Consultation outcome

Information sharing code of practice: public service delivery, debt and fraud

Updated 1 March 2018

1. Overview (relevant for chapters 1, 3 and 4)

1. Part 1 of the Code of Practice sets out its purpose and status and gives other important information about requirements that you will need to understand if you wish to make use of the public service delivery, debt and fraud powers (chapters 1, 3 and 4 respectively) of the Digital Economy Act 2017.

1.1 About the Code of Practice

2. Part 5 of the Digital Economy Act 2017 introduces a number of new powers to share information to help make the digital delivery of government services more efficient and effective. Sections 35 to 39 (public service delivery), section 48 (debt owed to the public sector) and section 56 (fraud against the public sector) create specific gateways to share information for the purpose of improving public service delivery, and managing debt and fraud against the public sector respectively. While the Digital Economy Act 2017 provides a legislative gateway to share information, public authorities will need to have robust safeguards in place to ensure that people’s information is processed in a secure and appropriate way.

3. The purpose of this Code is to provide a set of principles and guidance for the use and disclosure of information under these powers. It also refers to other requirements when sharing information, and explains what these requirements are likely to mean in practice in the context of an information sharing arrangement under the Digital Economy Act 2017.

The Code’s status

4. The Minister for the Cabinet Office has issued this Code under sections 43, 52 and 60 of the Digital Economy Act 2017. It has been developed in consultation with the Information Commissioner’s Office, the Commissioners for Her Majesty’s Revenue and Customs, the devolved administrations and other interested persons, and will be laid before Parliament and the devolved legislatures in Scotland, Wales and Northern Ireland, in accordance with the Digital Economy Act 2017.

5. The Code does not itself impose additional legal obligations on parties seeking to make use of the powers, nor is it an authoritative statement of the law. It recommends principles and good practice to follow when exercising the powers set out in the Digital Economy Act 2017. Anyone sharing information under the Digital Economy Act 2017 is required to have regard to this Code when doing so. Government departments will expect public authorities and other participants in an information sharing arrangement to agree to adhere to the Code before any information is shared. Failure to have regard to the Code may result in your public authority or organisation losing the ability to disclose, receive and use information under the powers. In addition, there are criminal sanctions for disclosing personal information in ways that are not permitted by the Act.

6. This Code is required to be consistent with the Information Commissioner’s data sharing code of practice (‘the ICO data sharing code’) and should be read alongside it.[footnote 1]

Definition of ‘information sharing’

7. This Code uses essentially the same definition of ‘information sharing’ as the ICO data sharing code: the disclosure of information from one or more organisations to a third party organisation or organisations, or the sharing of information between different parts of an organisation. The ICO Code says that data sharing can take different forms including:

  • a reciprocal exchange of data
  • one or more organisations providing data to a third party or parties
  • several organisations pooling information and making it available to each other

8. While we consider the terms ‘information’ and ‘data’ to have the same meaning, “personal information” in the Digital Economy Act 2017 has a slightly different meaning to “personal data” in the Data Protection Act 1998. In this Code, personal information is information which relates to and identifies a particular person or body corporate (but which does not relate to the internal administrative arrangements of a person who may disclose or receive information under the Act).[footnote 2]

9. This Code provides a framework to help organisations understand their obligations on information sharing and data handling. If you follow the best practice and recommendations set out in the Code, this will help you to be compliant with the Data Protection Act 1998 and other relevant legislation.

However, you should seek your own legal advice to support specific information sharing arrangements.

Who should use the Code

10. All persons who are involved in disclosing or using information under the public service delivery, debt and fraud powers must have regard to this Code. A requirement to comply with the Code and a statement of compliance should be included in any information sharing agreement produced for such sharing.

11. Public authorities able to make use of these powers are set out in Schedules 4-8 of the Act. For further information, please refer to Part 1.3.[footnote 3]

1.2 Principles for data sharing

12. It is of vital importance that data is handled in a way that inspires the trust and confidence of citizens. The following principles support the security of data and privacy of citizens whilst enabling the delivery of better services and outcomes for citizens and government.

Principle | Stage of the data sharing lifecycle
--- | ---
1. Privacy impact assessments are carried out before any data sharing takes place and made available to citizens in line with ICO guidance. | Agreeing to Share
2. Information about information sharing agreements under the public service delivery, debt and fraud powers is made available to citizens in a searchable list, unless there are particular national security issues or other sensitivities which would outweigh public interest. | Agreeing to Share
3. Steps should be taken to minimise the amount of data shared, and ensure this is the minimum required for the purpose of achieving the specified objective, using methods which avoid unnecessarily sharing or copying of large amounts of personal information. | Agreeing to Share
4. Data is always held securely, to the appropriate security standards. | Hold
5. Data held is maintained to the appropriate quality and where appropriate citizens can view, correct and delete data held about them. | Hold
6. Data held can only be used for specified purposes. | Hold
7. The ethical issues around the use of data are factored into the decision-making process and any new data analysis techniques are assessed against the Data Science Ethical Framework. | Use
8. Relevant codes of practice (e.g. Technology Code of Practice and Code of Practice for Official Statistics) are adhered to when accessing and analysing data. | Use
9. Data is only kept as long as necessary and is then securely deleted. | Delete

13. All persons or parties using the public service delivery, fraud and debt powers are required to apply these principles when they do so. These are separate to the eight Data Protection Principles referenced in Part 1.3 of this Code which must also be adhered to. Further guidance on data standards, security, retention and disposal is provided in Part 1.3 below.

14. These principles are underpinned by four key requirements:

  • Before using the powers you must carefully assess whether disclosure is consistent with both the Digital Economy Act 2017 and the requirements set out in the Data Protection Act 1998 (and the General Data Protection Regulation when it comes into effect in the UK in May 2018). You should also have regard to the relevant Codes of Practice issued by the Information Commissioner.
  • You must only share the minimum data required to fulfil the stated purpose for sharing. Limit the amount of data copied or shared as far as you are able and where possible, use APIs to run binary checks (‘yes’ or ‘no’ answers) or exchange attributes.
  • Data sharing agreements should, subject to limited exceptions, ensure that where datasets are linked, it should be for the specified purpose and should not lead to the creation of new identity registers.[footnote 4] Information sharing agreements must include details of retention and destruction policies that prevent the retention or use of data for longer than it is needed or its use for any purposes other than those for which it was disclosed/received (subject to limited exceptions provided for in law).
  • You must be transparent about your use of the powers so citizens can understand what data is being shared, the bodies that are disclosing or receiving data, and why. Unless there are particular national security or other sensitivities which would outweigh the public interest in disclosure, information about information sharing agreements should be published in a searchable electronic public register. You must also adhere to the ICO’s codes of practice such as the one on privacy notices.

1.3 Information sharing and the law

How the powers work with other legislation

15. For information to be disclosed lawfully under the public service delivery, debt and fraud powers, you need to operate according to the Digital Economy Act 2017 and comply with other relevant legal requirements which are either overarching under UK law or which are expressly preserved by the Act. These include:

  • the Data Protection Act 1998
  • the General Data Protection Regulation (when it comes into force)
  • Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016 (and, until it comes fully into force, Part 1 of the Regulation of Investigatory Powers Act 2000)
  • the Human Rights Act 1998

    Where such requirements are fully complied with, other restrictions on disclosure, including any obligations of confidence which would otherwise apply, will not be breached.

    You should seek your own legal advice if you are unsure whether a proposed use of the public service delivery, fraud or debt powers is lawful.

