Transparency data

Data Usage Agreement: Combatting fraud in Department for Work and Pensions Universal Credit Self Declaration system

Published 22 July 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/combatting-fraud-in-universal-credit-self-declaration-2023/data-usage-agreement-combatting-fraud-in-department-for-work-and-pensions-universal-credit-self-declaration-system

This Data Usage Agreement between HMRC and Department for Work and Pensions was agreed and put in place in 2023. 

Conditions of disclosure of information by HMRC

Digital Economy Act, 2017, Section 56, enables the disclosure of a sample of HMRC Construction Industry Scheme Reform subcontractor data within an agreed specified period, as it is in line with the statutory purpose of “the taking of action in connection with fraud against a public authority” on the condition that DWP undertake to:

  • complete a Data Protection Impact Assessment (DPIA)

  • adhere to this Data Usage Agreement (DUA)

Purpose

This data share covers a pilot with DWP to check the feasibility of merging HMRC Construction Industry Scheme and DWP Universal Credit data to estimate the level of potential fraud within the Universal Credit population. DWP may investigate some cases where significant discrepancies are found. This was part of the initial business case and is necessary to determine if the initiative is worth developing into a business-as-usual process.

One of the requirements for applicants for Universal Credit is a declaration of income, including self-employed earnings. DWP has identified a fraud risk in that, while self-employed earnings (and expenses) are reported by customers of Universal Credit, these are accepted without any formal verification of this self-declaration, which presents an opportunity for fraudulent claims to be made. DWP have reported that incorrectly declared self-employment is a major source of fraud in DWP.

This project aims to assist DWP in identifying and investigating fraud in self-employed declarations made to DWP in support of claims for Universal Credit. The aim of this exercise is to match Universal Credit applicants, whose claims include declared income from self-employment via the Construction Industry Scheme data, to that CIS data and in particular to match declared income as per Universal Credit claims to income reported under the Construction Industry Scheme for relevant periods over a 12-month time frame.

The data share will enable estimation of the likely scale of fraud due to under-reporting of earnings in Universal Credit by subcontractors.

Results of this pilot will be presented to the Debt and Fraud Board for evaluation and consideration of moving to a possible regular business as usual sharing activity, if there is a sufficient business case.

Justification  

As this is a pilot study, the exercise will be based on a random sample of 150,000 Construction Industry Scheme subcontractors. Of this population we estimate around 21,000 may be present in Universal Credit, and this is the population of interest. If fraud is present in, say 5%, of these 21,000 cases then DWP would have approximately 1000 possible cases to consider. This is the minimum size which DWP require to estimate the size of the overall fraud issue. Whilst the exact match rates between Construction Industry Scheme and Universal Credit, and the fraud rates are unknown, our best estimate an initial population of 150,000 individuals would be necessary to give a robust sample size.

After discussion with DWP it was agreed to focus on the time period corresponding to the tax year 2020 to 2021, to minimise any issues caused by late or amended Construction Industry Scheme submissions from contractors. As HMRC tax periods do not align with Universal Credit assessment periods, we will include all Construction Industry Scheme data for the random sample for two months either side of this date meaning February 2020 to June 2021 inclusive.

S56 DEA allows HMRC to disclose information we hold for our functions with another person within schedule 8 (which DWP are) for the purpose of taking action in connection with fraud against a public authority. This would include loss to a public authority or the exposure of a public authority to a risk of loss.

This purpose is clearly to identify fraud against a public authority so would be covered under (4)(b) and (c) detecting and investigating fraud of this kind.

The data shared is purely for the purpose stated here, and not suitable for re-use in other contexts. There is no automated decision making involved.

Detailed process and data involved

The data share will be undertaken in 3 stages to ensure that only data that is proportionate to this exercise is included, creating the least impact on individuals. The level of data shared will also be sufficient to have confidence in any matched outputs.

Stage 1: HMRC Data requested

The initial stage will require HMRC to export data for a random sample of 150,000 Construction Industry Scheme subcontractors who are self-employed individuals within the agreed specified period, and will include:

  • National Insurance number (as Construction Industry Scheme uses Unique Tax References as an identifier, a Unique Tax References to National Insurance number conversion will be required where a National Insurance number doesn’t exist in Construction Industry Scheme).

  • name

Stage 1a: DWP Data Match

DWP will undertake data matching and analysis on the HMRC exported data. Where there is a match to the Universal Credit claim, DWP will flag these matches for stage 2 of this exercise. If there is no match on DWP systems, then the subcontractor record will be deleted (from DWP’s systems) and removed from any further consideration.

