Skip to main content

Key words and phrases

This document relates to the draft Visitor Accommodation (Register and Levy) Etc. (Wales) Bill and should be considered alongside it. The following key words and phrases are used throughout.

Exemptions

Accommodation types that will not be subject to a visitor levy.

Local authority/ local authorities

The 22 Principal Councils in Wales, also referred to as Unitary Authorities.

Nil rates

A stay in visitor accommodation which is levied at a rate of £0.

Refunds

When the visitor levy has been passed on to a visitor and the legislation permits them to have the amount subsequently refunded.

Sustainable tourism

Tourism that takes full account of its current and future economic, social and environmental impacts, addressing the needs of visitors, the industry, the environment and host communities. (United Nations World Tourism Organisation).

Visitor

A person who stays in visitor accommodation.

Visitor accommodation

Visitor accommodation that is defined in law that is subject to a visitor accommodation provider registration.

Visitor accommodation provider (VAP)

A person/business who provides or offers to provide visitor accommodation at premises in Wales in the course of trade or business.

Visitor levy

An additional charge on overnight visitor accommodation. This is also referred to in other countries as a tourism tax, accommodation tax, or hotel tax.

WRA

This stands for the Welsh Revenue Authority, a non-ministerial department of Welsh Government that currently deliver the 2 devolved taxes in Wales: Land Transaction Tax and Landfill Disposals Tax.

Step 1: Identifying the need for a DPIA

1.1. The Visitor Accommodation (Register and Levy) Etc. (Wales) Bill is primary legislation that establishes a register of people who provide visitor accommodation at premises in Wales. It also grants local authorities the power to introduce a levy on overnight stays in visitor accommodation, should they choose to do so.. This data protection impact assessment (DPIA) has been developed to assess the implications of these proposals.

1.2. The Information Commissioner’s Office (ICO) and Article 36(4) (of the UK GDPR) assessment confirms the proposals involve collecting personal and special category data. Therefore, it is appropriate that a DPIA is developed. The Article 36(4) form was submitted to the ICO on 10 November 2023 and the Welsh Government committed to providing further detail on the proposal (via a DPIA) ahead of the closure of the Article 36(4) process.

1.3. This assessment considers compliance risks, but also broader risks to the rights and freedoms of individuals. It assesses the level of risk - considering both the likelihood and the severity of any impact on individuals. It also helps to minimise risks and assess whether remaining risks are justified, necessary and proportionate. The assessment is a vital part of data protection by design. It aims to build in data protection compliance and influence how the proposal is developed and implemented.

1.4. This DPIA has been completed to describe what we consider the data protection and privacy implications of the legislative provisions to be. Many of the details will be provided for in subordinate legislation yet to be prepared (and which will be dependent upon the Bill receiving Royal Assent). This DPIA sets out in broad terms what is likely to be provided for in the subordinate legislation. Provisions in the Bill relating to the administration of the levy are set out in the Bill for scrutiny by the Senedd. Provisions for the administration of the register will follow through regulations.

1.5. This is a living document which will be kept updated in line with any policy or legislative changes. It has been developed alongside co-construction of the policy with stakeholders. This version of the document reflects the bill as introduced to the Senedd in 2024.

1.6. Also of note is that the Bill establishes a power for local authorities to use if they wish. In exercising this new power, local authorities must have regard to their existing statutory duties under the Data Protection Act 2018. Similarly, any new data collection required by the Bill is without prejudice to the UK General Data Protection Regulation (UK GDPR) of which all organisations involved must adhere to.

1.7. The Welsh Government has engaged with a range of stakeholders throughout the development of the policy. A formal public consultation was conducted for 12 weeks between September and December 2022. Engagement with members of the public, local authorities, tourism businesses, the wider business community and other stakeholders was encouraged. In addition to this engagement, we reached out to stakeholders in Europe to learn about the variety of tourist tax approaches across Europe.

1.8. The details and outcomes of the public consultation can be found in the summary of responses. To sit alongside this, the consumer insight research sought the views of Welsh residents and UK domestic holiday consumers about a visitor levy.

Step 2: Policy proposals

2.1 The Welsh Government is introducing legislation to enable local authorities to introduce a visitor levy in their areas, which is a priority commitment within the Programme for Government. The levy will be a fair contribution made by visitors and applied to overnight stays in visitor accommodation. It will raise additional funds for local authorities to reinvest in the public services and infrastructure that make tourism a success. Each local authority will have the power to decide to introduce a levy in its area, meaning this will be a new, local levy designed in a way that works for residents, businesses, and visitors.

2.2 The levy has been kept simple but fair in design to help minimise any potential negative impacts. We anticipate it will have a positive impact for local areas that choose to use a levy by generating revenue to support local areas, thereby enhancing the reputation of the destination and supporting the visitor economy. The policy intent behind the introduction of a levy is threefold:

  •  Ensure costs to fund local services and infrastructure are shared more equitably between visitors and residents.
  • Provide additional revenue to local authorities that choose to introduce the levy to support sustainable tourism, supporting investment into the area and helping to mitigate the negative externalities that tourism presents.
  • Increase local autonomy and decision making on sustainable tourism spend.

2.3 The visitor accommodation provider (VAP) is liable for paying the levy. It will be a per person, per night charge, for all individuals staying in visitor accommodation. In practice, this means the VAP can ‘pass on’ the levy cost or choose to absorb it.

2.4 The Bill requires all VAPs to register any types of visitor accommodation they offer in Wales. This is the case even if the local authority area they are operating in has not implemented the levy. The register will support the administration of the levy. It will also help the Welsh Ministers to better understand the sector to help inform future policy interventions.

