Transparency data

One-off data share between HMRC and Student Loans Company (SLC) to combat fraud against the public sector

Published 22 July 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/combatting-fraud-against-the-public-sector-2023/one-off-data-share-between-hmrc-and-student-loans-company-slc-to-combat-fraud-against-the-public-sector

 

This Data Usage Agreement between HMRC and Student Loans Company was agreed and put in place in 2023.

HMRC disclose this information to Student Loans Company (SLC) by virtue of the legal basis Section 56 of the Digital Economy Act 2017  disclosure of information to combat fraud against the public sector.

Skills Development Scotland (SDS) may only use the information supplied by HMRC for the purpose for which it is disclosed and may not onwardly disclose it without seeking HMRC consent.

Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment is required prior to the exchange proceeding.

HMRC Records of Processing Activity (ROPA)

HMRC will update its Records of Processing Activity, an inventory of all HMRC’s major processing activities involving personal data, when setting up the data exchange.

Purpose

The Customer Compliance team at the SLC performs investigations and analysis to prevent and detect fraud within student finance applications. This includes migrant worker investigations, where the student is only eligible for student finance if they meet the eligibility requirements, one of which is to be employed while in study.

Following an investigation by SLC based on the student finance applications from the 2021 to 2022 academic year, it was found that fraudulent applications have been made based on false employment evidence being submitted by migrant workers.

Approximately 40,000 student finance applications are received by SLC each year for migrant workers. The amount of funding per application can be up to £19,000 if tuition fees are included.

When applying for student finance, a migrant worker must provide evidence of all taxable income from employment and other means, which is then assessed in line with the eligibility criteria and either accepted or declined.

Following the SLC investigations a sample of 3,000 migrant worker accounts will be sent to HMRC to match against HMRC employment records to identify any potential fraudulent applications that require further investigation by SLC.

The sample will be a mixture of 2,000 new migrant worker applications for the year ahead (equivalent of 5%), and 1,000 will be high risk cases identified by SLC as linked to other previously identified fraudulent cases via accountancy letters, employers, contacts, common addresses, and higher education providers, which need employment verification from HMRC.

The objectives of this one-off pilot are:

  • to identify cases where there is no record of employment income on HMRC records, which would indicate a high risk that the employment status and evidence provided to SLC to gain access to student finance was not genuine

  • to identify cases where there is a discrepancy between the evidence supplied to SLC and the information held on HMRC records

Where cases are identified as either not having an employment record with HMRC or the match returns an inconsistency (for example employment has ended), a full investigation will be conducted by SLC to allow them to ask the customer further questions and/or request further evidence to identify errors/mistakes or fraudulent claims.

If SLC investigations find payment(s) have been made in error, or as a result of a fraudulent made claim, SLC will attempt to retrieve the overpayment(s) via their normal recoveries route.

Benefits of the exchange

HMRC considers that the disclosure of information to SLC is necessary and proportionate to assist SLC in their role of preventing and detecting fraud within student finance applications.

The potential SLC benefits for this exchange are as follows:

  • early identification and prevention of fraud

  • minimising financial loss - payments would be prevented following identification of a fraudulent claim

  • minimising financial loss - collection of overpayments

  • reduced fraud rate and improved protection of public funds

  • efficiency - reduced and less intrusive fraud investigations – This data sharing will allow SLC to assess the level of potential fraud within the migrant worker population so that it can be managed effectively

  • efficiency - reduced manual resource and enhanced customer experience – SLC would no longer need to contact customers for additional evidence if employment has been verified by HMRC

There are no direct benefits to HMRC for this data share other than to assist SLC with this pilot.

Procedure

A sample dataset of approx. 3,000 applicants will be transferred from SLC via Secure Data Exchange Service (SDES) to HMRC Risk Intelligence Service (RIS) Governance Data Exchange Team in Microsoft Excel spreadsheet format in July 2023.

The sample from SLC will contain 2,000 new migrant worker applications for the year ahead, selected by a random number selector tool, this sample will allow SLC to extrapolate the findings across the whole migrant worker population to determine the scale of potentially fraudulent activity.

The additional 1,000 are high risk cases identified by SLC as having links via common denominators (for example accountancy letters, employers etc) to other previously identified fraudulent migrant worker cases which need employment verification from HMRC.

