Memorandum of Understanding: accessing HMRC information to assist Foreign, Commonwealth and Development Office honours committees in making recommendations about awarding honours to individuals
Published 19 October 2023
© Crown copyright 2023
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/sharing-hmrc-information-to-assist-the-honours-committees-recommendations/memorandum-of-understanding-accessing-hmrc-information-to-assist-foreign-commonwealth-and-development-office-honours-committees-in-making-recommend
1. Introduction
This Memorandum of Understanding (MoU) sets out the information sharing arrangement between HMRC and the Foreign, Commonwealth and Development Office. For the context of this MoU ‘information’ is defined as a collective set of data and/or facts that when shared between the participants through this MoU will support the participants in delivering the purpose of the data sharing activity described below.
Information will only be exchanged where it is lawful to do so. The relevant legal bases are detailed within this agreement. It should be noted that ‘exchange’ covers all transfers of information between the participants, including where one participant has direct access to information or systems in the other.
This MoU is not intended to be legally binding. It documents the respective roles, processes, procedures, and agreements reached between HM Revenue and Customs (HMRC) and the participants. This MoU should not be interpreted as removing, or reducing, existing legal obligations or responsibilities of each participant, for example as Controllers under the UK General Data Protection Regulations (UK GDPR).
2. Purpose and benefits of the data sharing agreement
HMRC considers that the disclosure of information to the Foreign, Commonwealth and Development Office is necessary and proportionate because it fulfils HMRC functions of collecting and managing revenue by:
- increasing the likelihood that the individual subject to the HMRC check will ensure that their tax affairs are in order and up to date
- increasing the likelihood that other individuals in a similar position will be influenced to rectify their tax affairs if they become aware that poor tax behaviour is not consistent with the award of an honour
- increasing the likelihood that taxpayers at large will maintain their trust in the integrity of tax administration by HMRC and comply with their tax obligations voluntarily if tax behaviour is seen as a factor when considering public reward and recognition via the honours system
- reducing the likelihood that taxpayers at large will lose their trust in the integrity of tax administration by HMRC and so fail to comply with their tax obligations voluntarily. Trust would likely be lost if an honour was awarded to someone with negative tax behaviours and those behaviours became linked to the positive recognition that accompanies the award of an honour
The Foreign, Commonwealth and Development Office considers that the disclosure of information to HMRC is necessary and proportionate because as part of the honours nomination process, probity checks are carried out to minimise the risk that prospective candidates have behaved in ways likely to bring the system into disrepute. This is intended to ensure recipients are in good standing and to protect the integrity of the honours system.
The purpose of this MoU is to set out the arrangements for the exchange of information between HMRC and the Foreign, Commonwealth and Development Office in relation to checks undertaken prior to making decisions about Honours awards. This MoU is not a contract or intended to create legally binding obligations.
Where a check has been carried out, the independent Main Honours Committees will take the risk rating from HMRC into account together with other information in order to reach a decision on whether to recommend the award of an honour to an individual.
The Foreign, Commonwealth and Development Office requests government departments including HMRC to undertake checks on individuals in order to inform the Honours committees’ recommendations on the suitability of individuals for an honour. Honours are given to reward outstanding service in a given field or area.
As part of the nomination process, the Foreign, Commonwealth and Development Office tries to minimise the risk that prospective candidates have behaved in ways likely to bring the system into disrepute. The Foreign, Commonwealth and Development Office protects the integrity of the Honours system by carrying out probity checks with other Government departments before names are submitted to the Prime Minister and HM The Sovereign for approval.
Nominees are not aware that they have been nominated or which specific checks may be carried out to validate their particular nomination. It should be clear to the public – both nominators and potential nominees – that poor tax behaviour is not consistent with the award of an Honour. Information on gov.uk is clear that checks with HMRC form part of the probity process for Honours assessments.
All information about an Honours nominee, received from any source, is treated in the strictest confidence by the Foreign, Commonwealth and Development Office Honours Secretariat and others involved in the assessment and selection of Honours nominees.
The benefits of disclosure by HMRC are enhanced by the existence of these checks being in the public domain on GOV.UK, so that those nominated for an honour (and hence subject to an HMRC check), individuals in a similar position and taxpayers at large may become aware that HMRC carries out checks to inform the decision to award an honour.
The benefits to HMRC functions outlined in the above section can be achieved through minimal disclosure of information in the form of a risk rating of low, medium and high reflecting the categories in Annex to this MoU and without disclosing any underlying detail about the tax affairs of an individual being considered for an honour.