    Unlawful disclosure of personal information by HM Revenue and Customs is subject to criminal sanctions set out in section 19 of the Commissioners for Revenue and Customs Act 2005. The Digital Economy Act 2017 extends that sanctions regime to offences under the Act which involve the unlawful disclosure of information received from HM Revenue and Customs.

Data Protection Act 1998

16. The Data Protection Act 1998 requires that personal data is processed fairly and lawfully and that individuals are aware of which organisations are sharing their personal data and what it is being used for. Some information disclosed under these powers will not constitute personal data: for example, data relating to deceased persons, businesses or information comprising only statistics that cannot identify anyone. The Data Protection Act 1998 will not apply in these instances, although its principles will often still be relevant and it may be practical to treat all information in the same way. Disclosures will still need to comply with the Human Rights Act 1998 (see below).

17. Public authorities will need to demonstrate that they are complying with the provisions contained in the Data Protection Act 1998, including adhering to data protection principles.

18. The Data Protection Act 1998 sets out eight principles which must be complied with when personal data is collected, held or otherwise processed.

Data Protection Principles

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
     • at least one of the conditions in Schedule 2 is met, and
     • in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met

  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

  4. Personal data shall be accurate and, where necessary, kept up to date.

  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

19. For more information about the Data Protection Principles read the ICO’s guide to data protection or contact your local data protection adviser.

The Investigatory Powers Act 2016

20. The Investigatory Powers Act 2016 provides a framework for lawful interception of communications, equipment interference, the obtaining and retention of communications data and the retention and examination of bulk personal datasets. Where relevant, any potential disclosure under the public service delivery, debt or fraud powers which would be prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016 would be unlawful and must not be made. Until that Act is fully in force, Part 1 of the Regulation of Investigatory Powers Act 2000 continues to apply.

Human Rights Act 1998

21. Public authorities must always ensure that data sharing is compliant with the Human Rights Act 1998 and must not act in a way that would be incompatible with rights under the European Convention on Human Rights.

22. Article 8 of the Convention, which gives everyone the right to respect for their private and family life, home and correspondence, is especially relevant to sharing personal information. Whilst sharing data relating to deceased individuals is not personal data under the DPA as outlined above, you should consider whether sharing this information could affect the right to private life of the relatives of deceased individuals.

Commissioners for Revenue and Customs Act 2005

23. Although the unlawful disclosure of information received from HM Revenue and Customs under the Digital Economy Act 2017 is governed by offences in that Act, those offences have been framed so that they are consistent with the protection for information under the Commissioners for Revenue and Customs Act 2005. Elements of section 19 of the Commissioners for Revenue and Customs Act 2005, which deal with the penalties for and prosecution of unlawful disclosure of Revenue and Customs information, also apply to relevant Digital Economy Act 2017 offences.

1.4 Understanding the public service delivery, debt and fraud powers

24. This part sets out the elements of the Digital Economy Act 2017 which apply across the public service delivery, debt and fraud chapters. It also provides further guidance on data standards, security, retention and disposal of data referred to in the data sharing principles (Part 1.2 of this Code).

Onward disclosure of information under the public service delivery, debt and fraud powers

25. Normally, information disclosed under these powers can only be used for the purposes for which it was disclosed. However there are very limited instances where information can be used by a public authority for another purpose. These circumstances vary between the powers but include:

  • if the information has already been lawfully placed into the public domain
  • if the data subject has consented to the information being used for the other purpose
  • for the prevention or detection of crime or the prevention of anti-social behaviour
  • for the purpose of a criminal investigation
  • for the purpose of legal proceedings
  • for the purposes of safeguarding vulnerable adults or children, or protecting national security

26. A different regime applies to personal information disclosed by HM Revenue and Customs, which would include information disclosed by the Valuation Office Agency (VOA). Personal information disclosed by the Revenue and Customs can only be used for purposes other than the purpose for which it was originally disclosed with the Revenue and Customs’ consent.

Which organisations can use the powers

27. The public service delivery, debt and fraud powers are permissive powers, which means the persons who are potentially able to share information under them can choose whether or not to do so. Those persons are “specified” public authorities and persons who provide services to specified public authorities who have themselves been specified. Only those persons listed in the schedules to the Digital Economy Act 2017 and the persons listed in sections 36 to 39 of the Act are able to disclose information under the respective powers.

28. For the public service delivery powers, there are three schedules: Schedules 4, 5 and 6 — one each for sharing under section 35 (public service delivery), section 36 (fuel poverty), and section 38 (water poverty). Because section 35 will allow sharing for more than one objective, when objectives are set out in regulations, those regulations will also say for which objective or objectives each person is specified. The specified persons for debt are set out in Schedule 7 and those for fraud in Schedule 8.

29. There is a definition of “public authority” for each power. The powers allow a person providing services to a public authority to share information as well as the public authority itself, on the condition that the service provider has also been specified. The schedules contain generic descriptions of such persons. For example, the public service delivery power includes in its schedule of specified persons “a person providing services in connection with a specified objective (within the meaning of section 35) to a specified person who is a public authority”.

30. A person providing services to a public authority can potentially be any person or body, such as a charity or company providing a defined service(s) to a public authority. For example, this could be a frontline service outsourced to a body outside the public sector to deliver. In addition to the conditions set out in the Digital Economy Act 2017 (including information security), the initial consideration in deciding whether to include such persons in a proposed information share is whether enabling the sharing of the relevant information between that organisation and other public authorities is necessary to achieve the desired objective.

Amending the list of persons able to use the power

31. The public service delivery, debt and fraud powers specify in Schedules 4-8 of the Digital Economy Act 2017 the public authorities that can use the powers. The Minister for the Cabinet Office, the Secretary of State or relevant minister from a Devolved Administration can make regulations to add, modify or remove a reference to a public authority or description of a public authority. Applications to amend the schedule for debt and fraud should be made through the secretariat.

Non-public authority duties

32. Where an information sharing arrangement proposes that information be disclosed to or received from a body which is not a public authority, the body should be asked to declare all potential conflicts of interest, for example from other work it does for public authorities or its own commercial interests. An assessment should be made of any conflicts of interest that the non-public authority may have, to identify whether there are any legal or reputational risks involved in sharing data with the organisation. If such risks are identified, appropriate steps should be taken to help reduce the risks to acceptable levels. If that cannot be done, information should not be shared with the body.

33. Non-public authorities can only participate in an information sharing arrangement once their sponsoring public authority has assessed their systems and procedures to be appropriate for secure data handling. Details will need to be set out in the privacy impact assessment, along with a statement of compliance with this Code of Practice in the information sharing agreement.

Data standards

34. Public authorities hold data in a number of different formats. When planning to share data, make sure that the data’s format and sharing protocol follow all the relevant standards set out in the Open standards for government data and technology and the API standards if at all possible, unless it would be disproportionate to do so.

35. You should check the accuracy of data prior to transferring it, in line with the Data Protection Privacy Principles. Organisations involved in an information sharing arrangement should also agree procedures and processes for:

  • correcting inaccurate data and making sure all bodies that the data has been transferred to correct it too
  • recording and capturing corrections for auditing purposes
  • contacting the data subject where appropriate

36. These requirements must be set out in the information sharing agreement. You will also need to apply your organisation’s procedure for correcting inaccurate data held on your own systems, including alerting officials responsible for data protection and any other teams that hold the relevant data on their systems.

37. Public authorities making their data available must make sure that they share the minimum amount of personal information required to properly fulfil the purpose for which it is being processed. Organisations must design and structure information sharing processes to avoid over-sharing, ie disclosing more information about individuals, or about more individuals, than is strictly required. Organisations should format as much of their output as possible into standardised minimal confirmations of specific questions (for example a yes/no answer in response to an eligibility check). Organisations must work with data recipients to understand their specific needs and how data access can be minimised.