2.5 The purpose of having a register of visitor accommodation providers incorporated within the Bill is twofold. Primarily, it will help us understand who should be remitting the levy in a local authority area and will satisfy registration requirements for that scheme. Secondly, it will provide a single source of data of all visitor accommodation available across Wales, providing an accurate, comprehensive and up to date dataset.

2.6 The levy will be collected and managed centrally as a function of the Welsh Revenue Authority (the WRA) on behalf of local authorities. The registration powers will be a function of Welsh Ministers, who will be able to ask another organisation to carry out those powers.

Step 3: Collection of personal data

3.1 Part 2, paragraph 4(1) establishes a duty on Welsh Ministers to keep a register of visitor accommodation providers (VAPs). Part 3, paragraph 21 amends the Tax Collection and Management (Wales) Act 2016 (TCMA) to extend WRA’s tax management and information collection powers for levy purposes and to extend WRA’s information sharing powers to bring them in line with HMRC’s information sharing powers.

3.2 Therefore, we have relied on UK GDPR Article 6(1)(e) where “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” as the statutory basis for processing the data. There are three instances where the Bill creates powers to process personal data:

  • The creation of a register, part of which may be published
  • The collection and management of the levy
  • Processing refunds.

3.3 During the assessment we have looked at the nature of the processing of data for each of the new powers. We have also considered any risks and how these may be mitigated. The assessment covers:

  • the powers the Bill has to collect, use, store and delete data and set out how the data may be shared.
  • the nature of the data, as it includes special category or criminal offence data in some situations;
  • how much data will be collected and used, how often it will be collected and how long it will be kept for.
  • the context of the processing, especially its impact on individuals.
  • the purpose for the data, what the Bill sets out to achieve and what the benefits are of processing.

3.4 The Bill confers a duty on Welsh Ministers to keep a register of visitor accommodation providers. It also gives the Welsh Ministers powers to make further provisions about the register, including procedures for registration (Part 2, paragraph 7(b). This means the Welsh Ministers will be the data controller of the register. If Welsh Ministers, ask another organisation to carry out those powers, that organisation will be the data controller.

3.5 The WRA will be the data controller for the functions related to the levy. Operational delivery of these functions will be subject to further screening of the impacts on data protection. The VAPs are already data controllers for the information they collect about their visitors. They are bound by their relevant responsibilities under the data protection legislation. The Bill does not require that VAPs collect any data that they do not already collect through their booking process. Furthermore, it is intended that personal data of their guests that they may have collected shall not be shared when VAPs file visitor levy returns and pay the visitor levy – further details provided below.

3.6 Local authorities will not be responsible for any part of the administration of the register of VAPs or the levy. They will not receive any personal data from the WRA. The only personal data available to local authorities will be that which is available should the register be made public. The WRA may provide aggregated data about the number of VAPs in a local authority area, as well as information about the amount of visitor levy a local authority will receive. There will be no data processors.

A register of visitor accommodation providers

3.7 Part 2, paragraph 5 sets out that visitor accommodation providers (VAPs) will be required to register. The function of keeping the register is conferred on the Welsh Ministers, and the Bill allows the Welsh Ministers to make further provisions about the register.

The collection and use of the data

3.8 The Bill requires VAPs to give personal information as part of the requirement to register. The personal information required (Part 2, paragraph 4(2) refers) is the VAP’s name, their proper address and any trading name they use, and the name and address of any premises where they provide visitor accommodation in Wales. Information will also be collected on the types of visitor accommodation that a VAP is providing on a registered premises as this information is necessary to ensure that local authorities are able to determine the level of visitor accommodation in their area, to support their decision to apply the levy.

3.9 Part 2, paragraph 6 allows the Welsh Ministers to publish information held by the register. One of the intentions, as the time of writing, is to use this data for the purposes of analysis and promoting and/or undertaking research as a function under the Tourism Development Act 1969.

3.10 Finally, should a Bill be developed in the future to regulate the sector, any additional data sharing gateways necessary to simplify the process for stakeholders will be set out in a separate DPIA.

Maintenance and management of the data

3.11 Further data protection impacts will be covered by a separate DPIA at the operational delivery point. However, the intention is that the data for the register will be held to appropriate and most stringent UK government security and record-keeping standards. This will include working within a published retention and disposal schedule. The underlying system will support data sharing and application of any updates or rectification of errors in line with the UK GDPR and UK Data Protection Act (DPA)2018 legislation. As well as the legislation for this policy, privacy notices will outline this framework to users of relevant services and other interested parties.

Sharing data

3.12 As stated above, Part 2, paragraph 6 states that Welsh Ministers may publish, in such manner as they consider appropriate, information that is derived from the register. Operational delivery of the register will be subject to further screening of the impacts on data protection. This will initially be focused on the visitor accommodation types available in Wales. This is considered the most relevant information that visitors will have an interest in.

3.13 A regulation power has been included which enables Welsh Ministers to specify what information may be shared from the register and with whom. It is recognised that there will be significant benefits from sharing of the data for specified purposes as the legislative landscape for the tourism sector evolves. This will support a reduction in administrative burden and requiring multiple public bodies to request the same information from VAPs multiple times.

3.14 Any regulations proposed would need to be reasonable and lawful, and for this reason would be subject to separate DPIAs and consultation with the ICO. The proposed regulation power would ensure appropriate Senedd scrutiny for any further disclosure gateways from the register.

3.15 Most of the data on visitor accommodation that could be be published will already be in the public domain as they are trading in Wales. However, this is not easily found in one place currently. The Bill sets out the information required for the register and that the information can be published. At operational level, this will be subject to a further DPIA by the registration authority. It will also ensure compliance with Article 6(1) of the UK GDPR by preparing privacy notices to outline the framework for these to users of relevant services and other interested parties.

