Early Learning Childcare 2023
Published 29 November 2024
1. Participants to the memorandum of understanding (MoU)
HM Revenue and Customs are referred to as participant 1 and Scottish Ministers are referred to as participant 2. Collectively they are referred to as the participants.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
2. Introduction
This memorandum of understanding sets out the information sharing arrangement between the aforementioned participants. For the context of the MoU, ‘information’ is defined as a collective set of data and or facts that, when shared between the participants through this MoU, will support the participants in delivering the purpose of the data sharing activity described in the sections below.
Information will only be exchanged where it is lawful to do so. The relevant legal bases are detailed within this agreement. It should be noted that ‘exchange’ covers all transfers of information between the participants, including where one participant has direct access to information or systems in the other.
This MoU is not intended to be legally binding. It documents the respective roles, processes, procedures, and agreements reached between HMRC and the participants. This MoU should not be interpreted as removing, or reducing, existing legal obligations or responsibilities of each participant, for example, as ‘controllers’ under the UK General Data Protection Regulations (GDPR).
3. Purpose and benefits of the data sharing agreement
3.1 Describe the purpose of the MoU and HMRC’s view of why it is necessary and proportionate
HMRC considers that the disclosure of information to Scottish Ministers is necessary and proportionate for the Scottish Ministers to provide Scottish local authorities with information to invite known Scottish residents to access funded Early Learning and Childcare (ELC) for eligible 2 year olds in their geographical area and to check eligibility for the same.
The Scottish Government and executive agencies (including Social Security Scotland) are part of the legal entity of the Scottish Ministers.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
References to the Scottish Government, Scottish Ministers or Social Security Scotland will, as appropriate, be read as also including reference to each of the other entities.
3.2 What are the specific aims of the data sharing agreement?
The purpose of the data sharing agreement is:
- the targeting of information on local ELC provision to eligible households
- the improvement of the well-being of the eligible child and their family
- supporting the delivery of ELC Scottish Ministers and Scottish local authority functions
It is also viewed by HMRC as necessary for cross-Government working.
Early Learning and Childcare (ELC) is defined in the Children and Young People (Scotland) Act 2014 (the 2014 Act). The duty to provide access to ELC is on Scottish local authorities, to act on behalf of Scottish Government. The duty extends to all eligible children within a local authority area. Eligibility is defined in the 2014 Act and associated secondary legislation (The Provision of Early Learning and Childcare (Specified Children) (Scotland) Order 2014, as amended or the 2014 Order). The management of this provision is governed by the data sharing agreement between Scottish Government and the 32 Scottish local authorities.
The eligibility criteria for access to ELC at age 2 includes those children whose parents get certain benefits or tax credits.
Each local authority will only be provided access to data pertaining to their geographic area and on the basis that the data would not be used for any other purpose than ELC or shared.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
3.3 How will the data being shared help achieve those aims?
The data is necessary to invite a claim from households with eligible children only, by establishing that a Scottish resident is in receipt of a qualifying benefit (Child Tax Credit).
3.4 Describe the benefits that the participants hope to bring to individuals or society or the wider impact, such as reduction in fraud and debt, supports UK economy, benefits HMRC customers
The anticipated benefit is increased access to ELC eligible 2-year-olds, leading to:
- long term improvement in children’s outcomes
- increased opportunities for parents to work, study or train
- improved family wellbeing
4. Type of data being shared under this agreement
4.1 Does this MoU agreement involve the exchange of personal data?
Yes
5. Data Protection Impact Assessment
5.1 HMRC - have you completed a Data Protection Impact Assessment (DPIA)?
DPIA reference number: 9894
Date DPIA was registered: 9 November 2022
Date DPIA was last reviewed: 9 November 2022
5.2 Participant 2 - have you completed a DPIA?
DPIA reference number: 05439P
Date DPIA was registered: 24 November 2022
Date DPIA was last reviewed: 24 November 2022
6. Relationships under UK GDPR in respect of any personal data being exchanged under this agreement
6.1 Status of HMRC under UK GDPR
HMRC will be disclosing personal data under this agreement.