3. Relationships under UK GDPR in respect of any personal data being exchanged under this agreement
HMRC and the Foreign, Commonwealth and Development Office
Status of HMRC under UK GDPR in respect of any personal data being processed under this agreement
HMRC will be disclosing and receiving personal data under this agreement.
Where personal data is being disclosed under this agreement, HMRC status will be a controller because HMRC alone determines the purpose and means of the processing of personal data.
Where personal data is being received under this agreement, HMRC status will be a controller because HMRC alone determines the purpose and means of the processing of personal data.
The Foreign, Commonwealth and Development Office under UK GDPR in respect of any personal data being processed under this agreement
The Foreign, Commonwealth and Development Office will be disclosing and receiving personal data under this agreement.
Where personal data is being received under this agreement, the Foreign, Commonwealth and Development Office status will be a controller because they alone determine the purpose and means of the processing of personal data
Where personal data is being disclosed under this agreement, the Foreign, Commonwealth and Development Office status will be a controller because they alone determine the purpose and means of the processing of personal data.
4. Handling of personal data and this will
Where participants bear the responsibility of a Data Controller they must ensure that any personal data received pursuant to this MoU is handled and processed in accordance with the current 7 UK GDPR principles.
Additionally as part of the government, HMRC and the Foreign, Commonwealth and Development Office must process personal data in compliance with the mandatory requirements set out in HM Government Security Policy Framework guidance issued by the Cabinet Office when handling, transferring, storing, accessing or destroying information assets.
Participants must ensure effective measures are in place to protect personal data in their care and manage potential or actual incidents of loss of the personal data. Such measures will include, but are not limited to:
- personal data should not be transferred or stored on any type of portable device unless absolutely necessary, and if so, it must be encrypted, and password protected to an agreed standard
- participants will take steps to ensure that all staff involved in the data sharing activities are adequately trained and are aware of their responsibilities under the Data Protection Act, UK GDPR and this MoU
- access to personal data received by participants pursuant to this MoU must be restricted to personnel on a legitimate need-to-know basis, and with security clearance at the appropriate level
- participants will comply with the Government Security Classifications Policy (GSCP) where applicable
Duration of the data sharing
Start date of agreement: 1 November 2021
End of date agreement: 22 April 2026
A review will take place on 22 April 2024.
Frequency and Volume of data being shared
Up to 100 nominees annually.
5. Legal basis and lawful basis
HMRC has specific legislation within the Commissioners for Revenue and Customs Act (2005) which covers the confidentiality of information held by the department, when it is lawful to disclose that information and legal sanctions for wrongful disclosure.
For HMRC, disclosure of information is precluded except in certain limited circumstances (broadly, for the purposes of its functions, where there is a legislative gateway or with customer consent.
Unlawful disclosure relating to an identifiable person constitutes a criminal offence. The criminal sanction for unlawful disclosure is detailed at section 19 of the Commissioners for Revenue and Customs Act 2005.
Data can only be shared where there is a legal basis for the exchange and for the purposes described in this MoU. No data should be exchanged without a legal basis and all exchanges must comply with our legal obligations under both the Data Protection Act 2018 and Human Rights Act (HRA) 1998.
Section 18 of the Commissioners for Revenue and Customs Act 2005 (CRCA) places HMRC under a statutory duty of confidentiality not to disclose information it holds in connection with its functions except in the circumstances permitted by section 18. Unlawful disclosure relating to an identifiable person constitutes a criminal offence. The criminal sanction for unlawful disclosure is detailed at section 19 of the CRCA.
Section 18(2)(a) of CRCA provides HMRC with the lawful authority to make a disclosure of HMRC information where it is for a function of HMRC and does not contravene any restriction imposed by the Commissioners. This enables HMRC to disclose information in order for HMRC to carry out its functions of collecting and managing revenue.
Article 6 (1) (e) of the UK GDPR: public task – the processing is necessary to perform a task in the public interest.
6. Details about the data sharing
Information identifying the individuals to be checked by HMRC is provided by named contacts in the Foreign, Commonwealth and Development Office Secretariat (‘Honours and Appointments Secretariat’).
Upon receipt of the information, HMRC will identify honours nominees and commission reports on the tax behaviour of such nominees. The reports are presented to senior HMRC officials who comprise the checking panel for the purpose of arriving at a risk rating. The checking panel use the behaviours contained within ‘Annex C – Risk rating matrix’ as a guide to determine a rating based on the level of potential reputational risk to HMRC and the likely adverse impact on tax compliance should the individual’s tax behaviour become generally known.
