or known or should have known of the possibility of such activity within their supply chain and does not take action to minimise it. | Direct involvement in illicit trades. | Illicit activity (for example: the commercial importation and/or distribution of counterfeit goods) |
| 7 | Errors identified that breach compliance with excise or customs legislation. Typically, those errors that are minor or where no attempt made to deliberately mislead or evade customs officials. | Importation of goods requiring an appropriate licence without that licence having been obtained. No steps taken to mislead or evade customs officials. Repeated breaches of excise or customs legislation and failure to correct procedures and processes. | Deliberate attempt to smuggle goods with intent to evade excise and customs duty. Includes seizure of goods, no criminal conviction necessary. Deliberate attempt to smuggle drugs and other goods subject to Prohibitions and Restrictions. Includes seizure of goods, no criminal conviction necessary. | Customs |
| 8 | Customs - previous (within last 3 years)/current (open) compliance issues with Strategic Exports and Sanctions and Embargoes – routine compliance issues only. | Customs - Current (open) compliance issues with Strategic Exports and Sanctions and Embargoes [no offence established]. | Customs - Offence (including Compound Penalty) for issues with Strategic Exports and Sanctions and Embargoes. | Customs - Strategic Exports and Sanctions |
| 9 | Engagements where no employment status issues arise or there are technical disputes about status, including where errors were found but were not careless. | Where there is an open enquiry on Engagement(s) where employment status found to be an issue, deemed careless or deliberate | Engagements involving historical and repeated employment status issues that are the subject of separate enquiries, where errors have been established and there is evidence of deliberate attempt not to comply. | Status |
| 10 | Money Laundering regulations - minor errors but no sanctions imposed, advice letter issued. | Money Laundering Regulations - errors and penalties imposed but not published on GOV.UK. | Money Laundering Regulations - errors and penalties imposed and published on GOV.UK. | Money laundering regulations |
| 11 | National Minimum Wage regulations - compliant with NMW regulations, or minor breach. | National Minimum Wage Regulations - failure to pay NMW established and there is evidence of attempts to obstruct officers and/or repeated examples where there has been a refusal to answer any questions, furnish information or produce documents when required to do so. Not published by DBT on GOV.UK. | National Minimum Wage Regulations - Failure to pay NMW established and named by DBT on GOV.UK. | National Minimum Wage |
| 12 | Errors in claims that have been rectified. | Overclaimed amount due to error that has not been repaid. | Fraudulent claims and/or evidence Deliberate behaviour. | HMRC administered Covid-19 schemes - Coronavirus Job Retention Scheme (CJRS), Self-Employment Income Support Scheme (SEISS), Eat Out to Help Out (EOHO) |