Where personal data is being disclosed under this agreement, HMRC’s status will be a controller because HMRC separately determines the purpose and means of the processing of the personal data.
6.2 Status of Participant 2 under UK GDPR
Participant 2 will be receiving personal data under this agreement. They would be the controller whilst retaining the data.
Where personal data is being disclosed under this agreement, Participant 2 status will be a controller because they separately determine the purpose and means of the processing of the personal data.
7. Handling of personal data and security
Where participants bear the responsibility of a data controller, they must ensure that any personal data received pursuant to this MoU is handled and processed in accordance with the current seven UK GDPR principles.
Additionally, as part of the government, HMRC and Cabinet Office must process personal data in compliance with the mandatory requirements set out in HM Government Security Policy Framework guidance issued by the Cabinet Office when handling, transferring, storing, accessing or destroying information assets.
Participants must ensure effective measures are in place to protect personal data in their care and manage potential or actual incidents of loss of personal data. Such measures will include, but are not limited to:
- personal data should not be transferred or stored on any type of portable device unless absolutely necessary, and if so, it must be encrypted, and password protected to an agreed standard
- participants will take steps to ensure that all staff involved in the data sharing activities are adequately trained and are aware of their responsibilities under the Data Protection Act (DPA), UK GDPR and this MoU
- access to personal data received by participants pursuant to this MoU must be restricted to personnel on a legitimate need-to-know basis, and with security clearance at the appropriate level
- participants will comply with the Government Security Classifications Policy, where applicable
8. Duration, frequency and volume of the data sharing
Date MoU comes into effect: 2 January 2023
Date by which MoU needs to be formally reviewed: 1 March 2024
Date MoU will cease to be valid: 16 December 2027
8.1 Frequency and volume of data being shared
The extract will be performed weekly on a Saturday.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
The file will be polled for within the corporate tier between 3pm and 5pm each Monday and will then be transferred to the Scottish Government (following the standard HMRC corporate to external transfer pattern as detailed in the solution design document).
There is an approval only DER (Data Exchange Request) in place.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
This aligns with the MoU for Scottish Child Payment (SCP). The data is already shared with Scottish Government for the purposes of SCP; the relevant data for ELC for each Scottish local authority would be extracted from the data already shared.
Volumes:
HMRC is currently phasing out benefits in the form of tax credits, therefore the number of tax credit claims will be reduced to nil over a period of time.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
9. Legal considerations and basis to share data between the participants
HMRC has specific legislation within the Commissioners for Revenue and Customs Act 2005 which covers the confidentiality of information held by the department, when it is lawful to disclose that information and legal sanctions for wrongful disclosure. For HMRC, disclosure of information is precluded except in certain limited circumstances (broadly, for the purposes of its functions, where there is a legislative gateway or with customer consent). Unlawful disclosure relating to an identifiable person constitutes a criminal offence. The criminal sanction for unlawful disclosure is detailed at section 19 of the Commissioners for Revenue and Customs Act 2005.
Data can only be shared where there is a legal basis for the exchange and for the purposes described in this MoU as specified in the sections below. No data should be exchanged without a legal basis and all exchanges must comply with our legal obligations under both the DPA 2018 and Human Rights Act (HRA) 1998.
9.1 Relevant legal basis/bases for HMRC to disclose data
HMRC disclose information under this MoU to Scottish Ministers by virtue of section 35(1) of the Digital Economy Act (DEA) 2017. This provides that a specified person may disclose information to another specified person for the purposes of an objective which is an objective in relation to each of those persons. Scottish Ministers, Scottish local authorities (SLAs) and HMRC are specified persons for the purposes of s.35(1) DEA 2017.
For the purposes of disclosures under this MoU the specified objective is the Scottish Early Learning and Childcare objective as set out in the Digital Government (Disclosure of Information) (amendment) Regulations 2022.
Under this MoU, information disclosed by HMRC to the Scottish Ministers for the purposes of the Scottish Early Learning and Childcare objective must not be further disclosed without the prior consent of HMRC pursuant to section 42(1) of the DEA 2017.