Data fields to be shared
The Foreign, Commonwealth and Development Office to HMRC:
- name
- address
- date of birth
HMRC to the Foreign, Commonwealth and Development Office:
- rating of low/medium/high – no reasons given for that rating
Source systems
For the Foreign, Commonwealth and Development Office: information provided from the nominee.
For HMRC: data held within HMRC compliance and head of duty systems.
Government security classification
Official sensitive – there is no special category data, sensitive data or criminal offence data being shared.
Method by which data will be transferred under this agreement
Both to and from Foreign, Commonwealth and Development Office and HMRC will be via Transport Layer Security email. Ratings are returned on a password protected document. The password is sent by separate email.
Accuracy of the data being shared
Before sharing data both participants must take all reasonable steps to ensure that the data being shared is both accurate and up to date.
The exporting department will ensure that data integrity meets their own department’s standards, unless more rigorous or higher standards are set out and agreed at the requirements stage.
Participants will notify each other of any inaccuracies of the data as they are identified.
Retention and destruction of data
HMRC
HMRC will hold the data in a restricted access-controlled SharePoint site and will retain the data in line with its policy. Data retention policy is either the standard default standard retention period for HMRC records, which is 6 years plus current, (otherwise known as 6 years + 1), unless there is another clear legal, statutory, regulatory, or business exception in place.
HMRC will delete data received from the Foreign, Commonwealth and Development Office via its O365 process.
The Foreign, Commonwealth and Development Office
Will only hold the information while there is a business need to keep it and in any event for a maximum of 12 months following the publication of the final honours list (with the exception that they may hold a record of the fact that a check was carried out and when).
The data held by HMRC is accessed only by those specific personnel who work on honours and who have BPSS clearance or above. This also includes those involved in tracing work, and report writing, who will have basic security checks or higher. They are also bound by the Official Secrets Act and HMRC Data Security.
The Foreign, Commonwealth and Development Office will keep the data disclosed by HMRC confidential and without limiting its legal obligations under Data Protection legislation.
Onward disclosure to third parties
The Foreign, Commonwealth and Development Office agrees to seek permission from HM Revenue & Customs before any onward disclosure of information to a third party and will only disclose any information if permission is granted.
The Foreign, Commonwealth and Development Office Honours Secretariat will keep the information disclosed by HMRC confidential and without limiting its legal obligations under Data Protection legislation or otherwise, will ensure that:(a) it only uses the information for the purposes that it is provided for namely, to inform a decision about whether to confer an honour on an individual ;(b) any individual’s HMRC risk rating of low/medium or high is not shared beyond the members of the Foreign, Commonwealth and Development Office Honours Secretariat and Main Honours Committee, the named honours contact in the No.10 Appointments Team and the Prime Minister; and (c) it does not onwardly disclose the information to any other parties.
The Foreign, Commonwealth and Development Office Honours Secretariat must approach HMRC first if they wish to onwardly disclose any data.
7. Role of each participant to the MoU
Role of HMRC:
-
identify the appropriate data required from HMRC IT systems/records
-
provide the data to participant 2 in as described transferred by secure Transport Layer Security Email from and to agreed contact points
-
only allow access to that data by the team requiring it
-
ensure that staff handle this data in line with the approved secure transfer method agreed by both departments and within HMRC data security instructions
-
only store the data for as long as there is a business need to do so
-
move, process and destroy data securely in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
-
comply with the requirements in the Security Policy Framework, and in particular prepare for and respond to Security Incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
Role of the Foreign, Commonwealth and Development Office:
-
identify the appropriate data required from HMRC
-
only use the information for purposes that are in accordance with the legal basis under which it was received
-
only hold the data for as long as there is a business need to do so
-
ensure that only people who have a genuine business need to see the data will have access to it
-
on receipt, store data received securely and in accordance with the prevailing central government standards, for example in secure premises and on secure IT systems
-
move, process and destroy data securely in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
-
comply with the requirements in the Security Policy Framework, and in particular prepare for and respond to Security Incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
-
if participant 2 adheres to a different set of security standards they must inform HMRC what these standards are and comply with any additional security requirements specified by HMRC
-
seek permission from HMRC before onward disclosing information to a third party other than those agreed
-
seek permission from HMRC if you are considering offshoring any of the personal data shared under this agreement
-
mark information assets with the appropriate government security classification and apply the baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, issued by the Cabinet Office, and as a minimum the top level controls framework – Security Controls Framework to the GSC
8. Monitoring, reviewing and arrangements
This MoU relates to a regular exchange that must be reviewed annually to assess whether the MoU is still accurate and fit for purpose.
