Consultation on PSFA Civil Penalty Powers: Code of Practice
Consultation description
About this consultation
This consultation seeks feedback on the draft Code of Practice that will set out the administration of the Public Sector Fraud Authority’s (PSFA) civil penalty powers provided by the Public Authorities (Fraud, Error and Recovery) Act (PAFER) 2025.
Geographic Scope
England and Wales
How to respond
This consultation is hosted on an online survey platform called SmartSurvey. To respond to the consultation, please use the following weblink:
If, for any reason, you are unable to complete the consultation using the online platform, please contact psfa@cabinetoffice.gov.uk to request a Word Document version of the response template. Alternatively, you can post your response to us with the title, “PSFA PAFER Consultation” to:
Public Sector Fraud Authority
1 Horse Guards Road
London
SW1A 2HQ
If you require a copy of this consultation in Welsh please email psfa@cabinetoffice.gov.uk
Response
The government will publish a response to this consultation on GOV.UK within 12 weeks of its closing. If, for any reason, we are unable to respond to the consultation within 12 weeks, we will provide an explanation at the consultation page on GOV.UK about why this is not possible.
Background
The Act addresses the government’s ability to respond to public sector fraud by giving the PSFA new powers to pursue criminal and civil action. Civil penalties will be issued for fraud and for non-compliance with information sharing and gathering, and debt recovery measures within the Act. The Code of Practice sets out how these penalties will be determined and administered.
The introduction of a robust civil penalties regime shows that there are meaningful consequences for breaking the law even when criminal prosecution is not appropriate or achievable. Penalties will serve as an important deterrent to tackle fraud against the public sector and send a clear message to fraudsters that their actions have consequences. Civil penalties offer an alternative route to criminal prosecution, helping to remove some of the burden on the courts by offering alternative resolutions to fraud cases. Penalties may be applied to any fraud arising in any government department or public body but not HM Revenue and Customs (HMRC) or The Department for Work Pensions (DWP). This will enable the PSFA to respond appropriately to the facts of a case, deal with more cases, and act quickly against and prevent fraudulent activity within the public sector.
Basic information
Representations are welcomed from civil society, the private sector, public authorities, as well as professional bodies, interest groups and the wider public.
Why are we consulting?
This consultation seeks views on the draft Code of Practice about the PSFA’s administration of the civil penalty powers it will obtain from the Public Authorities (Fraud, Error and Recovery) Act 2025. Section 63 of the PAFER Act outlines a commitment to introduce a Code of Practice on the administration of these civil penalty powers before the first use of the powers.
After the consultation
The consultation will close on 27 February 2026. Following this, the government will respond to public consultation responses within 12 weeks.
Appendix 1: privacy notice
This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the General Data Protection Regulation (GDPR).
Your Data
Purpose
The purpose for which we are processing your personal data is to obtain the opinions of members of the public, parliamentarians and representatives of organisations and companies about departmental policies, proposals, or generally to obtain public opinion data on an issue of public interest.
The data
We will process the following personal data: name, address, email address, job title (where given), and employer (where given), as well as opinions.
We will also process additional biographical information about respondents or third parties where it is volunteered.
Legal basis of processing
The legal basis for processing your personal data is that it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In this case that is statutory consultation on departmental policies or proposals, or obtaining opinion data, in order to develop good effective policies.
Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The legal basis for processing your sensitive personal data, or data about criminal convictions (where you volunteer it), is that it is necessary for reasons of substantial public interest for the exercise of a function of the Crown, a Minister of the Crown, or a government department. The function is statutory consultation departmental policies or proposals, or obtaining opinion data, in order to develop good effective policies.
Recipients
Where individuals submit responses, we may publish their responses, but we will not publicly identify them. We will endeavour to remove any information that may lead to individuals being identified.
Responses submitted by organisations or representatives of organisations may be published in full, unless there is an expressed wish for comments to remain confidential.
Where information about responses is not published, it may be shared with officials within other public bodies in order to help develop policy.
As your personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide email, and document management and storage services.
We may share your personal data where required to be law, for example in relation to a request made under the Freedom of Information Act 2000.
Retention
Published information will generally be retained indefinitely on the basis that the information is of historic value. This would include, for example, personal data about representatives of organisations.
Responses from individuals will be retained in identifiable form for three calendar years after the consultation has concluded.
Where personal data have not been obtained from you
Your personal data were obtained by us from a respondent to a consultation.
Your Rights
You have the right to request information about how your personal data are processed, and to request a copy of that personal data.
You have the right to request that any inaccuracies in your personal data are rectified without delay.
You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.
You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.
You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
You have the right to object to the processing of your personal data where it is processed for direct marketing purposes.
You have the right to object to the processing of your personal data.
For any further details please visit the Privacy Notice for Cabinet Office Consultations here Cabinet Office Public Consultations
International Transfers
As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the European Union. Where that is the case it will be subject to equivalent legal protection through the use of Model Contract Clauses.
Contact Details
The data controller for your personal data is the Cabinet Office. The contact details for the data controller are:
Cabinet Office
70 Whitehall, London
SW1A 2AS
Public Enquiries: Online Contact Form
The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.
The contact details for the data controller’s Data Protection Officer are: dpo@cabinetoffice.gov.uk
Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or 0303 123 1113, or casework@ico.org.uk. Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.