3.16 Public information from the register will support local authorities with decision making related to the visitor levy. The register will enable them to have the data and intelligence on visitor accommodation types in their areas.

Nature of the data

3.17 An entry on the register will only collect personal data about a VAP and their business (Part 2, paragraph 4(2) refers). There will be no requirement for special category or criminal offence data. The type of personal data to be collected is commonly used for similar registration schemes across the UK.

Data to be collected

3.18 The data which will be collected is set out in Part 2, paragraph 4. Welsh Ministers have powers to vary this as provided for in paragraph 7, but should this be necessary, it will be subject to further consultation with the ICO.

3.19 The data is required to maintain the accuracy of the register, so there is a means of contacting VAPs for compliance issues and progressing enforcement.

Scale of the data collection

3.20 There is currently no complete data to accurately estimate the scale of the data collection. For example, the Inter-Departmental Business Register (IDBR) (partial regulatory impact assessment) indicates there are around 1,615 VAPs in Wales who are registered for VAT. But the Welsh Government’s Bedstock data report in August 2022 identified 16,600 accommodation establishments. Therefore, as a liberal estimate we have concluded there are roughly 30,000 VAPs with properties in Wales.

The requirement for the data

3.21 The Bill requires VAPs to register when trading in Wales. The data will be processed as strictly required in line with statutory functions and obligations as set out within legislation.

3.22 The register impacts VAPs, and so children and other vulnerable groups are not expected to interact with the register.

3.23 All data in the register will be maintained to confirm that only those trading will remain on the public register. There will be adherence to the data minimisation principles with regards to the information to be made available on the public register so that only information within the public interest is available to view.

Current state of technology

3.24 As a data controller, the Welsh Ministers follow strict security standards and treats the security of data very seriously. This includes robust procedures to safeguard and secure the information collected.

The reason for processing

3.25 The primary purpose of the register is to support the collection and administration of the levy. This will support ongoing local authority decision making related to the use of a visitor levy by enabling more effective impact assessments through better data quality. In addition, it will provide data and intelligence to the Welsh Government and local authorities to support future developments in tourism and other policy areas.

The benefits of processing

3.26 Publication of a part of the register is intended to provide a transparent, authoritative and trustworthy single source of information to visitors and other stakeholders which is not currently available.

3.27 While there are already existing publications available for local authorities to assess the size of visitor accommodation i.e. council tax premium rates, non-domestic rate applications, Bedstock survey, they are based on a snapshot of information collected over different periods of time and require significant assessments of multiple datasets which may not provide a single source of actual operators in real time.

3.28 The register will provide an additional benefit for both Welsh Government and local authorities. The data will give intelligence about the tourism sector, which is not currently available. In turn this will provide a foundation for other policies particularly for the tourism and housing sectors.

3.29 The Bedstock survey that is currently used for statistical analysis is conducted in collaboration with local authorities and is heavily reliant on the ability of local authorities to be able to contact tourism operators and persuade them to complete a questionnaire.

3.30 Local authorities may also consider using existing datasets to assess the viability of the levy, such as council tax information and any paid for supplier information. However, as Gwynedd Council confirmed in their assessment of Article 4 Direction (Paragraph 2.22):

The evidence above proves that gathering accurate and complete information in relation to the number of holiday homes is difficult as the holiday home market is unregulated. Although Council Tax figures are considered to be the most accurate source of information, it is not entirely reliable and is dependent on holiday home operators applying the correct council tax/non-domestic business rate category for their property. The inconsistencies between the Gwynedd Bed Stock Survey, 'Transparent Data' and the Council Tax figures highlight this problem.

3.31 The register goes some way to provide more accurate information, which will support better informed evidence gathering for any future policy interventions. This will either be in conjunction with, or as a possible replacement to, existing data collection surveys.

Collection and management of the visitor levy

3.32 In addition to their current tax powers, Schedule 1 introduced via section 21 of the Bill will amend the WRA’s functions enshrined in the Tax Collection and Management (Wales) Act 2016 (the TCMA). The obligations expected of taxpayers shall apply to VAPs collecting the levy to enable them to collect and manage the levy. Part 3 of the Bill details the obligations places on VAPs in relation to the levy. VAPs will be required to submit levy returns and remit the monies to the WRA. The levy revenues will be remitted by the WRA to the local authority following the end of the tax year.

The collection and use of the data

3.33 The nature of the levy return and implementation will be developed by the WRA, in collaboration with the industry. As such, the WRA will be subject to a separate DPIA around the implementation of the levy in due course. However, the levy return element will only require aggregated information around the total number off overnight visitors and total number of those exempt from the charge for each VAP, over either a year or quarter.

3.34 Per section 2 of the Bill certain types of accommodation will be out of scope from the levy, for example, asylum seekers, mobile homes and Roma and Gypsy Traveller sites either by virtue of being explicitly exempted within the legislation or falling outside of the scope of the legislation as it is not captured by the definition of accommodation in Wales in the Act, nor provided in the course of trade or business. In these instances, the WRA will not require levy returns and the legislation will not expect records to be kept for compliance purposes and as such does not involve additional data collection.

3.35 By virtue of the Bill amending the TCMA. The obligations expected of taxpayers shall apply to VAPs collecting the levy one of these obligations is that per TCMA Part 3 Chapter 2 there will be record keeping requirements for VAPs (VAPs holding and using individuals’ personal information are also regulated by the Data Protection Act 2018, which sits alongside the UK General Data Protection Regulation), as well as penalties for VAPs that fail to keep records per TCMA sections 143 to 145. The WRA has the power to request this information per Part 4 of the TCMA should the WRA need to investigate the accuracy of levy returns.