Data security

38. Everyone who is involved in information sharing arrangements under these powers is required to comply with the security requirements in the Digital Economy Act 2017, the Data Protection Principles and other security-related requirements of the Data Protection Act 1998, and the additional security requirements in this Code.

39. There are three additional requirements in this Code:

  • public authorities and receiving parties must follow all departmental or local authority standards and protocols when providing or receiving information
  • each party involved in the data share must make sure effective measures are in place to manage potential or actual incidents relating to the potential loss of information
  • public authorities and data processors, together with any other additional third parties, must be fully engaged in the resolution of a potential or actual data incident. The responsibilities of each party in the event of a potential or actual loss of information must be clearly defined in the information sharing agreement or security plan

40. You will need to agree a security plan as part of any formal information sharing agreement with public authorities and third parties who are party to the data share. Security plans should include:

  • storage arrangements that make sure information is secured in a robust, proportional and rigorously tested manner
  • assurance that only people who have a genuine business need to see personal information will have access to it
  • who to notify in the event of a security breach
  • procedures to investigate the causes of any security breach

Data retention and disposal

41. It is a requirement of the Data Protection Act 1998 that personal information should be kept only for as long as necessary. How long it is “necessary” to hold personal information depends on the purpose for which the public authority holds the information.

42. You will need to agree with recipients of data shared under these powers how long the data is expected to be held for. The period agreed should be documented in the information sharing agreements between both parties and the need to continue to hold information should be kept under continuous review.

43. You should put procedures in place to ensure that data no longer required is destroyed promptly and rendered irrecoverable. The same will apply to data derived or produced from the original data, except where section 33 of the Data Protection Act 1998 applies (in relation to data processed for research purposes). You should refer to the ICO guidance on Deleting Personal Data.

2. Public service delivery

2.1 Understanding the purpose of the public service delivery power

44. Public service delivery is changing, due to increasing acknowledgement that services are more efficient and effective when they are joined up. Joining up services requires the sharing of information. The Digital Economy Act 2017 creates a mechanism for establishing clear and robust legal gateways which will enable public authorities to share relevant information on the individuals and families they are working with in compliance with the Data Protection Act 1998. The primary purpose of this power is to support the wellbeing of individuals and households.

45. The public service delivery power gives you the ability to gain access to the data you need to respond more efficiently and effectively to current and emerging social and economic problems. The power allows ministers in the UK government and, for devolved matters, the devolved administrations to set objectives in regulations. All objectives must meet all of the following conditions which are set out in the Act:

  • condition 1: the purpose is the improvement or targeting of a public service provided to individuals or households, or the facilitation of the provision of a benefit (whether or not financial) to individuals or households
  • condition 2: the purpose is the improvement of the wellbeing of individuals or households
  • condition 3: the purpose is the supporting of the delivery of a specified person’s functions, or the administration, monitoring or enforcement of a specified person’s functions

46. For an explanation of, for example, ‘benefit’ and ‘wellbeing’ please refer to the Digital Economy Act 2017 and its Explanatory Notes.

47. The [accompanying regulations] set out the initial objectives for which information can be disclosed under the power:

  • identifying individuals or households who face multiple disadvantages and enabling the improvement or targeting of public services to such individuals or households and providing for the monitoring and evaluation of programmes and initiatives
  • assisting people living in fuel poverty by reducing their energy costs, improving efficiency in their use of energy or improving their health or financial wellbeing
  • reducing water or sewerage costs, improving efficiency in use of water or improving the health or financial wellbeing of people living in water poverty
  • identifying and making contact with vulnerable people who might need help from the authorities in re-tuning televisions in 2018 to 2019 after the 700MHz band is used for mobile broadband rather than to transmit digital TV

2.2 The process for establishing a new objective under the public service delivery power

48. To propose a new objective, you need to determine what types of data are required, which bodies hold the data and how the ability to share personal data will support the achievement of your policy objectives. Objectives should be drafted to ensure that they meet the conditions in section 35 of the Digital Economy Act 2017 and are specific enough to limit the use of the power to a clear purpose. Where an objective has been developed by a devolved administration for a devolved matter, the objective should specify which devolved administration it relates to.

Example objectives

Examples of potentially suitable topics for objectives which would deliver an improvement in a service or benefit are:

  • reducing the number of people sleeping on the street for more than one night
  • improving employment outcomes for ex-offenders
  • supporting gang members to safely exit gang culture

Examples of objectives which would not meet the conditions because the objective is punitive instead of providing a benefit and improving wellbeing are:

  • identifying individuals operating in the grey economy
  • identifying welfare claimants erroneously receiving welfare benefits

Examples of objectives which would not be acceptable because they are too ‘general’ in terms of targeting communities or conferring a broad public benefit rather than one targeted at individuals or households, or which are insufficiently specific for an information sharing arrangement include:

  • improving levels of safety in a neighbourhood
  • helping people into work
  • preventing people going to prison

49. You should discuss your proposal for a new objective with the relevant central government body with oversight responsibility for the respective policy area. Either your organisation or the responsible central government departments should then write formally to the Minister for the Cabinet Office to request that the new objective be added through regulations. If the minister agrees to the creation of a new objective, statutory consultation must take place. Subject to the outcome of that consultation, the new objective will then be considered in Parliament for approval under the affirmative procedure.

50. Public authorities within a devolved administration proposing to create a new objective which is limited to a devolved function involving only devolved bodies within that territory should contact the relevant ministerial body in the devolved administration (for example the Department of Finance in Northern Ireland). Ministers within the devolved administration have the powers to make regulations to create objectives within the legislative competence of the devolved administration. The minister must consult the Minister for the Cabinet Office, relevant ministers from the other devolved administrations, Commissioners for HM Revenue and Customs, HM Treasury and such other persons as the minister considers appropriate.

51. Any proposal by a public authority within a devolved territory for the creation of an objective which is not within devolved competence or for information sharing between devolved authorities and non-devolved authorities, should be discussed with the relevant ministerial body in the devolved administration before it is formally proposed to the Minister for the Cabinet Office for consideration. If the proposed objective includes the sharing of data held by a public authority with responsibilities which are not devolved, the agreement of the relevant UK minister(s) must also be obtained. Legislation only allows the Minister for the Cabinet Office or the Secretary of State to make regulations for the creation of non-devolved objectives or the specification of persons whose functions are not devolved.

52. In all cases, the public authorities authorised to share data under each objective must be specified in the regulations for that objective. Only those public authorities whose inclusion is necessary for the delivery of that objective will be specified.