Stage 2: DWP data returned to HMRC

DWP will flag to HMRC where a Universal Credit claim exists; additional personal data will also be returned by DWP to increase confidence in the next stage of data matching that HMRC will undertake. DWP will provide:

  • National Insurance number (so records can be identified)

  • DWP name

  • DWP date of birth (as additional verification)

  • number of distinct Universal Credit claims within the period agreed (as check for the dates below)

  • periods of Universal Credit claims within February 2020 to June 2021 inclusive (there may be several of these, as above, DWP to supply a comma separated list of start and end dates for each claim)

Stage 3: HMRC data matching

In cases where DWP have flagged an overlap in stage 2, HMRC will undertake a data match against the Construction Industry Scheme Reform system. Where a match is produced using the identity details provided by DWP, HMRC will export data to DWP to compare against the amount of earnings declared for Universal Credit purposes and will include:

  • National Insurance number

  • for each month overlapping with each Universal Credit claim HMRC will provide:

Data name Description
INC_TAX_ MONTH income tax month for CIS return. It is recorded in format yyyymm, where yyyy is tax year and mm is tax month which starts from the 6 of a month and ends on the 5 of next month, for example 202101 means 6 April 2020 to 5 May 2020, 202102 means 6 May to 5 June 2020 and so on, 202112 means 6 March to 5 April 2021.
TOTAL_PAYMENTS_AMT total payments made to subcontractor in each income tax month, taken from the latest version of CIS return. There may be payments from several contractors to the same subcontractor in the same month; all individual records will be aggregated for each subcontractor and month.
TOT_COST_MTRL_AMT the total cost of materials bought by a subcontractor to do a job. This amount is subtracted from the payment a contractor makes before the application of tax treatment.
TOTAL_TAX_PAID_AMT The amount of tax deducted from the payment made to the subcontractor.

To be confident that individuals are an exact match we require that there is a match between HMRC and DWP systems on National Insurance number, name and date of birth. Where it cannot be established that individuals are the same (for example different names or dates of birth recorded for the same National Insurance number) then HMRC will delete these records from the sample at the start of stage 3.

Analysis phase once receiving this (stage 3) data, DWP will collect declared Universal Credit earnings for this population, and compare the figures with the CIS returns. DWP will discuss aggregate results with HMRC, and both parties will agree a methodology to use this sample to estimate overall levels of fraud within the Universal Credit population.

DWP action

DWP provided the paragraphs below detailing how the data would be used in assessing the accuracy of claimants Universal Credit payments.

What constitutes a discrepancy: A full or partial construction industry payment over one or more consecutive months that aligns with a corresponding live Universal Credit award and corresponding assessment period(s), whether the claimant has or has not declared self-employment at the point of claim.

DWP’s main current strategic objective for fraud and error is to ‘prevent’ overpayments, DWP obtaining CISR data and analysing its potential will be primarily in this space and if the pilot is successful it may factor as a source in our future undeclared self employment risk modelling capabilities.

For the pilot we need to test it in ‘detect’ the type of DWP intervention for this will depend on the total amount of the discrepancy, if this is small, short or partial up to £3,000, this will result in compliance action, if this exceeds £3,000 the case may be routed to investigations.

Compliance action will involve an intervention with the claimant by phone, DWP will disclose Construction Industry Scheme Reform data as new evidence under ‘Sharing Information between departments under our personal charters’. The purpose of a compliance is to prove or disprove the allegation.  If, following the compliance action, a decision maker decides that benefit should reduce, if any civil penalty of £50 applies and if any resulting overpayment would be put into recovery.

Investigation action may involve an interview under caution if this is deemed to be appropriate once all relevant evidence has been gathered.  This could include evidence gathered under Social Security Administration Act 1992 s109. DWP will disclose Construction Industry Scheme Reform data as new evidence under the same personal charter. The purpose of an investigation is to prove or disprove the allegation. If, following the investigation, a decision maker decides that benefit should cease or reduce, any resulting overpayment would be put into recovery. If appropriate, an administrative penalty can be offered or the case may be submitted for prosecution.

In either intervention route detect or prevent, DWP will not automate any decision based on HMRC Construction Industry Scheme Reform data. In all cases there is a human decision first and foremost. All cases are assessed appropriately as illustrated above and will be assessed for the most suitable intervention option.

Data storage and transfer

The transfers between DWP and HMRC will be made securely through encrypted, password-protected agreed electronic transfer systems. HMRC will send the data in one file via HMRC Secure Data Exchange Service (SDES).

Data will be extracted and processed using SAS Enterprise guide in our secure project folder. Data for sharing will be extracted to password protected Excel files and stored temporarily in the Teams secure Controlled Access Folder (CAF).

Data received from DWP will also temporarily be stored in our CAF folder before being uploaded to our secure project folder in SAS Enterprise Guide.