3.36 Other types of information may be obtained in relation to WRA’s existing functions and used for WRA’s visitor levy functions, which is permitted under s16 of the TCMA 2016. For example, information obtained in the collection and management of Land Transaction Tax may support the WRA in knowing the date a VAP ceases to own a property and therefore might no longer be liable to pay the levy.

Maintenance and management of the data

3.37 The data will be held in a UK hosted cloud database, to appropriate and most stringent UK government security and record-keeping standards. This will include working within a published retention and disposal schedule. The underlying system will support data sharing and application of any updates or rectification of errors in line with the UK DPA 2018 legislation, as well as the legislation for this policy, and be backed by privacy notices.

3.38 Any further data protection impacts will be covered by the assessments the WRA will carry out to accompany the specifics nearer the implementation date.

Sharing data

3.39 Section 17 of the TCMA notes that WRA “...must not disclose protected taxpayer information (PTI) unless the disclosure is permitted under section 18”.

3.40 PTI is defined as:

information relating to a person (the “affected person”)—

  1. which was acquired by WRA or which was acquired by a person to whom any of the functions of WRA have been delegated in connection with those functions, and
  2. by which the affected person may be identified (whether by reason of the affected person's identity being specified in the information or being capable of being deduced from it).

3.41 The duty to collect and manage the levy on behalf of local authorities in Wales will be added to the WRA’s general functions at s.12(1) of TCMA. Sharing visitor levy data which amounts to PTI will also be constrained to those permitted disclosure stated in section 18 of the TCMA.

3.42 The WRA will continue to ensure that information shared is aggregated to ensure that it is non-identifiable unless it is allowed under section 18. For example, information is not PTI if it is about internal administrative arrangements of the WRA or of a person to whom WRA has delegated any of its functions.

3.43 As section 18 of the TCMA currently only allows WRA to disclose PTI in certain circumstances, any additional permitted disclosure would require an amendment to section 18.

3.44 Therefore as well as the Bill creating broader data collection and management powers in order to administer the levy, to support the WRA in the collection of the levy, and its existing taxes, the Bill intends to amend section 18 of the TCMA to extend the WRA’s information sharing powers.

3.45 This change will amend section 18 sub-section (1) of the TCMA, to include a permitted disclosure where this is made for the purposes of a function of WRA. However, an exception to that disclosure will prevent any possibility of disclosure to Welsh Ministers about taxpayers.

3.46 Any data sharing needs to be lawful and not contravene the Human Rights Act 1998. Of particular relevance is article 8 of the European Convention on Human Rights, which gives everyone the right to respect for their private and family life, home and correspondence.

3.47 However, Article 8 goes on to specify that there are exceptions to this right regarding prevention of disorder or crime and economic wellbeing of the country. For example, if a VAP fails to meet their statutory obligation to collect the levy and file returns, the WRA while undertaking their function to investigate must collect these monies. Therefore, it is viewed that sharing this data, and with the controls placed around it, would be proportionate. Additionally, such data sharing is proportionate to the economic wellbeing of the country and upholding the rights of others.

Nature of the data

3.48 The data required by the WRA for the purposes of exercising their general functions will be directed toward tax compliance. The data collected via the levy returns will not include any special category data as described in UK GDPR Article 9 or criminal and court records information as set out in UK GDPR Article 10. However, an investigation could discover special category data, which may be incidental (so discarded), or pertinent (and retained), to the investigation.

3.49 The information may be commercially sensitive as it provides an indication of the performance of individual businesses and each accommodation unit. The visitor accommodation sector in Wales ranges from large hotels to self-catering lets to campsites and caravans. This means individuals running small businesses will be collecting the levy as well as large hotel chains.

Data to be collected

3.50 Development work regarding what a levy return will look like and the guidance for VAPs is ongoing. However, the information expected to be provided in a levy return is as follows:

  • Accounting period dates
  • Aggregate amount of levy payable across the accounting period by local authority area
  • Number of leviable nights (i.e. total leviable nights which is number of leviable visitors x nights staying) by local authority area (without further details of those individuals)
  • Number of nil rated persons and nights during that period (without further details of those persons).

3.51 The WRA will have powers to investigate levy returns if concerns arise as to their accuracy. Powers such as the ability to open an enquiry into a return and to ask for further information from a levy payer are commonplace in tax administration activities. Furthermore, during an investigation by the WRA, further personal data may be collected via third party sources in a number of ways. These could include:

  • Third parties involved in a levy transaction or collecting the levy on behalf of VAPs (e.g. Airbnb or another online travel agent) may provide additional details about the correspondence address not previously known to the WRA.
  • Other third parties, such as Companies House or HMRC during an investigation if there is a suspicion of fraud or an outstanding debt is being chased, may disclose a VAP’s previous addresses.

Scale of the data collection

3.52 It is difficult to estimate the number of individuals that will have their criminal and courts records data disclosed as this will be pursuant to WRA investigations. The scale of WRA investigations will depend on the number of local authority areas that choose to switch on a levy.

3.53 The WRA will carry out their own DPIA when implementing the levy.

The requirement for the data

3.54 Collecting and processing personal data in relation to the WRA’s collection and management of the levy will be necessary to effectively administer the tax.

3.55 As part of their statutory function, the WRA will process the data required for tax collection and management purposes. However, that can only be done within the confines of the legislation.

3.56 The data collection relates to visitor accommodation providers. Any impact the levy would have on a specific group would be incidental to the administration of the levy by virtue of the member of that group being a VAP in a participating local authority area or through the investigation or refund processes.

3.57 The WRA already processes sensitive data for law enforcement purposes (WRA appropriate policy document). As the data controllers of the Land Transaction Tax and the Landfill Disposals Tax, it is not expected there would be any additional concerns around secure processing. More information about the WRA’s current processing of personal data is on their website (WRA privacy policy).