2.3 Process for using the public service delivery power

Step 1: Identify the policy objective and the data needed to support it

  • Do you need to use personal information? If you don’t need it, don’t use it
    • Familiarise yourself with the Data Protection Act 1998, the Data Protection Principles and the Information Commissioner’s data sharing code of practice on information sharing
  • Does the proposal pose any ethical issue or will it lead to any data handling risks?
  • How do you want to share information and will it be secure?
    • Assess the data you need and ensure you can justify why you need each data item
    • Speak to your organisation’s information governance and security experts and discuss what the best methods are for data transfer

Step 2: Develop the proposal

  • Agree a proposal with the other organisations involved in the information sharing arrangement
    • If bodies outside the public sector are involved you should consider any conflicts of interest and reflect it in the business case
    • Ensure all bodies undertake to comply with this Code of Practice
    • Seek advice from your legal advisers that your proposal is suitable for use under the public service delivery power and is not unlawful under the Data Protection Act 1998 or applicable investigatory powers legislation
  • Conduct a privacy impact assessment
    • Assess the potential benefits of the information sharing arrangement against the risks or potential negative effects, such as an erosion of personal privacy
  • Develop and draft a business case, information sharing agreements, a privacy impact assessment and security plan
    • Ensure you have regard to ICO guidance on data sharing agreements and privacy impact assessments
    • Ensure the responsibilities for each body involved in the information sharing arrangement are understood and articulated in the documentation
    • The outcomes of any public consultation or, if a decision was taken not to undertake public consultation, the reasons for that decision, should be articulated in the business case
    • Ensure each organisation involved in the data sharing arrangement has the appropriate systems and procedures in place to handle data securely and that a security plan has been agreed which sets out how data security will be managed

Step 3: Operating the data sharing arrangement

  • Managing the information sharing arrangement
    • You should ensure you apply fairness and transparency principles as set out in the ICO Code of Practice on Data Sharing
    • You should ensure the business case, information sharing agreement and privacy impact assessment are made available to the public (and be ready to justify any redactions)
    • You should ensure that all bodies adhere to the information sharing agreement and security plan and report any data breaches as appropriate
    • You should notify the Government Digital Service (GDS) in the Cabinet Office of your information sharing arrangement, to be maintained in a searchable register available to the general public
  • Assessment of the information sharing arrangement
    • At the conclusion of a data sharing arrangement, you should assess and review that arrangement and consider publishing the findings including an assessment of benefits derived. This will help improve understanding of data sharing and also help share best practice and lessons learned with other public authorities. Finally, you should ensure that arrangements for the destruction of data which does not need to be retained have been fully implemented.

In considering whether to use the public service delivery powers, the following checklist may also be helpful.

Checklist: points to consider

Why share:

  • For what purpose and public function is the information being requested?
  • What are the benefits of the data exchange for the receiving party or any other public body?
  • What are the implications of not sharing information? For example:
    • increased risk that people do not receive the support or the services they require in a timely manner
    • risk that burdens will be placed on people to repeatedly supply information to access the services they require
    • risk of wasting taxpayers’ money by jeopardising public finances or commercial projects

What to share:

  • What specific data items are required and why?
  • Are there reasons why the data should not be shared? Consider the Data Protection Principles and any legal restrictions that may apply
  • Are there any legal obligations on the recipient of the data to provide it to any other bodies?
  • How regularly and in what volume is it proposed to share the data?
  • Are there any ethical issues with the proposed data sharing arrangement?

How to share:

  • What methods or technology can be used to minimise the amount of information shared and risk of data loss, for example using aggregate data, derived data or the use of a look-up process, in preference to sharing large amounts of data?
  • What procedures will be in place to correct any inaccurate data identified during the data sharing process and the process for capturing the changes made for auditing purposes?
  • What are the conditions for processing information? Will data subjects be aware that their data is being processed and will procedures for dealing with access requests, queries and complaints be in place?
  • Information handling responsibilities, including details of any data processors, contractors or subcontractors
  • Security considerations, like the use of secure transfer mechanisms, encryption, etc
  • For audit purposes, document the process and methods of exchange, how exchanges are logged, what information is stored and who has access to it
  • Standards and levels of expected operational service
  • Termination arrangements
  • Minimising cost of providing/transferring the data
  • Issues, disputes and resolution procedures
  • Sanctions for failure to comply with the agreement or breaches by individual staff
  • Is there a time-limit suggested for using the data and, if so, how will the data be deleted?
  • Periodic reviews of the effectiveness and necessity of data sharing arrangements

3. Debt

This part of the Code is for organisations wishing to make use of the debt power. It sets out the purpose of the debt provisions and the process you will need to follow to establish a new pilot.

3.1 Understanding the purpose of the debt power

53. As at March 2016, it was estimated that £24.5bn of debt was owed to government.

54. The purpose of the debt power is to allow a public authority (or a private body who provides services to a public authority) to share debt data to enable better debt management, including debt recovery, in connection with debt owed to a public authority or the Crown. Fairness is a key consideration in the exercise of the power. All users of the power will be required to consider fairness in their debt information sharing arrangements. The applicable Fairness Principles are set out in Part 3.4 below.

55. These permissive powers are intended to ease the burden of establishing individual gateways and remove the need to seek new legislation to ensure public authorities have the required legal powers where they wish to share data. It is important to note that the powers are designed to be operated initially through pilots, established to explore the benefit of the data share.

56. Steps have to be taken to ensure that information sharing proposals are balanced and proportionate and come under an appropriate level of scrutiny, similar to that which would be applied to the development of a new legal gateway.

3.2 Deciding to share information under the debt power

57. All information sharing proposals under the debt powers must be piloted to determine whether there is value in sharing personal information for the purposes set out in the relevant parts of the Act, namely to take action in connection with debt owed to the public sector.

58. A review board will be established by the UK government to oversee any non-devolved and England-only information sharing under the debt and fraud powers, and to monitor the pilots. This will help ensure bodies carrying out pilot data shares under these provisions operate with regard to the Code. It will support any decision made on the basis of the outcome of the pilots, such as implementing the data share on a wider scale, and will gather and analyse evidence on the effectiveness of pilots to assist the review of the power after three years.

59. The review board will also consider complaints and act as a point of contact with the Information Commissioner’s Office. All proposals for pilots must be submitted to the review board through the secretariat. It is envisaged that the review board will sit monthly and that requests and clearance through the minister should take around six weeks once an application has been submitted.

60. The review board will consist of appropriately qualified subject experts gathered from across government and will be attended by representatives from the ICO and invited members from appropriate public representative bodies. The secretariat will monitor and record the progress of pilots, and will gather performance data for the evaluation of the pilot and the power itself.

61. If you wish to establish a pilot you must submit a business case and privacy impact assessment to the secretariat of the review board. A single business case will need to be submitted which is agreed by all the participating bodies.

62. On receipt of a given business case, the secretariat will look over the business case, and will confirm with you whether it is suitable for submission to the review board and will let you know the date by which the business case will be considered by the review board.

63. The review board will review the business case and consider whether the proposal meets the requirements to use the power. It will make recommendations to the Minister for the Cabinet Office on whether the request should be accepted for implementation, accepted subject to amendments, or declined. You will be informed of the outcome by the secretariat.

64. Business cases may be declined for a range of reasons. For example, the proposal may require modification to align it to best practice, to more clearly define success criteria and the methodology for measuring them, or because alternative delivery routes may be more appropriate. Pilots can only commence under this power upon confirmation from the minister that the recommendation has been approved.

65. During the operation of the pilot, you are responsible for:

  • adherence to the terms of the pilot
  • reporting on the performance of the pilot
  • reporting of any variation in the pilot as a request to the review board
  • reporting of any breach of the code
  • closure of the pilot and final reporting

66. After the pilot has concluded, and if it is considered to have been a success, you can put a recommendation to the review board to act upon the findings of the pilot. The review board may, at this point, approve the continuation of the pilot as ‘business as usual’ or recommend further piloting activity.

67. The review board is responsible for collating the evidence which will inform the minister’s review of the operation of the debt power, as required under the Digital Economy Act 2017 after three years. This evidence will be gathered from the non-devolved and England-only information sharing arrangements, as well as those implemented in the devolved administrations.

68. The devolved administrations will establish their own governance structures for oversight of information sharing arrangements within their areas. Data pertaining to the operation of pilots in the devolved administrations should be periodically submitted to the secretariat for the review board for the purpose of collating the evidence for the review of the debt power after three years.