Copies of data in the CAF for DWP will be deleted as soon as transfer to DWP is complete, and copies of data in the CAF from DWP will be deleted once uploading to our SAS secure project folder is complete. Data in the SAS secure project folder will be retained until the completion of the exercise, so there is a way to address any queries arising.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

DWP: All data will be stored securely on the DWP Integrated Risk and Intelligence Service (IRIS) data services platform. The data will be stored on the DWP’s digital secure platform. Full security, encryptions and all other standards are is in place. Individual access to this is only allowable with the relevant security clearance and user role assigned to them according to their role.

At all times data storage will comply with HMRC and DWP offshoring policies. At no time will any data be held or processed outside of the UK as part of this project.

Under section 18(1) of the Commissioners for Revenue and Customs Act (CRCA) 2005, HMRC is bound by a strict duty of confidentiality meaning that HMRC officers may not disclose information HMRC holds for its functions.  However, HMRC information may be disclosed where one of the statutory exceptions in section 18(2) CRCA 2005 apply or where disclosure is permitted under any other enactment pursuant to section 18(3) CRCA 2005.

Any person who discloses HMRC information which identifies a taxpayer without a lawful basis to do so under either s.18(2) or (3) of CRCA 2005 potentially commits a criminal offence of wrongful disclosure pursuant to s.19 CRCA 2005.  A person found guilty of an offence may receive an unlimited fine, imprisonment of up to two years or both.

The legal basis for the establishment and operation of the pilot, and the analysis of personal data within it, is covered by part 5, chapter 4, section 56 of the Digital Economy Act 2017 (DEA) This provides powers for government departments / organisations to share information for the purposes of the taking of action in connection with fraud against a public authority.

Lawful basis for processing personal data

The lawful basis is under UK General Data Protection Regulation (GDPR) Article 6 (1) (e) public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.

Data Controller

Under UK GDPR this will be data controller to data controller relationship between HMRC and DWP for the transfer of personal data.

HMRC and DWP are independent data controllers whilst the data is held on their respective estates using definitions as set out in the Data Protection Act 2018.

HMRC’s status will be ​a controller​ because ​HMRC separately determines the purpose and means of the processing of the personal data prior to sending it to DWP.​

DWP will be ​a controller​ in their own right once the personal data is received on their estate.  DWP will determine the means of the processing of the personal data after transfer.

Article 24 of the UK GDPR, provides further information on the responsibility of a data controller.

Retention

The HMRC data shared with DWP will be held for a period of no more than 12 months from the date the data is sent from HMRC to DWP, after which it will be destroyed. DWP will confirm to HMRC in writing after the data has been destroyed. HMRC will retain a copy of the data it sends to DWP whilst the project is in progress to help address any queries and delete this following the end of the project.

Data sent by DWP to HMRC in stage 2 will only be used for matching the sample required by DWP at stage 3 and will be deleted immediately once this sample is received by DWP.

This agreement will terminate once the exchange set out above has been completed and the pilot exercise has been completed.

Security

DWP will:

Move, process and destroy data securely i.e. in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information.

Only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information (linked to the purpose) will have access to it. 

Store the data in a secure on the DWP IRIS data services platform with restricted access to members of the team who are directly involved in the data share with the relevant security clearance and only keep it for the time it is needed, and then destroy it securely on agreement of all parties.

Not onwardly disclose HMRC information without the prior consent of HMRC in accordance with Section 59 of the Digital Economy Act.

Any person who receives HMRC data from DWP may not onwardly disclose the data without HMRC’s prior consent in accordance with Section 59 of The Digital Economy Act.

Comply with the requirements in the Security Policy Framework, and be prepared for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to the information provided within 24 hours.

Mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications.

Freedom of Information and Subject Access Request

HMRC and DWP are subject to the Freedom of Information Act 2000, and will assist and cooperate with each other, to enable each to comply with its information disclosure obligations.

Where a Freedom of Information (FOI) request is received the party receiving the request will notify the other relevant party to allow them the opportunity to make representation on the potential impact of disclosure:

Data subjects are entitled to exercise their data subject rights when their personal data is processed.  This is documented in each departments DPIAs. Where either party receives a data subject request, the party receiving the request will, where appropriate to do so, notify the other relevant party to allow them the opportunity to make representation on the potential impact of disclosure.

HMRC: HMRC subject access requests

DWP: DWP subject access requests

Security incidents

In the event that DWP become aware of a suspected or actual incident affecting the confidentiality, integrity and availability of the HMRC information in its possession or control, DWP will report the incident through DWP’s incident procedure and immediately notify the HMRC contacts named above within 24 hours.  For personal data, DWP also agrees to work to Information Commissioner’s Office requirements, reporting without undue delay (if it meets the threshold for reporting) and within 72 hours.

  Disputes

Any disputes relating to this information transfer should be reported to:

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Back to top