Current state of technology

3.58 As a data controller, the WRA already follows strict security standards and treats the security of data very seriously. They have robust procedures to safeguard and secure the information they collect, including regular training for staff to keep data safe.

3.59 They also limit access to personal information to those staff members who have a business or legal need to do so. There are also procedures in place to deal with any suspected breaches in data security.

3.60 The WRA is a fully cloud-based organisation and continually enhance their cyber resilience to protect external digital service users, such as taxpayers and agents, as well as their staff. They have a strategy in place to support this work. This covers the WRA’s ability to withstand cyber incidents, and the approach they would take to recover as quickly as possible.

3.61 Their approach to cyber resilience is guided by the National Cyber Security Centre (NCSC) guidance on IT infrastructure, devices, data and applications. They have recently strengthened their cyber resilience using an NCSC accredited independent third party to test their digital infrastructure and have renewed its Cyber Essentials Plus certification.

The reason for processing

3.62 Collecting and processing personal data in relation to the WRA’s collection and management of the levy will be necessary to effectively administer the tax and deliver the levy policy aims.

3.63 When it was enacted the TCMA intended to place far greater restrictions on when the tax authority could disclose PTI than is the case for other tax authorities in the UK.

3.64 Consequently, WRA has found, in some cases, it cannot disclose PTI even to the taxpayer affected. It can also be restricted in seeking relevant evidence from partner agencies, as requesting information on an individual or company may constitute a disclosure of PTI. Therefore, a ‘general functions’ gateway is required to enable the WRA to disclose information where required for the necessary operation of its functions, including the collection and management of the levy. Without this change, the following sets out how the restrictions might impact collection and management of the levy.

3.65 When undertaking enquiries into a number of returns filed by a taxpayer, the WRA receive information from a third party that suggests the VAP hasn’t been declaring all overnight stays on their levy returns. If WRA put the information to the VAP, the VAP will be able to work out that it came from the third party. WRA can’t share the information with the VAP and question the VAP about it because it will be a disclosure of the third party’s PTI (unless the third party gives consent which may not be forthcoming).

3.66 This leaves WRA in a difficult position whereby WRA is not able to provide the taxpayer with all of the evidence against them before closing the enquiry. This may prevent opportunities to resolve the case with the taxpayer and prompt an unnecessary appeal. It may also result in unfairness to the taxpayer as they are not able to respond to the evidence against them. Once the taxpayer appeals to the Tribunal, WRA will be able to share the evidence against them as disclosing PTI for the purposes of civil proceedings is a permitted disclosure (section 18(1)(e) TCMA).

3.67 As a result, the Bill includes an additional permitted disclosure of PTI, at s18 of TCMA, where a disclosure is made for the purposes of a WRA’s functions i.e. where it is required to support the WRA in its day to day operation of the levy and its existing taxes. This brings WRA in line with HMRC.

3.68 The information being disclosed will align to the data minimisation principle as only relevant information will be shared for the specific purposes. Additionally, there is public interest in this information being shared to ensure the rule of law is upheld and that there is fairness in treatment of those operating visitor accommodation.

The benefits of processing

3.69 To meet the function of collecting and managing tax without being able to communicate essential elements of a tax case to a taxpayer can impact the WRA’s compliance and enquiry activities. Without this change, this would also be the case for the levy. This sharing has a lawful basis as we have demonstrated the gateway is necessary to the exercise of the WRA’s functions.

3.70 To maintain the integrity of the tax system and the rule of law, it is necessary for the WRA to collect PTI and disclose this where necessary in relation to its functions. Therefore, it is proportionate and legitimate for the WRA to be able to disclose this information. Sharing the information would be in accordance with WRA’s functions, the lawful basis by which the information could be shared. WRA would not be able to share PTI more generally for other purposes that are not related to their functions unless permitted by section 18 of the TCMA

3.71 This was predominantly inspired by a desire to provide greater controls on the disclosure of sensitive and confidential information. The following scenarios are those the WRA has already encountered, or can foresee happening, due to this restriction in sharing PTI:

  • Scenario 1: to enter settlement negotiations with a taxpayer, the WRA may have to encourage taxpayers to appeal their cases to the Tax Tribunal so that WRA can rely on the civil proceedings gateway to share PTI and discuss settlement. This places an unreasonable administrative burden on the taxpayer and is not an appropriate use of Tribunal resource.
     
  • Scenario 2: requesting information from a third party about a named person. E.g. WRA wants to request information from Airbnb or another OTA about a levypayer. The request will include PTI as it will involve an identifiable person and it signals that WRA has an interest in that person . WRA could use their third party notice information powers to request the information but if the levypayer won’t consent to this, WRA will have to obtain approval from the Tribunal to issue the third party notice. If the OTA provides information in response to the third party notice but doesn’t want WRA to share the information they provide with the levypayer, WRA may not be able to share it and progress the enquiry effectively if there is no suitable gateway to use under s18 TCMA. HMRC on the other hand will be able to make this request if it is for the purposes of HMRC’s functions.

3.72 HMRC already have a ‘general functions’ gateway specified in section 18(2)(a) of the Commissioners of Revenues and Customs Act 2005. HMRC only use this power to disclose information which is necessary to carry out their functions. For example, this wouldn’t generally include sharing anything of substantial interest about one taxpayer to another taxpayer. It is just about being able to tell the taxpayer relevant information about the taxpayer’s case.

Refunds of visitor levy

3.73 Following extensive engagement undertaken by officials it was identified that there were some stays where the visitor levy should not be paid. However, it would not be appropriate for VAPs to record those stays given the sensitive nature of the data required to verify compliance with the legislation.