3.3 Process for using the debt power

Step 1: Identify the policy objective and the data needed to support it

  • Do you need to use personal information?
    • Familiarise yourself with the Data Protection Act 1998, the Data Protection Principles and the ICO Code of Practice on information sharing
  • Does the proposal pose any ethical issue or will it lead to any handling risks?
    • Refer to the Data Science Ethical Framework
  • Can the information share be piloted and what would be the method for measuring success or failure?
    • Contact the relevant central review board for your national territory for advice
    • Discuss with your analysts what would be suitable measures to evaluate the particular information sharing arrangement
  • How do you want to share information and will it be secure?
    • Assess the data you need to share and ensure you can justify why you need each data field
    • Speak to your organisation’s information governance and security experts and discuss what the best available methods are for data transfer.

Step 2: Develop the proposal

  • Agree a proposal with the other organisations involved in the data pilot
    • If bodies outside the public sector are involved you should consider any conflicts of interest and reflect this in the business case
    • Ensure all bodies undertake to comply with this Code of Practice
  • Agree success and failure criteria for the pilot
    • Seek advice from your legal advisers that your proposal is suitable for use under the debt power and is not unlawful under the Data Protection Act 1998 or applicable investigatory powers legislation
    • Consider how the fairness principles can be embedded into the proposal
  • Conduct a privacy impact assessment
    • Assess the potential benefits against the risks or potential negative effects, such as an erosion of personal privacy
  • Develop and draft a business case, information sharing agreements, a privacy impact assessment and security plan
    • Ensure you have regard to ICO guidance on Data Sharing Agreements and privacy impact assessments
    • Ensure the responsibilities of each body involved in the information sharing arrangement are understood and articulated in the documentation
    • The outcomes of any public consultation or decision as to why a public consultation did not take place should be articulated in the business case
    • Ensure each organisation involved in the information sharing arrangement has the appropriate systems and procedures in place to handle data securely and that a security plan has been agreed which sets out how data security will be managed

Step 3: Submitting the proposal

  • Submit your proposal to the relevant central review board for your territory
    • Contact your central review board and submit the relevant documentation to them
    • You may receive an initial view from the central review board with any recommendations they may have for strengthening the proposal, which you should respond to accordingly to enable the proposal to progress
    • The central review board will contact you to let you know whether a) your proposal will be recommended to the relevant minister, b) whether modifications are recommended, or c) the proposal has not met requirements and an alternative approach should be pursued
    • Your central review board will contact you to let you know whether the minister is content for the pilot to proceed and the updates that will be required so that they can monitor progress

Step 4: Running the pilot

  • Managing the pilot
    • Upon receiving confirmation that the pilot may proceed, you should ensure there is an appropriate governance structure in place for the pilot
    • You should ensure that all bodies taking part in the relevant arrangement adhere to the information sharing agreement and report any breaches as appropriate to the central review board for your territory. Serious data security breaches should be reported to your central review board and the Information Commissioner’s Office
  • Reporting to the central review board in England
    • Send appropriate metrics data about your pilot through at agreed intervals to the secretariat to the review board
    • The secretariat will publish relevant information about the pilot online and update with metrics as appropriate
    • At the end of the pilot period send a summary of the findings, and other relevant information to the review board
  • Assessment of the pilot
    • The central review board for your territory will analyse the metrics and findings of the pilot and make a recommendation to the relevant minister as to whether it has met its objectives and whether the data sharing should continue on a business as usual basis or not. The review board will contact you to inform you of the minister’s decision
    • If the decision is to stop the pilot, you must ensure that steps are taken to destroy any copies of data acquired under the power which do not need to be retained

In considering whether to use the debt power, the following checklist may also be helpful.

Checklist: points to consider

Why share:

  • For what purpose and public function is the information being requested? What are the benefits of the data exchange for the receiving party or any other public body?
  • What are the implications of not sharing information? For example:
    • increased risk that people do not receive the support or the services they require in a timely manner
    • risk that burdens will be placed on people to repeatedly supply information to access the services they require
    • risk of wasting taxpayers’ money by jeopardising public finances or commercial projects

What to share:

  • What specific data items are required and why?
  • Are there reasons why the data should not be shared (consider the Data Protection Principles and any legal restrictions that may apply)?
  • Are there any legal obligations on the recipient of the data to provide it to any other bodies?
  • How regularly and in what volume is it proposed to share the data?
  • Are there any ethical issues with the proposed information sharing arrangement?

How to share:

  • What methods or technology can be used to minimise the amount of information shared and risk of data loss, for example using aggregate data, derived data or the use of a look-up process, in preference to sharing large amounts of data?
  • What procedures will be in place to correct any inaccurate data identified during the data sharing process and the process for capturing the changes made for auditing purposes?
  • What are the conditions for processing information? Will data subjects be aware that their data is being processed and will procedures for dealing with access requests, queries and complaints be in place?
  • Information handling responsibilities, including details of any data processors, contractors or subcontractors
  • Security considerations, like the use of secure transfer mechanisms or encryption
  • For audit purposes, document the process and methods of exchange, how exchanges are logged, what information is stored and who has access to it
  • Standards and levels of expected operational service
  • Termination arrangements
  • Minimising cost of providing or transferring the data
  • Issues, disputes and resolution procedures
  • Sanctions for failure to comply with the agreement or breaches by individual staff
  • Is there a time limit suggested for using the data and, if so, how will the data be deleted?
  • Periodic reviews of effectiveness and necessity of data sharing arrangements

3.4 The Fairness Principles for data sharing under the debt power

69. Fairness is a key consideration in respect of the operation of the debt data sharing power. Public authorities will continue to have their own fairness policies and practice in how they manage debt. These Principles provide a set of best practice guidelines to help ensure a common approach to fairness is considered when sharing information under the power. These Principles aim to align with existing public authority practices, and aim to encourage a consistent approach to fairness across the debt data sharing pilots. The Principles only apply to debt data sharing pilot activity to be carried out under this Act, and only in accordance with any legal obligations to which public authorities are subject.

70. Pilots operating under the debt power should aim to use relevant data to help differentiate between:

  • a customer who cannot pay their debt because of vulnerability or hardship - so that individuals can, for example, be offered advice and guidance about the debt owed (where appropriate), or be signposted to non-fee-paying debt advice and support, with the aim of minimising the build-up of further debt
  • a customer who is in a position to pay their debt - some of whom may need additional support
  • a customer who has the means to pay their debt, but chooses not to pay - so public authorities, and private bodies acting on their behalf, can assess which interventions could best be used to recover the debt

71. The use of wider data sharing for this purpose will help enhance cross-government debt management capability, and will help to enable a more informed view of a customer’s individual circumstances and their ability to pay.

72. Pilots should be conscious of the impact debt collection practices have on vulnerable customers and customers in hardship. Statistical and anecdotal evidence from debt advice agencies shows that in a substantial number of cases, a non-fee-paying customer who has an outstanding debt will owe money to more than one creditor. The aim is to ensure any repayment plans are affordable and sustainable. This should balance the need to maximise collections, while taking affordability into account.

This may be achieved by:

  • Using relevant sources of data and information to make informed decisions about a customer’s individual circumstances and their ability to pay. This process could include:
    • an assessment of income versus expenditure to create a tailored and affordable repayment plan based on in work and out of work considerations, including the ability to take irregular income into account
    • consideration of the need for a ‘breathing space’ to seek advice, or forbearance, in cases of vulnerability and hardship
  • where a vulnerable customer is identified, they should be given appropriate advice and support, which may include signposting to non-fee-paying debt advice agencies
  • government should liaise with non-fee-paying debt advice agencies who are helping customers in debt
  • communication should clearly set out relevant information to enable the customer to take action, and encourage them to engage with the government
  • any pilot that uses a third party (such as a debt collection agency or shared services) must also treat people fairly, in line with these Principles and relevant regulatory rules
  • pilots should undertake regular engagement with stakeholders to encourage regular feedback about how fairly the pilots are working in practice

4. Fraud

This part of the Code is for organisations wishing to make use of the fraud power. It sets out the purpose of the fraud provisions and the process you will need to follow to establish a new pilot.

