Last autumn Ministers announced there would not be a Council Tax revaluation in England in the lifetime of this Parliament. At the same time they announced that the VOA would commission an independent audit of its Council Tax database to assess compliance with the Data Protection Act (DPA).
VOA ran an open commercial tender process and appointed PricewaterhouseCoopers (PwC) as the independent auditor. PwC started its audit in February and concluded at the end of April. A copy of their final report is now published.
The audit found no major breaches of the DPA and that VOA policies and practices were predominantly conformant to the eight underlying principles of data protection. It found that the Agency collected data pertinent to fulfilling its legal obligations and had strong examples of good practice, for example the Agency’s security culture.
The report makes four key recommendations on where the Agency could further increase its compliance with the DPA and improve its existing internal processes; these are summarised below alongside our responses. The audit also outlined three other findings and recommendations. These have all been accepted by the Agency’s Board.
Key recommendations:
A: The codification and consolidation of VOA’s existing guidance into a single overarching policy statement and document. While the VOA has substantive and substantial guidance it can be piecemeal and sometimes is not easy to use or find.
VOA Response: VOA accepts this in full and will arrange for the formalisation and consolidation of the existing guidance.
B: Refresh the staff training package on data protection. The current training package was developed several years ago and whilst not out of date does need some freshening up and it would be useful to build this into induction training for new staff and refreshed training for existing staff.
VOA Response: We accept this in full and we will build this into our existing data security training for staff.
C: Formalise an audit programme around data protection.
VOA Response: We accept this in full and had, prior to the review, invited Internal Audit to review data protection compliance and this has been built into their programme of work for this financial year.
D: Within the codification and consolidation in recommendation (A) above clarify the categories of personal data between property data and people data. All data we collect on CT is personal data within the definitions of the Data Protection Act (DPA). This includes obvious personal people-based data like names, addresses, contact details etc. but also includes personal property-based data like property attributes, sales values etc.
VOA Response: We accept this in full and will build this into the codified and consolidated guidance mentioned above.
Copyright © 2025 · All Rights Reserved · Institute of Revenues Rating and Valuation