Scottish local authorities, however, are also specified persons for the purposes of section 35 of the DEA 2017 and Scottish local authorities operate Scottish Early Learning and Childcare within their jurisdictions. For the purposes of this MoU therefore, HMRC give their general consent for Scottish Ministers to disclose information obtained by them under this MoU to Scottish local authorities for the purposes of the Scottish Early Learning and Childcare objective only.
Scottish Ministers and Scottish local authorities will only use the information received under this MoU for the purposes for which it has been disclosed. Scottish Ministers will ensure that only those Scottish local authorities with genuine business needs to view the information will have access to it.
For the avoidance of doubt, no other onward disclosure of information received by Scottish Ministers under this MoU is authorised by this MoU. Under section 42(1) DEA 2017, Scottish Ministers must therefore obtain prior consent for any onward disclosure by them of information received under this MoU other than for disclosures made to a Scottish local authority under the clause referenced above.
Any Scottish local authority which receives information from Scottish Ministers by virtue of this MoU is prohibited from further disclosing that information under section 42(1) DEA 2017 without HMRC’s permission.
All persons who receive information from HMRC by virtue of this MoU are reminded of section 42(3) DEA 2017 and that any person who discloses personal information received under this MoU without HMRC consent may be guilty of an offence.
10. Lawful basis under UK GDPR to process personal data
Personal data can only be processed (transferred, disclosed) where there is a valid lawful basis/bases as set out in article 6 of UK GDPR.
10.1 Enter the relevant legal basis for HMRC to process (share) personal data
Public Task
Article 6(1)(e) of the GDPR states that: ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.
10.2 Enter the relevant lawful basis for Participant 2 to process (share) personal data
Scottish Ministers will grant access for Scottish local authorities to the data of tax credits claimants, after it has been compared and contrasted with universal credits data received from DWP. This disclosure is by virtue of legal basis as described in Digital Economy Act 2017. A full list of the 32 Scottish local authorities and the geographical volumes of ELC eligible claimants for each SLA is included at Annex G.
11. Data to be shared and systems it will be derived from
11.1 Describe the types of data or data fields being shared and their source systems
The type of data to be shared is data of tax credits claimants residing in Scotland. This data is already shared with Scottish Ministers via the existing Scottish Child Payment data feed, under MoU reference P-742.
This is a weekly file transfer.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
This is done through a clerical process dealt with by a team within HMRC. This data is shared for the purposes of providing social security benefits only. The revised legislation (Digital Economy Act 2017) allows the shared data to be used for broader purposes such as childcare.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
11.2 What is the Government security classification for the data to be shared?
Official
11.3 Is there any special category data, sensitive data or criminal offence data being shared?
This data does not include Special Customer Records (SCR). The exception process for SCRs alongside any other anomalous records can be checked manually by contacting the dedicated team in HMRC. This exception process is documented in Annex D.
12. How will the data be shared
12.1 Describe the method by which data will be transferred under this agreement
Scottish Ministers have access to HMRC data for this purpose via 2 different methods:
- a weekly file data transfer from HMRC provides child responsibility data
- the clerical process is where the child responsibility cannot be easily identified
A weekly scan will be taken to provide delta change details of all known Scottish residents who meet the qualifying criteria, including claims which have certain changes or have ceased. The file will be transferred following the standard HMRC corporate to external transfer (file transfer) pattern.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
Scottish Government have confirmed that they have a dedicated file server for Other Government Departments (OGD).
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
The data will be encrypted at rest prior to transfer.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
HMRC already provides data to Scottish Ministers in a weekly data scan as detailed previously.