4.1 Understanding the purpose of the fraud power

73. It is estimated that losses to Government through fraud are in the region of £29bn to £40bn. It is in all our interests to prevent fraud, and public bodies have a particular responsibility to ensure that taxpayers’ money is spent appropriately and is not taken out of the system fraudulently.

74. The purpose of the fraud power is to allow a public authority (or a private body who provides services to a public authority) to share data to enable better detection and prevention of fraud against the public sector as well as recovery of public sector monies.

75. These permissive powers are intended to ease the burden of establishing individual gateways and remove the need to seek new legislation to ensure public authorities have the required legal powers where they may wish to share data. It is important to note that the powers are designed to be operated initially through pilots, established to explore the benefit of the data share.

76. Steps have to be taken to ensure that information sharing proposals are balanced and proportionate and come under an appropriate level of scrutiny, similar to that which would be applied to the development of a new legal gateway.

4.2 Deciding to share information under the fraud power

The process for establishing information sharing arrangements under the fraud power

77. All information sharing proposals under the fraud power must be piloted to determine whether there is value in sharing personal information for the purposes set out in the relevant parts of the Act, namely to take action in connection with fraud against the public sector.

78. A review board will be established by the UK Government to oversee any non-devolved and England-only data sharing under the debt and fraud powers, and to monitor the pilots. This will help ensure bodies carrying out pilot data shares under these provisions operate with regard to the Code. It will support any decision made on the basis of the outcome of the pilots, such as implementing the data share on a wider scale, and gather and analyse evidence on the effectiveness of pilots to assist the review of the power after three years.

79. The review board will also consider complaints and act as a point of contact with the Information Commissioner’s Office. All proposals for pilots must be submitted to the review board through the secretariat. It is envisaged that the review board will sit monthly and that requests and clearance through the minister should take around six weeks once an application has been submitted.

80. The review board will consist of appropriately qualified subject experts gathered from across government and will be attended by representatives from the ICO and invited members from appropriate public representative bodies. The secretariat will monitor and record the progress of pilots, and will gather performance data for the evaluation of the pilot and the power itself.

81. If you wish to establish a pilot you must submit a business case and privacy impact assessment to the secretariat of the review board. A single business case will need to be submitted which is agreed by all the participating bodies.

82. On receipt of a given business case, the secretariat will look over the business case, and will confirm with you whether it is suitable for submission to the review board and will let you know the date by which the business case will be considered by the review board.

83. The review board will review the business case and consider whether the proposal meets the requirements to use the power. It will make recommendations to the Minister for the Cabinet Office on whether the request should be accepted for implementation, accepted subject to amendments, or declined. You will be informed of the outcome by the secretariat.

84. Business cases may be declined for a range of reasons, for example the proposal may require modification to align it to best practice, or to more clearly define success criteria and the methodology for measuring them, or because alternative delivery routes may be more appropriate. Pilots can only commence under this power upon confirmation from the minister that the recommendation has been approved.

85. During the operation of the pilot, you are responsible for:

  • adherence to the terms of the pilot
  • reporting on the performance of the pilot
  • reporting of any variation in the pilot as a request to the review board
  • reporting of any breach of the code
  • closure of the pilot and final reporting

86. After the pilot has concluded, and if it is considered to have been a success, you can put a recommendation to the review board to act upon the findings of the pilot. The review board may, at this point, approve the continuation of the pilot as ‘business as usual’ or recommend further piloting activity.

87. The review board is responsible for collating the evidence which will inform the minister’s review of the operation of the fraud power, as required under the Digital Economy Act 2017 after three years. This evidence will be gathered from the non-devolved and England-only data sharing arrangements as well as those implemented in the devolved administrations.

88. The devolved administrations will establish their own governance structures for oversight of information sharing arrangements within their areas. Data pertaining to the operation of pilots in the devolved administrations should be periodically submitted to the secretariat for the review board for the purpose of collating the evidence for the review of the debt and fraud power after three years.

4.3 Process for using the fraud power

Step 1: Identify the policy objective and the data needed to support it

  • Do you need to use personal information?
    • Familiarise yourself with the Data Protection Act 1998, the Data Protection Principles and the ICO Code of Practice on information sharing
  • Does the proposal pose any ethical issue or will it lead to any handling risks?
    • Refer to the Data Science Ethical Framework
  • Can the information share be piloted and what would be the method for measuring success or failure?
    • Contact the relevant central review board for your national territory for advice
    • Discuss with your analysts what would be suitable measures to evaluate the particular information sharing arrangement
  • How do you want to share information and will it be secure?
    • Assess the data you need to share and ensure you can justify why you need each data field
    • Speak to your organisation’s information governance and security experts and discuss what the best available methods are for data transfer.

Step 2: Develop the proposal

  • Agree a proposal with the other organisations involved in the data pilot
    • If bodies outside the public sector are involved you should consider any conflicts of interest and reflect this in the business case
    • Ensure all bodies undertake to comply with this Code of Practice
    • Agree success/failure criteria for the pilot
    • Seek advice from your legal advisers that your proposal is suitable for use under the relevant power (fraud or debt) and is not unlawful under the Data Protection Act 1998 or applicable investigatory powers legislation
    • If your proposal relates to debt, consider how the fairness principles can be embedded into the proposal
  • Conduct a privacy impact assessment
    • Assess the potential benefits against the risks or potential negative effects, such as an erosion of personal privacy
  • Develop and draft a business case, information sharing agreements, a privacy impact assessment and security plan
    • Ensure you have regard to ICO guidance on Data Sharing Agreements and privacy impact assessments
    • Ensure the responsibilities of each body involved in the information sharing arrangement are understood and articulated in the documentation
    • The outcomes of any public consultation or decision as to why a public consultation did not take place should be articulated in the business case
    • Ensure each organisation involved in the information sharing arrangement has the appropriate systems and procedures in place to handle data securely and that a security plan has been agreed which sets out how data security will be managed

Step 3: Submitting the proposal

  • Submit your proposal to the relevant central review board for your territory
    • Contact your central review board and submit the relevant documentation to them
    • You may receive an initial view from the central review board with any recommendations they may have for strengthening the proposal, which you should respond to accordingly to enable the proposal to progress
    • The central review board will contact you to let you know whether a) your proposal will be recommended to the relevant Minister, b) whether modifications are recommended, or c) the proposal has not met requirements and an alternative approach should be pursued
    • Your central review board will contact you to let you know whether the Minister is content for the pilot to proceed and the updates that will be required so that they can monitor progress

Step 4: Running the pilot

  • Managing the pilot
    • Upon receiving confirmation that the pilot may proceed, you should ensure there is an appropriate governance structure in place for the pilot
    • You should ensure that all bodies taking part in the relevant arrangement adhere to the information sharing agreement and report any breaches as appropriate to the central review board for your territory. Serious data security breaches should be reported to your central review board and the Information Commissioner’s Office
  • Reporting to the central review board in England
    • Send appropriate metrics data about your pilot through at agreed intervals to the secretariat to the review board
    • The secretariat will publish relevant information about the pilot online and update with metrics as appropriate
    • At the end of the pilot period send a summary of the findings, and other relevant information to the review board
  • Assessment of the Pilot
    • The central review board for your territory will analyse the metrics and findings of the pilot and make a recommendation to the relevant Minister as to whether it has met its objectives and whether the information sharing should proceed or not. The review board will contact you to inform you of the Minister’s decision
    • If the decision is to stop the pilot, you must ensure that steps are taken to destroy any copies of data acquired under the power which do not need to be retained

In considering whether to use the fraud power, the following checklist may also be helpful.