HMRC RIS Governance Data Exchange Team analyst will download the input file and save it to a secure designated SharePoint folder.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Data matching is carried out in accordance with the agreed RIS team quality assurance standards framework and only the most up to date information available to HMRC will be shared with SLC.

HMRC will return the data to SLC via SDES. Data Exchange Requests will be in place and approved prior to any data being shared.

Data items

SLC will provide the following information to HMRC:

  • SLC unique identifier

  • forenames

  • surname

  • Date of Birth

  • National Insurance number

  • employment type (PAYE or SA)

HMRC will return the following information to SLC for matched records:

  • SLC unique identifier

  • forenames

  • surname

  • Date of Birth

  • employment type PAYE (YN)

  • employment type SA (Y/N)

  • PAYE employment - 2020 to 2021 tax year – Y/N flag

  • PAYE employment 2021 to 2022 tax year – Y/N flag

  • Self-employment 2020 to 2021 tax year – Y/N flag

  • Self-employment 2021 to 2022 tax year – Y/N flag

  • Self-employment gross income value less than £5,200* per annum 2020 to 2021 tax year – Y/N flag

  • Self-employment gross income value less than £5,200* per annum 2021 to 2022 tax year – Y/N flag

  • land and property total income Y/N flag 2020 to 2021 tax year – Y/N flag

  • land and property total income 2021 to 2022 tax year – Y/N flag

  • UK dividends 2020 to 2021 tax year – Y/N flag

  • UK dividends 2021 to 2022 tax year – Y/N flag

  • foreign income 2020 to 2021 tax year – Y/N flag

  • foreign income 2021 to 2022 tax year – Y/N flag

  • other income 2020 to 2021 tax year – Y/N flag

  • other income 2021 to 2022 tax year – Y/N flag

Note – migrant workers must receive a minimum of £5,200 per annum in self-employment income to be eligible for student finance

Where HMRC cannot match the student, no data will be returned for that application.

Data retention and storage

HMRC

HMRC RIS Governance Data Exchange Team will download the data file received from SLC via Secure Data Exchange Service and save to the secure designated Governance Data Exchange Team SharePoint folder.

Both the inbound and outbound data set will be held in the same Governance Data Exchange Team SharePoint folder and will be manually deleted by the GovDET analyst 6 months after delivery (as GovDET Team lead’s recommendation), to ensure there are no data quality issues or queries on the data received by SLC.

Auto reminders in outlook are set by the Governance Data Exchange Team analyst to delete the data files as required after delivery.

As an added level of assurance, the data deletion is also recorded on a RIS GovDET General Data Protection Regulation (GDPR) tracker document which is an excel tool outlining all data sharing and what date the data is deleted.

This is reviewed monthly by the Grade 7 RIS Governance Data Exchange Team team lead and checks are undertaken that data is deleted on time.

In the event of an analyst being absent, the Grade 7 will arrange for the deletion of the data.

SLC

The returned output from HMRC to SLC will be stored within a secure Microsoft drive in a restricted Electronic Record and Document Management (eRDM) system folder.

This will only be accessible by certain team members.

It will also be stored in line with SLC internal retention policy; up to 6 years for confirmed fraud outcomes.

Data relating to accounts where no fraud concerns are held will be deleted within 3 months of receipt.

To provide an additional level of reassurance, SLC’s security teams have been engaged to ensure that the agreed process satisfies the internal data retention and storage policy.

Data controller status

HMRC is the data controller when HMRC processes the data, and it is within the HMRC environment. When the data has left HMRC and is received by SLC, then SLC will be the data controller.

Data security

HMRC and SLC agree to:

  • move, process and destroy data securely i.e. in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information

  • only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information will have access to it

  • only keep it for the time it is needed, and then destroy it securely

  • not onwardly disclose that information without the prior authorisation of HMRC

  • comply with the requirements in the Security Policy Framework, and be prepared for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to information

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, and in particular as set out in the Annex – Security Controls Framework to the Government Security Classifications.

Disputes

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Freedom of Information requests

If a Freedom of Information request relating to this information is made to SLC, their Freedom of Information team will engage with HMRC’s Freedom of Information team regarding the potential impact of disclosure.

Assurance

In accordance with the review and assurance agreed, a Certificate of Review and Assurance (CoRA) must be completed by both departments for the Data Usage Agreement when the data share has completed.

Costs

HMRC RIS GovDET will recharge SLC for the time taken to provide the data for this data share.

Signatures

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Back to top