The following personal data are required by SG for processing ELC:
- client name and address
- client National Insurance number
- the existence of a child of the relevant age (18 to 36 months)
- the receipt of a qualifying benefit administered by HMRC, working tax credit and child tax credit; child tax credit only
- whether any earnings (as defined for purposes of tax credits) are at or below the defined threshold currently £7,920 a year or less for those in receipt of working tax credit and child tax credit; £17,005 or less for those on child tax credits only - these are currently amended annually
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
Scottish Ministers and HMRC have agreed a process for border postcodes where some of the addresses will be in Scotland and some in England. HMRC will follow the One Scotland Mapping Agreement (OSMA) to determine where the address resides. This will be static and will not be refreshed. OSMA is used to determine who is a known Scottish resident for Scottish rate taxpayer purposes, so a standard approach is being followed.
Manual process
Escalation will be between nominated persons: Single Point of Contact (SPOCs) at team management level, between Social Security Scotland and HMRC operational teams in appropriate cases including, but not limited to:
- where service delivery standards have not been met
- where there are exceptional cases where the normal service delivery standards would have an unacceptable impact on the customer
- to resolve any issues where National Insurance numbers are not found in the file
12.2 Will direct (or browser) access to HMRC systems be granted?
Not applicable as no direct access is given to HMRC systems.
13. Accuracy of the data being shared
Before sharing data, both participants must take all reasonable steps to ensure that the data being shared is both accurate and up to date.
The exporting department will ensure that data integrity meets their own department’s standards, unless more rigorous or higher standards are set out and agreed at the requirements stage.
Participants will notify each other of any inaccuracies of the data as they are identified.
14. Retention and destruction of data
State how long the data will be retained for by each participant and what their arrangements are for secure storage, and disposal or destruction of data
Scottish Government agree to:
- only use the information for purposes that are in accordance with the legal basis under which they received it
- only hold the data while there is a business need to keep it
- ensure that only people who have a genuine business need to see the data will have access to it
- store data received securely and in accordance with the prevailing central government standards, for example in secure premises and on secure IT systems
- move, process and destroy data securely and in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
- comply with the requirements in the Security Policy Framework, and in particular prepare for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
- in the event of a security incident during or after transfer of information to Scottish Ministers, Scottish Ministers undertake to notify any data losses, wrongful disclosures or breaches of security relating to information originating in HMRC to the designated contacts immediately (within 24 hours of becoming aware)
- mark information assets with the appropriate security classification and apply the baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, issued by the Cabinet Office, and as a minimum the top-level controls framework
Both parties agree to both advise and consult with the other organisation on the appropriate steps to take, where appropriate. The relevant Controller will meet their statutory obligation, for example notifying the Information Commissioner’s Office or dissemination of any information to the data subjects.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
Data retention
Scottish local authorities would only access tax credits data for the purposes of compiling a mailshot. The mailing list would be destroyed immediately after use.
Scottish Government would retain the tax credit data for 18 months and the data would be deleted and destroyed after the 18 months period.
Scottish Government will retain personal data on adults, where that adult has made a claim for ELC, for the standard retention period of 7 years following benefit end, in line with the Public Sector Finance Manual.
Data for adults who have not made a claim for ELC will be deleted when the youngest child reaches 19 years of age, or sooner if the limit for the standard retention period is reached.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
14.1 State what access controls each participant will have in place to ensure access to the data will only be provided to authorised personnel with the appropriate security clearance
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
15. Onward disclosure to third parties
Participant 2 agrees to seek permission from HMRC before any onward disclosure of information to a third party and will only disclose any information if permission is granted.
15.1 Where permission for onward disclosure is granted by HMRC, describe how the onward transfer of information from participant 2 to the third party will be handled, if allowed, under the legal basis
There will be no onward transfer of HMRC data outside which the personal data has been obtained for the purpose of administering Scottish Government obligations under the Digital Economy Act 2017, the Social Security (Scotland) Act 2018, or without the prior authorisation of HMRC.
Scottish local authorities would only be allowed to access data received from tax credit records for their own geographic location.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
Scottish local authorities would only access the data for the purposes of compiling a mailshot. The mailing list would be destroyed immediately after use.