Reviews outside of the proposed review period can be called by representatives of either participant. Any changes needed as a result of that review may be agreed in writing and appended to this document for inclusion at the formal review date. Technical changes necessary to improve the efficiency of the exchange that do not change the overarching purpose can be made without the requirement to review formerly the MoU during its life cycle but must be incorporated at the formal review stage.
A record of all reviews will be created and retained by each participant.
9. Assurance arrangements
HMRC has a duty of care to assure any data that is passed on to others. Processes covered by this MoU will be subject to annual reviews, from the date of sign off. HMRC may also choose to introduce ad hoc reviews.
Assurance will be provided by the annual completion of a Certificate of Review and Assurance. The assurance processes should include checking that any information sharing is achieving its objectives (in line with this MoU) and that the security arrangements are appropriate given the risks.
The Foreign, Commonwealth and Development Office agrees to provide HMRC with a signed Certificate of Review and Assurance within the time limits specified upon request.
HMRC reserves the right to review the agreed risk management, controls, and governance in respect of this specific agreement.
10. Security
The designated points of contact within each department are responsible for notifying the other participant in writing in the event of loss or unauthorised disclosures of information within 24 hours of the event.
The designated points of contact will discuss and agree the next steps relating to the incident, taking specialist advice where appropriate. Such arrangements will include (but will not be limited to) containment of the incident and mitigation of any ongoing risk, recovery of the information, and notifying the Information Commissioner and the data subjects. The arrangements may vary in each case, depending on the sensitivity of the information and the nature of the loss or unauthorised disclosure.
11. Subject access requests
In the event that a Subject Access Request (SAR) is received by either participant they will issue a formal response on the information that they hold following their internal procedures for responding to the request within the statutory timescales. There is no statutory requirement to re-direct SARs or provide details of the other participant in the response.
12. Freedom of Information Act 2000
Both participants are subject to the requirements of the Freedom of Information Act (FoI) 2000 and shall assist and co-operate with each other to enable each organisation to comply with their information disclosure obligations.
In the event of one participant receiving an FoI request that involves disclosing information that has been provided by the other participant, the organisation in question will notify the other to allow it the opportunity to make representations on the potential impact of disclosure.
All HMRC FoI requests must be notified to the Central HMRC FOI Team: foi.team@hmrc.gov.uk.
Signatories
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
Annex A – Glossary of terms
| Definition | Interpretation |
|---|---|
| Ad hoc transfer | Defined as being bulk data with a protective marking of restricted or above and the transfer is part of a pilot or project with a definitive end date. |
| Data controller | Has the meaning set out in Article 4 UK GDPR or, in respect of processing of personal data for a law enforcement purpose to which Part 3 of the Data Protection Act 2018 applies, the meaning in that part if different. |
| Data processor | Has the meaning set out in Article 4 UK GDPR or, in respect of processing of personal data for a law enforcement purpose to which Part 3 of the Data Protection Act 2018 applies, the meaning in that part if different. |
| Data Protection legislation | Means the General Data Protection Regulation, the UK GDPR, the Data Protection Act 2018 and all applicable laws and regulations relating to processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner. |
| Direct access | Covers an information sharing instance where the receiving department accesses the information via direct, or browser, access to the source system rather than as an extracted information transfer. This agreement will require specific terms and conditions ensuring that access is appropriate and correctly applied, managed and recorded. |
| Freedom of Information Act (FOI) | Freedom of Information Act 2000 and any subordinate legislation made under this Act together with any guidance and/or codes of practice issued by the Information Commissioner or Ministry of Justice in relation to such legislation. |
| Granting access | The governance and authority surrounding the authorisation of a person to have access to a system. |
| Human Rights Act 1998 | An Act to give further effect to rights and freedoms guaranteed under the European Convention on Human Rights. Public authorities like HMRC must follow the Act. |
| Information Asset Owner (IAO) | Means the individual within a directorate, normally the director, responsible for ensuring that information is handled and managed appropriately. |
| Law | Means any applicable law, statute, bye-law, regulation, order, regulatory policy, guidance or industry code, rule of court or directives or requirements of any regulatory body, delegated or subordinate legislation or notice of any regulatory body. |
| Provisioning access | The technical channels through which access is made possible, including the request tools associated with this. |
| Public sector body | This will generally be an other government department (OGD) but could be another public sector body (such as a local authority). Information sharing with a private sector body with which HMRC has a commercial relationship needs to be covered by a commercial contract, not a MoU. |
| Regulatory bodies | Means those government departments and regulatory statutory and other entities, committees and bodies which, whether under statute, rules, regulations, codes of practice or otherwise, are entitled to regulate, investigate, or influence matters dealt with in this agreement and ‘regulatory body’ shall be construed accordingly. |
| Senior Information Risk Owner (SIRO) | Provides high level assurance of compliance with HMRC’s Information Asset data protection obligations. HMRC’s SIRO is the HMRC Chief Digital and Information Officer, Director of Chief Digital and Information Officer Group. |
Annex B – Data protection processor relationships
What are data controllers and processors?