Checklist: points to consider

Why share:

  • For what purpose and public function is the information being requested?
  • What are the benefits of the data exchange for the receiving party or any other public body?
  • What are the implications of not sharing information? For example, risk of wasting taxpayers’ money by jeopardising public finances or commercial projects

What to share:

  • What specific data items are required and why?
  • Are there reasons why the data should not be shared? Consider the Data Protection Principles and any legal restrictions that may apply.
  • Are there any legal obligations on the recipient of the data to provide it to any other bodies?
  • How regularly and in what volume is it proposed to share the data?
  • Are there any ethical issues with the proposed data sharing arrangement?

How to share:

  • What methods or technology can be used to minimise the amount of information shared and risk of data loss, for example using aggregate data, derived data or the use of a look-up process, in preference to sharing large amounts of data?
  • What procedures will be in place to correct any inaccurate data identified during the data sharing process and the process for capturing the changes made for auditing purposes?
  • What are the conditions for processing information? Will data subjects be aware that their data is being processed and will procedures for dealing with access requests, queries and complaints be in place?
  • Information handling responsibilities, including details of any data processors, contractors or subcontractors
  • Security considerations, like the use of secure transfer mechanisms, encryption, etc
  • For audit purposes document the process and methods of exchange, how exchanges are logged, what information is stored and who has access to it
  • Standards and levels of expected operational service
  • Termination arrangements
  • Minimising cost of providing/transferring the data
  • Issues, disputes and resolution procedures
  • Sanctions for failure to comply with the agreement or breaches by individual staff
  • Is there a time-limit suggested for using the data and, if so, how will the data be deleted?
  • Periodic reviews of effectiveness and necessity of information sharing arrangement

5. Fairness and transparency

89. When using the powers for public service delivery, fraud and debt, you are required to ensure that your information sharing practices are fair and transparent. You should only share information once you are satisfied that the processes are fair and transparent. This part of the Code sets out your obligations for reporting information sharing activities under these powers and the documents you will need to prepare and make available.

5.1 Register of information sharing activity

90. Information about all information sharing agreements concerning England-only or non-devolved bodies for a disclosure or group of disclosures under the public service delivery, debt and fraud powers must be submitted to the Government Digital Service (GDS) in the Cabinet Office, who will maintain a searchable register available to the general public.

91. It is important that citizens can understand what data is being shared, the specific purposes for which it is being shared, which bodies are disclosing and receiving that data, the potential benefits to be derived from the data sharing, and where appropriate how long that data will be held for. Furthermore, under the General Data Protection Regulation public authorities will be required to keep records of their information sharing agreements.

The register will allow Government and the ICO to understand what information sharing is taking place under the provisions to assess the value of the provisions, as well as to run audits where appropriate to check compliance with legislation and the use of this Code and other security and data processing guidelines.

92. Responsibility for submitting the required information about an information sharing agreement for a disclosure or group of disclosures rests with the recipients of the data, or in the case of the fraud and debt provisions, with the secretariat. Where an agreement establishes several disclosures over a period of time such as a data feed, a single entry is sufficient. If there is more than one recipient, they should work together to provide information for a single entry in the register. It is essential that information for the entry be cleared by the data provider before it is submitted to the Government Digital Service.

93. The information required to be submitted for inclusion in the register is as follows:

  • title of the information sharing agreement
  • short description of the purpose of the information sharing agreement
  • whether consent from the citizen is required and, if so, whether consent has been obtained
  • which chapter under Part 5 of the Digital Economy Act 2017 the information is being shared under (and the specific objective where the public service delivery provisions are used)
  • description of the information being disclosed and by which body, including bodies outside the public sector
  • method by which data will be disclosed
  • bodies receiving the data, including bodies outside the public sector
  • how long the information will be held
  • when the data sharing agreement will come into effect and when it will end
  • anticipated benefits of the data sharing
  • contact details for any subject access requests for public service delivery and debt

94. Providing this information should not be burdensome, as it will already have to be collated as part of the process of developing the business case and information sharing agreement. Information should be submitted for inclusion in the register as early as possible before the data sharing comes into effect. There is a presumption that information sharing arrangements - whether preparing to go live, live, or closed - will be included on the register and available for citizens to scrutinise.

95. There may be instances where publication of information about an information sharing agreement may in itself risk the objectives of the data share, such as where it pertains to national security, counter-fraud or criminal investigations. In such instances, an entry should still be submitted to GDS and a neutral description agreed for publication and audit purposes.

96. Documents may be redacted where appropriate to protect material which it would not be in the public interest to publish, for example where publication would damage national security. Such redactions will be the exception and will need to be justified.

It is the responsibility of the authority or authorities who submit information to the Government Digital Service to redact material before they submit it and to mark clearly where redactions have been made. Where you are asking for material to be published with redactions, you should provide the Government Digital Service with a separate list of the material that you propose for redaction and, in each case, an explanation of why you consider that redaction to be justified. This is subject to the need to protect this information appropriately.

5.2 Other documentation

97. If you are looking to share information under any of the three powers you need to carefully consider why an information sharing arrangement should be established and maintain a full audit trail of decisions. Conducting a privacy impact assessment of the proposal should be one of the first steps you take. It will help you assess the potential benefits against the risks or potential negative effects, such as an erosion of personal privacy. It will also provide a platform for considering how to design the information sharing to help ensure the minimum amount of information is shared to achieve the desired objective. See below for further guidance on privacy impact assessments.

98. You should always seek to operate as transparently as possible. Business cases, information sharing agreements and privacy impact assessment reports should be published in line with ICO guidelines. You may wish to redact some sensitive information from these documents before making them available. You should keep a record of redactions in each case and the reasons for making them. For example, in a privacy impact assessment or business case for a fraud or debt pilot, if you consider that placing certain information about the pilot in the public domain could undermine the objectives of the information sharing arrangement, you should redact that information. You should include a high level summary of the security plan in the business case unless there are particular national security or other sensitivities which would outweigh public interest in disclosure, but you do not need to publish the full plan.

Business cases

99. If you wish to establish an information sharing arrangement under the public service delivery, debt or fraud powers you must develop and agree a business case with the other bodies participating in the data share. A single business case will need to be developed for each information sharing arrangement. An information sharing arrangement could cover multiple transactions, and may cover the exploration of the benefit of sharing a single data asset, through to the trialling of a complete business process (for example under the debt and fraud powers).

100. Because all initial uses of the debt and fraud powers will be run as pilots, the initial purpose of the business case for debt and fraud arrangements is to justify the pilot by clarifying its objectives, how the pilot will be measured and the processes to ensure that data is being protected and used appropriately.

101. Your business case should contain the following information:

  • An outline of the information share. This should include:
    • the objective of the information sharing arrangement
    • an overview of the activity under the arrangement (and how the data will be used)
    • the period of duration for the arrangement, when the data share will be live and how retention periods will be managed
    • an outline of what types of data will be used and the data security arrangements to be put in place
  • Persons included in the information share. This should include:
    • a list of all persons and bodies that will be involved in the share – specifying which would disclose or receive data
    • to note - a business case provided under the fraud power need not go as far as detailing the counter fraud operation of partners.
  • How the benefits of the information share will be measured. This should include:
    • the potential benefits the information share could bring
    • the success criteria for the data share, and the methodology you will use to measure success
  • A statement of adherence to the Code of Practice:
    • for a debt data share, you should also include a statement explaining how you will comply with the Fairness Principles

Privacy impact assessments

102. A privacy impact assessment is a process which helps identify and reduce the privacy risks of an information share. You must conduct a privacy impact assessment if you wish to share data under the public service delivery, debt and fraud powers. The ICO’s Conducting Privacy Impact Assessments Code of Practice[1] provides guidance on a range of issues in respect of these assessments, including the benefits of conducting privacy impact assessments and practical guidance on the process required to carry one out. The privacy impact assessment should be reviewed at critical milestones and updated where necessary (for example when a pilot under the debt or fraud power has demonstrated benefit and is to be upscaled).