16. Role of each participant to the MoU
16.1 Role of HMRC
The following is the minimum expected of HMRC:
- identify the appropriate data required from HMRC IT systems and records
- provide the data to participant 2 in Excel format, transferred by secure NFI platform from and to agreed contact points
- only allow access to that data by the team requiring it
- ensure that staff handle this data in line with the approved secure transfer method agreed by both departments and within HMRC data security instructions
- only store the data for as long as there is a business need to do so
- move, process and destroy data securely, in line with the principles set out in the government Security Policy Framework issued by the Cabinet Office when handling, transferring, storing, accessing or destroying information
- comply with the requirements in the framework, and in particular prepare for and respond to security incidents and report any data losses, wrongful disclosures or breaches of security relating to information
16.2 Role of Participant 2
The following is expected of Participant 2:
- identify the appropriate data required from HMRC
- only use the information for purposes that are in accordance with the legal basis under which it was received
- only hold the data for as long as there is a business need to do so
- ensure that only people who have a genuine business need to see the data will have access to it
- on receipt, store data received securely and in accordance with the prevailing central government standards, for example in secure premises and on secure IT systems
- move, process and destroy data securely, in line with the principles set out in government Security Policy Framework, issued by the Cabinet Office when handling, transferring, storing, accessing or destroying information
- if participant 2 adheres to a different set of security standards, they must inform HMRC what these standards are at section 16.3 below and comply with any additional security requirements specified by HMRC
- seek permission from HMRC before onward disclosing information to a third party
- seek permission from HMRC if you are considering offshoring any of the personal data shared under this agreement
- mark information assets with the appropriate government security classification and apply the baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, issued by the Cabinet Office, and as a minimum the top level controls framework provided in the Annexe of Security Controls Framework to the GSC
- once the data is shared with Scottish Ministers, it would be held on the Scottish Ministers Data Platforms team in a secured location where only Scottish Government analysts would have access
- the data would be accessed by the Scottish Local Authorities via a secure system and each local authority would only have access to data files for their own geographical location
16.3 If participant 2 adheres to different security standards, please state what these are here
Not applicable.
17. Monitoring and reviewing arrangements
This MoU relates to a regular exchange that must be reviewed annually to assess whether the MoU is still accurate and fit for purpose.
Reviews outside of the proposed review period can be called by representatives of either participant. Any changes needed as a result of that review may be agreed in writing and appended in this document at the formal review date.
Technical changes necessary to improve the efficiency of the exchange that do not change the overarching purpose can be made without the requirement to review the MoU formally during its life cycle, but must be incorporated at the formal review stage.
A record of all reviews will be created and retained by each participant.
Appendix 2 outlines the contacts for amendments to the MoU. Appendix 1 sets out the document control and the version history of the MoU.
18. Assurance arrangements
HMRC has a duty of care to assure any data that is passed on to others. Processes covered by this MoU will be subject to annual reviews from the date of sign off. HMRC may also choose to introduce ad hoc reviews.
Assurance will be provided by the annual completion of a certificate of review and assurance. The assurance processes should include checking that any information sharing is achieving its objectives, in line with this MoU, and that the security arrangements are appropriate given the risks.
Participant 2 agrees to provide HMRC with a signed certificate of review and assurance within the time limits specified upon request.
HMRC reserves the right to review the agreed risk management, controls, and governance in respect of this specific agreement.
19. Security breaches, security incidents or loss or unauthorised disclosure of data
The designated points of contact (provided at Appendix 2 of this MoU) are responsible for notifying the other participant in writing in the event of loss or unauthorised disclosures of information within 24 hours of the event.
The designated points of contact will discuss and agree the next steps relating to the incident, taking specialist advice where appropriate. Such arrangements will include (but will not be limited to) containment of the incident and mitigation of any ongoing risk, recovery of the information, and notifying the Information Commissioner’s Office (ICO) and the data subjects. The arrangements may vary in each case, depending on the sensitivity of the information and the nature of the loss or unauthorised disclosure.
20. Subject access request
In the event that a subject access request (SAR) is received by either participant, they will issue a formal response on the information that they hold following their internal procedures for responding to the request within the statutory timescales. There is no statutory requirement to redirect SARs or provide details of the other participant in the response. However, each participant will notify the other if a SAR is received in respect of any personal data shared under this agreement. Contact details are at Appendix 2.