The Data Protection Act 2018, which draws on the definitions in Article 4 GDPR, defines these as:
The ‘data controller’ – a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.
The ‘data processor’ – in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
When processing data there will always be a data controller. This controller can establish a 3rd party relationship to assist in processing their data or process the data themselves. Should the controller establish a data processing relationship, this could take the form of a controller-processor, a controller-controller, or a joint controller relationship. Understanding the different 3rd party relationships and their respective requirements is essential to comply with data protection regulations.
It is important to note that the controller can process data but retain the title of controller. You are called a processor only when you are processing with entirely no qualities of a controller.
In summary, the data controller exercises overall control over the ‘why’ and the ‘how’ of a data processing activity, whilst the processor has no involvement in deciding the why and how.
What are the types of data protection 3rd party relationships?
There are 3 types of relationships between controllers and 3rd parties when carrying out the processing of data:
- controller – processor
- controller – controller
- joint controllers
Where personal data is processed there will always be a ‘controller’ – for example, a person (body/individual) who determines the purpose and means of the processing (Article 4(7)). They may do so alone or jointly with others.
How do I begin to define my processor relationship?
It can be challenging to understand both your role and the role of the party you are processing data with. There are different administrative requirements which need to be complied with depending on which type of relationship it is. Without complying you expose yourself to legal risk.
When assessing whether a party is a processor, data controller or a joint controller, the key question is who is determining the purpose and means of processing? In more user friendly terms, who is it that decides why and how personal data is processed?
How do I identify a data controller?
The term data controller is defined by Article 4 of the GDPR as the body/person which determines the means and purposes of processing, and processor is defined as a person/body who carries out processing on behalf of a controller.
To identify a data controller, consider:
- who establishes the lawful basis for collecting the personal data
- who decides what personal data to collect (for example, content of the data)
- who decides the purpose or purposes the data are to be used for
- who decides which individuals to collect data about
- who makes decisions about whether to disclose the data, and if so, who to
- who reviews and decides whether subject access and other individuals’ rights apply (such as applications of exemptions)
- who decides how long the data is kept for and whether to make routine amendments to the data
The above actions are those which would be undertaken by a data controller.
Who is the data controller when an organisation is required by law to process personal data?
When personal data is processed only for the purpose and means for which it is required by legislation to be processed, the person who has the obligation under that legislation to process the data is the controller, regardless of whether they appoint another party to carry out the processing. See s.6(2) of the DPA 2018, which is dealt with in less specific terms in the last part of the definition in Article 4(7) of the GDPR. This provision replicates section 1(4) of the 1998 Act.
Annex C – Risk rating matrix
The behaviour types listed are indicative only and not limited to these areas. Categorisation of an individual does not necessarily mean that HMRC considers the individual to have committed the example behaviour traits listed.
HMRC looks back over the last 5 years and seeks to apply the same objective standard to all candidates irrespective of individual circumstances or the nature or status of their vocation or achievements.