103. A Privacy Notice is either provided directly to individuals or otherwise made available. It explains what you do with their personal information, which bodies are involved and so forth. In exercising these powers to share data, you must ensure that suitably worded privacy notices are published and made available to the public in line with the fairness and transparency principles in the Information Commissioner’s privacy notices code of practice[2] and data sharing code of practice. The Information Commissioner’s privacy notices code of practice provides guidance on the content of these notices, as well as where and when to make them publicly available.

104. The Digital Economy Act 2017 requires all persons who are involved in disclosing information under the public service delivery, debt and fraud powers to have regard to the codes issued by the Information Commissioner, in so far as they are relevant, when they disclose information under these powers.[footnote 5]

Information Sharing Agreements

105. You should follow the Information Commissioner’s data sharing code of practice with regards to information sharing agreements. Before entering into information sharing agreements, you will need to agree with the other organisations involved in the data share that they will take appropriate organisational, security and technical measures to:

  • ensure information will be retained securely and deleted once it has been used for the purpose for which it was provided
  • prevent accidental loss, destruction or damage of information
  • ensure only people with a genuine business need have access to the information.

106. Information sharing agreements should contain details of sanctions that will apply to recipients of information who are found to be unlawfully or inappropriately processing data. These sanctions will include, but are not limited to:

  • Public authorities ceasing to receive information from other public authorities under the relevant power in the Digital Economy Act 2017. Regulations may be made to remove the organisation from the list of bodies able to share information under the power
  • Public authorities considering whether a given incident and/or organisation needs to be reported to the Information Commissioner’s Office
  • Public authority officials determining whether any misuse of public office offences have been committed and, if so, taking any necessary action
  • Persons granted access to information following a previous data breach will be required to have their systems and procedures assessed by a sponsoring public authority. Such persons will only be able to participate in an information sharing arrangement once public authority officials are satisfied that any security or other issues have been resolved to reduce the risk of any further issues occurring again in the future. The data sharing agreement should capture details of the assessments and the steps that have been taken to address previous problems.

6. Governance

6.1 Implementing a data sharing arrangement

107. Information sharing under these powers must adhere to the Information Commissioner’s data sharing code of practice and other existing guidelines on data security. You must respond swiftly and effectively to any complaints, objections or requests under the right of access to personal information. You should periodically run checks to ensure data security best practice is adhered to and publish details online of what checks were carried out and when.

108. Where data quality issues are identified during an information sharing arrangement, the governance structure supporting the arrangement should provide for immediate steps to be taken to identify and manage the risks associated with the use of that data and any remedial action required.

109. The Information Commissioner’s Office has a general power to conduct audits (including compulsory audits of government departments, designated public authorities and other categories of designated persons) of organisations to check that they are complying with law in relation to the handling of personal information. All bodies are required to comply with the ICO’s request for assistance so that they can determine whether data has been processed lawfully within the data sharing arrangement. The ICO is able to initiate criminal proceedings where necessary.

110. Anyone with concerns about a person’s systems and procedures for handling data, including the Information Commissioner’s Office, may raise those concerns with the responsible Minister. The responsible Minister is the Minister for the Cabinet Office for England-only and non-devolved information sharing initiatives and the relevant Minister in the devolved administration for an information sharing arrangement within a devolved territory only. Serious or persistent failure to handle data securely may result in regulations being laid to exclude a person from participating in any data share under the power.

6.2 Compliance with the Code

111. Any serious security breaches or serious breaches of the Data Protection Act 1998 need to be reported immediately to the Information Commissioner’s Office, the review board (for fraud and debt pilots) and, where applicable, the governance group in your devolved territory.

112. You should also report immediately any breaches of the Code or any sharing that contravenes the terms of the information sharing arrangement even if it may not constitute a serious breach of the Data Protection Act 1998. A breach of the Code, or an information sharing arrangement under the public service delivery power, should be reported to the contact person for such breaches identified in the relevant information sharing arrangement. A breach under the debt and fraud powers should be reported to the review board for your territory.

113. For debt and fraud, the review board will inform the relevant public authorities that a breach has been reported, and will investigate the breach. In doing so, it may make one of the following findings:

  • There has not been a breach and no action is required.
  • A breach has taken place but is of low impact: it will notify the public authority and ask it to introduce remedial measures
  • A breach has taken place and is of such seriousness that the pilot must be stopped: in this case, it will notify the public authority of the finding and inform the Minister of its recommendation
  • A breach has taken place and is so serious that the public body must be removed from the schedule. In such cases, it will notify the public authority of the finding and inform the Minister of its recommendation

114. Where the Minister has been informed by the review board under the debt and fraud powers of a recommended course of action following a breach, the Minister will notify the public authority and the review board as to the course of action he wishes to pursue. The Minister may in addition notify the ICO. Authorities will be kept informed of decisions and where possible invited to make representations or comments.

115. You should address any general questions and concerns about the debt and fraud powers to the Secretariat in the first instance.

Annex A: conflicts of interest

Definition

The NAO guidance defines conflicts of interest as “a set of circumstances that creates a risk that an individual’s ability to apply judgement or act in one role is, or could be, impaired or influenced by a secondary interest. The perception of competing interests, impaired judgement or undue influence can also be a conflict of interest.” A conflict of interest may arise in respect of a company and/or an individual.

There are two types of conflicts of interest:

  • actual conflict of interest - for example a material conflict between one or more interests
  • potential conflict of interest - for example the possibility of a material conflict

How to manage a conflict of interest

There are a variety of ways to manage conflicts of interest and we do not propose that this Code provides an in-depth ‘how to’. However, we think it would be helpful to include some key principles for identifying and managing conflicts of interest:

  • Non-public authorities should ensure they have adequate systems in place to identify and assess conflicts of interest. The rules should be clear and robust, but not overly prescriptive. Staff should also be adequately trained to identify and assess conflicts of interest.
  • This process could be assisted by a conflicts of interest policy - e.g. that requires all employees to regularly declare their interests and/or when entering into new agreements. An internal or industry-wide code of ethics may also apply, where employees are required to confirm compliance.
  • Conflicts of interest (actual and potential) should be identified as early as possible to avoid later issues. Information about the conflict should be adequately recorded, including any information about steps taken to manage it and any decisions made on the severity of the conflict.
  • The system for managing conflicts should be audited to ensure compliance.

See the appendices in the National Audit Office download on conflicts of interest.

  1. The ICO data sharing code is issued under section 52B of the Data Protection Act 1998. 

  2. In practice authorities are likely to want to apply the Data Protection Principles to all processing of information under this Act, where they are relevant, to ensure that best practice is followed in processing such information. 

  3. These schedules will be amended and kept up to date by regulations made by Parliament and the devolved legislatures. 

  4. A limited exception would be for example where a dataset is held, for national security purposes, further to a warrant approved by a Judicial Commissioner under Part 7 of the Investigatory Powers Act 2016. 

  5. See sections 43(13), 52(13) and 60(13) respectively.