3.74 Where it is not possible or preferential for a VAP to apply a levy nil rate and have to make an assessment to that effect, refunds will be provided by the WRA. This includes a person staying overnight in visitor accommodation when unable to reside at their sole or main residence because of a risk to their health safety or welfare, stays by a person in receipt of a disability benefit accompanied by another person, and persons who at the time of the stay were otherwise homeless. All refunds will be optional (in the sense that where permitted by the law, specified persons can choose to apply for a refund from WRA of an amount equivalent to the levy that they incurred).

The collection and use of the data

3.75 Section 15 of the Bill will give the power for the WRA to issue refunds in the above scenarios. VAPs will not pass details of individuals staying in their premises to the WRA. Therefore, the refund will be initiated by the individual or charity who has paid an amount equivalent to the levy and is in receipt of evidence to demonstrate they qualify applies to the WRA for a refund. That process will result in individuals’ personal details, including some special category data, being held by the WRA. This will be subject to a DPIA by the WRA nearer the implementation date, when the specific information requirements are known.

3.76 Having a refund mechanism for these stays was determined to be a more proportionate and effective means of achieving the policy objectives. This is because of the consistency of treatment for visitors and that we could ensure appropriate safeguards are in place to handle and secure this information. In addition, we considered the adverse impact on VAPs for additional safeguards when processing special category data, most of whom will not routinely collect this information in the course of their business.

Maintenance and management of the data

3.77 The data will be held in a UK hosted cloud database, to appropriate and most stringent UK government security and record-keeping standards. This will include working within a published retention and disposal schedule. The underlying system will support application of any updates or rectification of errors in line with the UK DPA 2018 legislation, as well as the legislation for this policy, and be backed by privacy notices.

Sharing data

3.78 There will be no requirement to share the data collected via the refund process.

Nature of the data

3.79 Special category data will be collected necessarily to process and manage refunds of the levy for carers, homeless persons and persons who are unable to occupy their usual place of residence due to a specified emergency. The WRA operates within an accountancy regulatory framework (Managing Welsh Public Money) which requires a degree of verification with regards to refund claims being processed which necessitates the provision of qualifying evidence before refunds may be transferred. As such there are risks related to defrauding the public purse, therefore the WRA would need to have a high degree of assurance related to applications for refunds.

3.80 Importantly, all refundable scenarios within the Bill are optional. An individual will need to determine whether passing their personal data to the WRA for a refund outweighs the benefit of receiving a refund.

3.81 It is important to note when considering refunds that any stays over 31 days do not have to pay the levy.

Data to be collected

3.82 Development work regarding what information will be required from an individual seeking a refund is ongoing and will be subject to a DPIA carried out by the WRA. However, it is expected that this will include bank details and evidence of qualifying disability benefits, for example.

3.83 The Bill will give the power for the WRA to issue refunds in certain scenarios, including:

  • where a stay has occurred because a person is unable to reside at their sole or main residence because of a risk to their health safety of welfare
  • the stay is by a vulnerable person that has been organised by a charity (such as where the person is homeless or fleeing domestic violence)
  • a stay where a person has accompanied a disabled person in receipt of certain benefits.

3.84 Each of these scenarios will require the person making the claim for a refund to provide the WRA with evidence for the refund. This might include details of their identity, receipts of the levy charged and official documents such as a disability benefit acknowledgement or insurance document showing the usual place of residence was uninhabitable due to disrepair.

Scale of the data collection

3.85 It is difficult to estimate the number of individuals that will have their special category data disclosed as this will depend on the number of refunds initiated by visitors and the number of local authority areas that choose to switch on the levy.

3.86 The WRA will still carry out their own DPIA into the information they will need to retain for verifying personal data at the point of an individual applying for a refund, and the relevant person’s identity.

The requirement for the data

3.87 Collecting and processing personal data in relation to the WRA’s collection and management of the levy will be necessary to effectively administer the tax. As part of their statutory function, the WRA will process the data as strictly required for law enforcement purposes. However, that can only be done within the confines of the legislation. This gives those seeking refunds protection against the WRA processing data outside their legislative functions.

3.88 The data collection as a result of requested refunds is likely to include personal information about carers of children and other vulnerable people, including evidence of the disability or other health status of the person in their care.

Current state of technology

3.89 As a data controller, the WRA follows strict security standards and treats the security of data very seriously. They have robust procedures to safeguard and secure the information they collect, including regular training for staff to keep data safe.

3.90 They also limit access to personal information to those staff members who have a business or legal need to do so. There are also procedures in place to deal with any suspected breaches in data security.

3.91 The WRA is a fully cloud-based organisation and continually enhance their cyber resilience to protect our external digital service users, such as taxpayers and agents, as well as their staff. They have a strategy in place to support this work. This covers the WRA’s ability to withstand cyber incidents, and the approach they would take to recover as quickly as possible.

3.92 Their approach to cyber resilience is guided by the National Cyber Security Centre (NCSC) guidance on IT infrastructure, devices, data and applications. They have recently strengthened their cyber resilience using a NCSC accredited independent third party to test their digital infrastructure and have renewed our Cyber Essentials Plus certification.

The reason for processing

3.93 Collecting and processing personal data in relation to the WRA’s collection and management of the levy is necessary to effectively administer the tax and deliver the policy aims. The amendment to TCMA to extend the WRA’s information sharing powers is essential to delivering this.

Step 4: Consultation

4.1 A public consultation ran from September to December 2022 seeking views from the public and stakeholders on the Welsh Government’s proposal to introduce a discretionary levy for Wales. A summary of responses was published in March 2023.

