Transparency data

Data Usage Agreement: Cabinet Office Internal Fraud Pilot

Published 19 October 2023

This Data Usage Agreement between HMRC and Cabinet Office for the internal fraud pilot was agreed and put in place in 2019.

1. Conditions of disclosure of information by HMRC

Cabinet Office collect data on individuals who have been dismissed from the Civil Service for committing internal fraud against their department of employment. Cabinet Office will disclose personal information to HMRC by virtue of section 56 of the Digital Economy Act. HMRC will match Cabinet Office internal fraud data to PAYE RTI data. Where HMRC have evidence that an individual has gone on to obtain employment in the Civil Service or wider public sector since the date of their dismissal, HMRC will disclose anonymous information to the Cabinet Office that indicates the extent of this, by virtue of the legal basis section 74 of the Digital Economy Act for the purposes of taking of action in connection with fraud against a public authority’, including i) preventing and detecting crime (s.56(4)(a) and (b) respectively); and ii) developing the policy for internal fraud, which comes under ‘taking administration action as a result of fraud of that kind’ (s.56(4)(f)) on the condition that the Cabinet Office undertake a data protection impact assessment (DPIA) prior to data processing.

Legal gateway approved: 8 August 2019

1.1 Definitions

Agreed purposes: as set out in clause 2 of this agreement.

Controller, data controller, processor, data processor, data subject, personal data, processing and appropriate technical and organisational measures: as set out in the data protection legislation.

Data protection legislation: all legislation and regulatory requirements in force from time to time relating to the use of personal data and the privacy of electronic communications, including, without limitation (i) the Data Protection Act 2018 (ii) the General Data Protection Regulation ((EU) 2016/679).

Permitted recipients: the parties to this agreement, the employees of each party required to perform the agreed purposes, any third parties engaged to perform obligations in connection with this agreement as agreed by the parties.

Shared personal data: the personal data to be shared between the parties set out in clause 3 of this agreement.

1.2 Purpose

The Cabinet Office has a responsibility to manage the risk of internal fraud across government. To do this, the Cabinet Office runs the internal fraud policy, a cross-government initiative that collects and then recirculates details of civil servants who have been dismissed, or who would have been dismissed had they not resigned, for committing internal fraud. Checks against this data are built into pre-employment checks.

In order to develop the policy, the Cabinet Office would like to understand:

• whether the policy in its current format is working, and where it is not

This content has been withheld because of exemptions in the Freedom of Information Act 2000

• the level of fraud in the application for employment process - highlighting where individuals have failed to declare accurate reason for previous dismissal from employment

Using HMRC data, the pilot will seek statistical information that shows whether these individuals have gone on to obtain employment in the civil service or wider public sector since being found to have committed internal fraud. HMRC will return a data file under section 74 of the Digital Economy Act 2017 that shows the proportion of individuals who have, since the date of dismissal or commitment:

This content has been withheld because of exemptions in the Freedom of Information Act 2000

1.3 Data description

Data to be sent to HMRC:

This content has been withheld because of exemptions in the Freedom of Information Act 2000

Data to be processed for matching to HMRC records (this is the minimum required to identify the individual)
Name of staff member (forename and surname, single field)
National Insurance Number
Date of dismissal

HMRC will process this list of NINOs using RTI data. A categorical value (re-employment status) will be created, with the following values and confirm the number of individuals in each category: HMRC will provide the following data to the Cabinet Office:

This content has been withheld because of exemptions in the Freedom of Information Act 2000

• employed by an NHS or local government organisation
• employed in the private sector
• not employed

Based on the PAYE scheme the individual is employed by, this data will be queried by HMRC to produce the following outputs:

• a ‘current state’ table of the count of NINOs by re-employment status

This content has been withheld because of exemptions in the Freedom of Information Act 2000

• a ‘current state’ tabulation of employments by government department, with a grouped category for NHS/local government, and another for the private sector

• a tabulation of the employments by salary, banded into the following bands (lower band inclusive, upper band exclusive):

• £0 - £15k
• £15k - £30k
• £30k - £45k
• £45 - £70k

• £70k

• banded salary data is required for the purposes of estimating the grade of office employees who have previously committed internal fraud hold

1.4 Data security

Both parties agree to:

• move, process and destroy data securely i.e. in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
• only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information will have access to it
• only keep it for the time it is needed, and then destroy it securely
• not onwardly disclose that information without the prior authorisation of HMRC
• comply with the requirements in the Security Policy Framework, and be prepared for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
• mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, and in particular as set out in the Annex – Security Controls Framework to the GSC
• comply with ICO standards relating to data security breaches and follow due procedure when reporting and investigating breaches of this nature
• due to the criteria used to identify individuals included in the data, there is a likelihood that ‘special customer records’ may be included - this being the case the handling process must be appropriate for data of that classification and has been agreed with the SCR data guardian in advance of any data matching

1.5 Data flow

An overview of the data flow is provided as per annex b.

Both parties agree to

• ensure that the data match output file is sent by the Cabinet Office to

This content has been withheld because of exemptions in the Freedom of Information Act 2000

of HMRC - the data will be sent via government secure email, password protected, with the password sent independently of the data.

• ensure that the data match output file is sent by HMRC to

This content has been withheld because of exemptions in the Freedom of Information Act 2000

of Cabinet Office - the data must be anonymised and sent by secure email, password protected, with the password sent independently of the data - the data will be securely stored on Cabinet Office drives with limited access and password protected - HMRC will destroy Cabinet Office data upon confirmation of receipt of the matched file - the Cabinet Office will use the HMRC data to inform an evaluation report, which will be circulated among key stakeholders upon completion of the project - the Cabinet Office will retain HMRC data until completion of the pilot or 6 months after receipt, whichever is soonest

1.6 Data protection

All parties agree that HMRC and the Cabinet Office are both separately data controller, as defined by the data protection legislation for the personal data they provide to meet the agreed purposes.

Each party shall comply with all obligations imposed on a controller under the data protection legislation.

Each party shall:

• process the shared personal data only for the agreed purposes
• not disclose or allow access to the shared personal data to anyone other than the permitted recipients
• ensure that all permitted recipients are subject to written contractual obligations concerning the shared personal data (including obligations of confidentiality) which are no less onerous than those imposed by this agreement
• notwithstanding the measures at clause 4, ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
• not transfer any personal data received from any party outside the EEA unless the transferor ensures that:
• the transfer is to a country approved by the European Commission as providing adequate protection pursuant to article 45 GDPR,
• there are appropriate safeguards in place pursuant to article 46 GDPR, or
• one of the derogations from specific situation in article 49 GDPR applies to the transfer

Each party shall assist the other in complying with all applicable requirements of the data protection legislation. In particular, each party shall:

• promptly inform the other party about the receipt of any data subject access request
• provide the other party with reasonable assistance in complying with any data subject access request
• not disclose or release any shared personal data in response to a data subject access request without first consulting the other party wherever possible
• assist the other party, at the cost of the other party, in responding to any data request from a data subject and in ensuring compliance with its obligations under the data protection legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators
• notify the other party without undue delay on becoming aware of any breach of the data protection legislation
• delete or return shared personal data and copies thereof to the other party on in accordance with clause 5 or on termination of this agreement unless required by law to stare the personal data

1.7 Freedom of Information

All parties agree that if an FOI request relating to this information is made to any party, their FOI team will engage with the other parties FOI team regarding the potential impact of disclosure.

All parties agree that the responsibility and final decision on responding under FOI lies with the party that received the request for information.

All parties agree that if an FOI request relating to this information is made to any party, their FOI team will engage with the other parties FOI team regarding the potential impact of disclosure.

All parties agree that the responsibility and final decision on responding under FOI lies with the party that received the request for information.

If a SAR request relating to this information is made to either the Cabinet Office or HMRC, both parties will engage regarding the potential impact of disclosure.

1.8 Disputes

This content has been withheld because of exemptions in the Freedom of Information Act 2000

1.9 Annex a

This content has been withheld because of exemptions in the Freedom of Information Act 2000

1.10 Annex b

This content has been withheld because of exemptions in the Freedom of Information Act 2000

1. HMRC RIS team undertake data matching.
2. HMRC RIS team send the anonymous data matching output to Cabinet Office.
3. Cabinet Office review and investigate matches where the data indicates a risk of fraud.