How we handle personal data you provide us for transaction monitoring purposes, at the Welsh Revenue Authority (WRA).
To protect your data and our services, we operate transaction monitoring capabilities. This records how you connect to our systems, and what you do whilst you’re on them.
We only monitor you when you’re signed into our services.
Why we process your data
The WRA processes your data for transaction monitoring purposes to:
- keep your data safe, private and secure
- protect your data from people looking to use it for fraudulent and criminal purposes
- prevent fraud
- prevent, detect, investigate and prosecute civil and criminal activity
Data we collect
Transaction monitoring records information about you when you’re signed into our services.
We collect personal data about:
- the computers, phones or devices you use
- the internet connections you use
- what you do when you are on our services
- what you tell us
Transaction monitoring may collect your data even if you do not directly use our systems. For example, when an authorised tax agent or representative contacts us on your behalf.
How we process your data
When you sign in to one of our services, we create unique identifiers in the browser, application or device you’re using. We also give you a transaction monitoring cookie which we use to help recognise you and link you to your account.
The information we collect includes:
- unique identifiers
- browser type and settings
- device type
- operating system
- application version number
We also collect information about the interaction of your apps, software, browsers and devices with our services. This includes:
- your IP address
- date and time
- referrer URL of your request
We collect information about what you do in our services, such as:
- pages you access
- information you give us
We may also collect data about you from trusted security partners who provide us with information to protect against abuse.
We use this information to help improve the safety and security of our services. This includes detecting, preventing and responding to:
- security risks
- technical issues that could harm the WRA or our customers
Lawful basis for processing data
We collect and process your data as needed to carry out our official function as a government department. Also, to do so in the public interest, such as to prevent and detect crime and fraud.
As the WRA is permitted to carry out transaction monitoring without your consent under General Data Protection Regulation (GDPR) Article 6(1)(e), you cannot withdraw your consent.
When we may share your data with third parties
We will, in some circumstances and where the law allows, share your personal information with third parties.
When we detect crime, we may share information with:
- other law enforcement agencies
- government departments
- credit reference agencies
- anti-fraud groups
How long we keep your data
We keep transaction monitoring records for 7 years, in line with our Retention and Disposal Schedule.
Where you've held an account longer than the standard retention period, we may hold some account information which is older but still up to date.
GDPR lists certain rights that apply to you when your personal data is stored and used as described. These rights relate to the legal basis for processing the data and the purposes to which the data are put.
For this purpose, your rights are limited to the right to be informed, which this notice covers. Other rights may apply in some circumstances.
For any questions about this notice or your rights, please contact our Data Protection Officer.
Data Protection Officer
Welsh Revenue Authority
PO Box 110
Send complaints to this contact in the first instance. You can also complain directly to the Information Commissioner’s Office (ICO). The ICO is the UK supervisory authority for data protection issues
Information Commissioner’s Office Wales
17 Churchill Way
Telephone: 029 2067 8400 / 0303 123 1113
Changes to this privacy notice
Any changes to this privacy notice will be updated on this page, for example, any new uses of personal data.
From time to time, we may also contact you through other means about the processing of your personal data.