4.2 There has been extensive engagement with those in the tourism and hospitality sector via a Business Reference Group, tourism industry representative groups via Regional Tourism Fora and the Visitor Economy Forum, the WRA and local authorities. Welsh Government officials have also engaged with online booking platforms, National Parks, third-sector organisations and administrations in other countries who have established visitor levies. Four in-person consultation events were held across Wales as well as a virtual event. An awareness campaign was launched with the public consultation to share information and encourage involvement.

4.3 Officials engaged directly with children and young people between 12 and 17 years old, seeking their opinions on the levy through discussions and role-play exercises. The consultation was accessible to a wide audience with a community and youth version published along with an easy read format.

4.4 Following the consultation, and in the lead up to the introduction of the legislation, the Welsh Government has continued to engage with representative groups who may be impacted by a levy. This targeted engagement was to gather more evidence regarding the potential impacts of the levy on various stakeholders, to clarify the policy and discuss mitigating any unintended consequences on those with protected characteristics, those based in rural areas and those from lower socio-economic backgrounds.

4.5 Engagement has been undertaken specifically in areas to inform our understanding of the lived experiences of the potential impact on vulnerable groups, as part of the development of the equalities impact assessment, children’s impact assessment, socio-economic impact assessment and Welsh language impact assessment.

4.6 We will continue to engage as part of the post implementation review of the legislation, and those local authorities that should decide to apply a levy in their area will also be required to monitor the impact of the levy on their communities.

4.7 We have also consulted with the ICO about the proposals, most recently on 23 September 2024. We discussed the importance of a DPIA, and how it will be a key tool to assess the necessity and proportionality of the proposals. It has been an important mechanism for identifying potential risks to the rights and freedoms of individuals, and to identify mitigations to lessen the risks that have been identified.

Step 5: Necessity and proportionality

5.1 The WRA has been selected as the appropriate authority to administer the levy as they already have comprehensive data management and governance systems in place for the devolved taxes as a data controller in compliance with the Data Protection Act 2018 and UK GDPR (the Data Protection Legislation).

5.2 Operational controls will be put in place to ensure storage of the information by the WRA is secure and managed appropriately. Processing will be limited to where it is necessary in order to comply with the legislation. The infrastructure to securely house data will be included in a separate DPIA.

5.3 A key element of the Bill’s design principles has been to minimise the collection of personal data wherever possible and also ensure appropriate data governance is in place where the collection of personal data is absolutely necessary. For example, the decisions surrounding those stays eligible for a refund being managed by the WRA rather than VAPs were born out of a principle to minimise the number of authorities required to collect and store personal data whilst ensuring integrity of the tax system.

5.4 Part 2, paragraph 7 of the Bill provides for Welsh Ministers to make supplementary regulations about the register, including procedures for registration. If this is enacted, these regulations will be subject to further consideration and  will include an appropriate privacy notice under Art.14 of the UK GDPR. This will outline how the information is used, for example to produce non identifiable statistics and who the data can be shared with.

5.5 The following measures have been incorporated into the draft proposals:

  • reduced scope of personal data collected; the data collected from each source is stated in the draft Regulations
  • managing, limiting and controlling access to the data (as specified within the draft Regulations)
  • protecting the classic ‘CIA triad’ (confidentiality, integrity, and availability) of personal data
  • resilience of processing systems and services, and the ability to restore availability and access to personal data, and
  • regular testing of the effectiveness of measures implemented.

5.6 Special category data as described in UK GDPR Article 9 will not be collected about VAPs during routine processes. However, an investigation could discover special category data, which may be incidental (so discarded), or pertinent (and retained), to the investigation. This also applies to Article 10 criminal and court records information, where an investigation could discover relevant information that the WRA would process.

5.7 The lawful basis for this processing is UK GDPR Article 6(1)(e), where the Bill amends TCMA to give the WRA the public task of collecting and managing the levy.

5.8 Processing of special category (Article 9) data in this circumstance will be limited to data that is relevant to an investigation or to the verification of a refund request. In both cases the WRA will be protecting public finances by either investigating that the correct levy amount has been paid or verifying a refund should be issued. The Bill will amend TCMA to give the WRA these functions to collect and manage the levy, therefore this processing would fall under UK GDPR Article 9(g), as it is necessary for reasons of substantial public interest on the basis of domestic law.

5.9    In addition to the points above, we consider that we meet the substantial public interest test by:

  • Collecting the levy as legislated for by Welsh Ministers for the purposes of meeting the policy intent outlined at the start of this assessment.
  • Ensuring fairness in the system by correcting and reducing errors so that the majority of levy payers who are compliant are not disadvantaged.
  • Protecting the integrity of the levy system by ensuring that levy payers try to comply and that evasion is not an easy option.

5.10 Processing of UK GDPR Article 10 data as described above will be allowed as it will be authorised by domestic law (the Bill will amend TCMA). UK GDPR Article 10(2)(a) references the DPA 2018 s10 and in accordance with DPA 2018 s10(5), we confirm we have an appropriate policy document in place as required under DPA 2018 Schedule 1, Part 2 s5(1), and the processing falls under DPA 2018 Schedule 1, Part 2 s6 – statutory and government purposes.

5.11 Refunding carers for levy per section 15 of the Bill paid will require the processing of their personal data and necessitate the processing of sensitive personal data of the disabled person for whom they provide care. A lawful reason for processing special category data relating to health includes doing so for reasons of substantial public interest (with a basis in law) per Article 9(2)(g) of the UK GDPR; processing sensitive personal health data for the purposes of avoiding any discriminatory impact in the operation of the levy fulfils this condition.

5.12 The lawful basis for this processing is UK GDPR Article 6(1)(e), where the Bill amends TCMA to give the WRA the public task of collecting and managing the levy.