| Number | Low – No known tax behaviours considered likely to cause adverse public comment | Medium – Disclosure of tax affairs likely to cause adverse comment | High – Disclosure of tax affairs very likely to cause serious adverse comment | Summary |
|---|---|---|---|---|
| 1 | Past history of tax avoidance or evasion that relates to a tax year more than 3 years ago (or a shorter period at the panel’s discretion), that has since been fully settled. An open avoidance enquiry for just one year but relating to a period 5 or more years ago. At the Panel’s discretion, and in exceptional circumstances, where there is open avoidance that can’t currently be settled. In all cases no indication that the individual is engaged in further avoidance or evasion. | Currently has one or more open enquiry into use of avoidance where the customer has the opportunity to settle (unless assessed as low). | Currently has one or more open enquiry into use of avoidance, alongside a recent history of serial avoidance over 3 or more tax years. | Avoidance |
| 2 | Routine compliance checks, not more detailed investigations. Minor issues. Actively engaging with HMRC. | Currently or recently (closed within the last 3 years) subject to a COP 8 investigation into a serious tax loss and cooperating with HMRC. A lack of active engagement with HMRC in dealing with compliance checks, or other correspondence. | Not cooperating with a COP 8 investigation. Currently or recently (closed within the last 3 years) subject to a COP 9 investigation into serious tax fraud. Subject to a current or recent (closed within the last 10 years) criminal investigation. A historical and repetitive lack of active engagement with HMRC in dealing with compliance checks, or other correspondence. | Compliance checks and engagement with HMRC |
| 3 | All tax returns and payments up to date or where there are minor debts with active engagement to resolve them. | Outstanding returns, or payment arrears. No active engagement with HMRC to remedy the position. | A history of repeated outstanding returns, or payment arrears. No active engagement with HMRC to remedy the position. | Debt and returns compliance |
| 4 | No evidence of deliberate behaviour exhibited. | Deliberate behaviour exhibited. HMRC needs to or has needed to: use a production order/use a tribunal approved information notice/seek daily penalties for non-cooperation. | Currently within HMRC’s High Risk Wealthy Programme or High Risk Corporates Programme. Evidence of criminal activity, either current or recent. | Behaviours |
| 5 | Straightforward disputes involving technical or novel issues of contention. No evidence of boundary pushing. | Disputes where there is evidence of evasion. Evidence of boundary pushing, which goes beyond acceptable tax planning. | Evidence of offshore evasion. Currently within HMRC’s Managing Serious Defaulters Programme, or where the customer has been named on gov.uk following an HMRC intervention. | Tax planning arrangements and evasion |
| 6 | No involvement in illicit trades. | Not directly involved in illicit trades, but there is evidence to suggest was aware, or known or should have known of the possibility of such activity within their supply chain and does not take action to minimise it. | Direct involvement in illicit trades. | Illicit activity (for example: the commercial importation and/or distribution of counterfeit goods) |
| 7 | Errors identified that breach compliance with excise or customs legislation. Typically, those errors that are minor or where no attempt made to deliberately mislead or evade customs officials. | Importation of goods requiring an appropriate licence without that licence having been obtained. No steps taken to mislead or evade customs officials. Repeated breaches of excise or customs legislation and failure to correct procedures and processes. | Deliberate attempt to smuggle goods with intent to evade excise and customs duty. Includes seizure of goods, no criminal conviction necessary. Deliberate attempt to smuggle drugs and other goods subject to Prohibitions and Restrictions. Includes seizure of goods, no criminal conviction necessary. | Customs |
| 8 | Customs - previous (within last 3 years)/current (open) compliance issues with Strategic Exports and Sanctions and Embargoes – routine compliance issues only. | Customs - Current (open) compliance issues with Strategic Exports and Sanctions and Embargoes [no offence established]. | Customs - Offence (including Compound Penalty) for issues with Strategic Exports and Sanctions and Embargoes. | Customs - Strategic Exports and Sanctions |
| 9 | Engagements where no employment status issues arise or there are technical disputes about status, including where errors were found but were not careless. | Where there is an open enquiry on Engagement(s) where employment status found to be an issue, deemed careless or deliberate | Engagements involving historical and repeated employment status issues that are the subject of separate enquiries, where errors have been established and there is evidence of deliberate attempt not to comply. | Status |
| 10 | Money Laundering regulations - minor errors but no sanctions imposed, advice letter issued. | Money Laundering Regulations - errors and penalties imposed but not published on GOV.UK. | Money Laundering Regulations - errors and penalties imposed and published on GOV.UK. | Money laundering regulations |
| 11 | National Minimum Wage regulations - compliant with NMW regulations, or minor breach. | National Minimum Wage Regulations - failure to pay NMW established and there is evidence of attempts to obstruct officers and/or repeated examples where there has been a refusal to answer any questions, furnish information or produce documents when required to do so. Not published by DBT on GOV.UK. | National Minimum Wage Regulations - Failure to pay NMW established and named by DBT on GOV.UK. | National Minimum Wage |
| 12 | Errors in claims that have been rectified. | Overclaimed amount due to error that has not been repaid. | Fraudulent claims and/or evidence Deliberate behaviour. | HMRC administered Covid-19 schemes - Coronavirus Job Retention Scheme (CJRS), Self-Employment Income Support Scheme (SEISS), Eat Out to Help Out (EOHO) |