5.13 Processing of special category (Article 9) data in this circumstance will be limited to data that is relevant to an investigation (above) or to the verification of a refund request based on the principle of data minimisation. In both cases the WRA will be protecting public finances by either investigating that the correct levy amount has been paid or verifying that a refund should be issued.

5.14 These would fall under UK GDPR Article 9(g), where processing is necessary for reasons of substantial public interest on the basis of domestic law (the Bill will amend TCMA to give the WRA these functions to collect and manage the levy). These will be explained in the relevant privacy notice to provide appropriate transparency.

Step 6: Identification and management of risks

6.1 It is important to note that the implementation of the visitor levy and national register of visitor accommodation will be subject to a separate DPIA to outline the risks at a closer operational level.

The risks identified
Describe source of risk and nature of potential impact on individuals. Include associated compliance and corporate risks as necessary.Likelihood of harmSeverity of harmOverall risk
Data breach through incorrectly publishing an extra field in the public register, or loss or breach of data in transmission.LowHighLow – there are extensive data governance and security frameworks in place to ensure the security of data
There is a risk of incorrect disclosure of Protected Taxpayer InformationVery lowHighVery Low – there are extensive rules about how taxpayer information may be used. Any persons making an unlawful disclosure would be subject to a potential criminal offence

Measures to reduce risks

6.2 Data minimisation has been at the forefront of the policy design for the Bill. Where possible the legislation has been designed to only require information to be provided by VAPs that is already collected by their booking processes or published publicly.

6.3 Furthermore, enlisting the WRA to collect and manage the visitor levy centrally ensures that VAPs will only ever have to interact with one body to ease the administrative burden of having to file multiple levy returns to different local authorities.  

6.4 Refunds rather than being managed by VAPs in the circumstances described above are to be managed by the WRA to ensure that any sensitive disclosures of personal or special category data are managed by a public body that on an operational level already have vast data security infrastructure and data protection accountability frameworks.
 

Step 7: Summary of the main data principles

7.1 This summary sets out the main principles we have applied to the data which will be created by this Bill.

Will the data be shared

7.2 The Bill gives the Welsh Ministers powers to make further provisions about the register, including whether it is shared. This means the Welsh Ministers will be the controller of the data for the functions related to the register, until such a time that the powers to vary this are enacted.

7.3 The Bill provides for parts of the register to be published. This will allow visitors to know whether the accommodation they are staying in is liable for the levy. It will also allow local authorities to use aggregate datasets for analytical purposes. Both of these will decrease the need for data sharing gateways and will be subject to further DPIAs.

7.4 We have also considered that the register may have the potential to help communications with the tourism sector in the event of a public health emergency. One of the areas being examined by the Covid-19 Inquiry UK in Module 2B, is the public health communications in Wales in relation to the control of the virus. We await the report on the module, but it is intended that the register may be able to fulfil any recommendations in this area outside of those already governed by the UK GDPR in the circumstances of an emergency.

7.5 As outlined in the permitted disclosures list within section 18 of TCMA, information from the levy returns may be shared with HMRC in connection to supporting their functions. This is commonplace in relation to tax administration and would only be undertaken when the necessary data governance and infrastructure is in place. This change will bring the WRA in line with HMRC’s information sharing powers and will decrease the need for data sharing gateways.

Does the proposal require a data sharing agreement

7.6 Any agreements will be subject to the usual data management and governance arrangements.

Has Legal Services confirmed that the basis outlined above provides the necessary statutory gateway for processing

7.7 This is new legislation and as such has been developed between officials and lawyers to ensure that there is necessary gateways for sharing.

Will the proposal involve new or significantly changed processing of personal data

7.8 The requirement on VAPs to register and on the WRA to collect and maintain the levy are new under this law. Processing personal data about individuals will be necessary.

Will the personal data be consolidated, linked or matched with data from other sources

7.9 The taxpayer information will be linked/matched, where possible, to existing information the WRA holds for its functions to support tax compliance activities. Section 16(2) of TCMA specifies that information acquired by WRA may be used in a connection with any functions of WRA. Privacy notices for which the WRA is responsible will be amended to reflect this in due course.

Will the personal data be used for automated decision making

7.10 The data will not be used for any automated decision making or systemic monitoring of anyone. Neither will it be subject to privacy-intrusive technologies such as biometrics or mobile phone tracking.

Does the proposal involve new or changed data collection, retention or sharing policies/practices

7.11 All the personal data being processed will require a combination of new policies and practices, which will include privacy notices and retention periods. These will be subject to further DPIAs as operational delivery is developed.

Will the proposal involve new or changed identity management or authentication processes

7.12 It is probable that VAPs will be required to use multi factor authentication to access their WRA account to file a levy return for example. However, this will be subject to further DPIAs as operational delivery is developed.

Will the proposal have the effect of enabling identification of individuals who were previously anonymous

7.13 Many VAPs will already have their details in the public domain, due to the nature of their business. However, smaller VAPs, especially those using online services, such as Airbnb and booking.com, may otherwise have remained anonymous. In addition, anyone who requests a refund from the WRA will have to provide personal information to support their claim and will therefore no longer be anonymous. As detailed earlier, the refundable scenarios are designed to be quite narrow and used infrequently and are optional.

What is the statutory basis for processing the data

7.14 The Bill will be primary legislation in Wales, with provisions relating to the administration of the register and the levy. However, some administrative elements will need to be set out in secondary legislation.

Does the proposal require a contract between Welsh Government as data controller and a third-party processor?

7.15 The registration powers will be a function of Welsh Ministers, who will be able to designate another public body to carry out those powers. At this point, the designated body will become the controller. The levy will be collected and managed centrally as a function of the WRA on behalf of local authorities. Therefore, no third-party processor will be required.