Full details of data subject’s rights in relation to processing of personal information can be found in each participant’s privacy notice as well as ICO guidance, using the following links:
21. Freedom of Information Act 2000
Both participants are subject to the requirements of the Freedom of Information (FOI) Act 2000 and shall assist and co-operate with each other to enable each organisation to comply with their information disclosure obligations.
In the event of one participant receiving an FOI request that involves disclosing information that has been provided by the other participant, the organisation in question will notify the other to allow it the opportunity to make representations on the potential impact of disclosure.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
22. Issues, disputes and resolution
Any issues or disputes that arise as a result of the exchange covered by this MoU must be directed to the relevant contact points listed in Appendix 2. Each participant will be responsible for escalating the issue as necessary within their given management structure.
Where a problem arises, it should be reported as soon as possible. Should the problem be of an urgent nature, it must be reported by phone immediately to the designated business as usual contact, listed in Appendix 2, and followed up in writing the same day. If the problem is not of an urgent nature it can be reported in writing within 24 hours of the problem occurring.
23. Costs
23.1 Will there be a charge for this service?
Yes.
The cost for the support and maintenance of this technical batch solution will be £501 per month plus standard rate VAT. VAT will be treated under Section 41 of the VAT Act 1994. However, this charge is currently raised via the initial provision of data for Scottish Child Payment under MoU reference P-742.
This arrangement will be reviewed twelve months after this agreement is signed.
HMRC will invoice Scottish Ministers on a quarterly basis. HMRC will assure the costs for the services and provide additional information required to the SG representative, including any specific issues which require clarification. Scottish Ministers will make payment to HMRC within 30 days of the invoice date or within 30 days of receipt of the invoice if there is a delay of more than 5 days between the invoice date and date of receipt.
If costs are disputed, e.g. because services have not been provided, a dispute resolution will take place.
24. Termination
This MoU may be terminated by giving 3 months notice by either participant.
Both participants to this MoU reserve the right to terminate this MoU within 3 months notice in the following circumstances:
- by reason of cost, resources or other factors beyond the control of HMRC or participant 2
- if any material change occurs which, in the opinion of HMRC and participant 2, following negotiation significantly impairs the value of the data sharing arrangement in meeting their respective objectives
In the event of a significant security breach or other serious breach of the terms of this MoU by either participant, the MoU will be terminated or suspended immediately without notice.
In the event of a failure to cooperate in a review of this MoU or provide assurance, the agreement may be terminated or suspended without notice.
25. Signatories
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
26. Appendices and annexes
26.1 Appendix 1 - document control
Document control personnel
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
Version history
Version | Date | Summary of changes | Changes marked |
---|---|---|---|
0.1 | | Initial draft | Yes or No |
1.0 | | Final version | No |
26.2 Appendix 2 - business contacts
Business as usual contacts - HMRC
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
Business as usual contacts – Scottish ministers
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
27. Annexes
27.1 Annex A – glossary of terms and abbreviations
Definition | Interpretation |
---|---|
Ad hoc transfer | is defined as being bulk data with a protective marking of restricted or above and the transfer is part of a pilot or project with a definitive end date |
Data controller | has the meaning set out in Article 4 UK GDPR or, in respect of processing of personal data for a law enforcement purpose to which Part 3 of the Data Protection Act 2018 applies, the meaning in that Part if different |
Data processor | has the meaning set out in Article 4 UK GDPR or, in respect of processing of personal data for a law enforcement purpose to which Part 3 of the Data Protection Act 2018 applies, the meaning in that Part if different |
Data protection legislation | means the General Data Protection Regulation, the UK GDPR, the Data Protection Act 2018 and all applicable laws and regulations relating to processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner |
Direct access | covers an information sharing instance where the receiving department accesses the Information via direct, or browser, access to the source system rather than as an extracted information transfer. This agreement will require specific terms and conditions ensuring that access is appropriate and correctly applied, managed and recorded |
FoIA | means the Freedom of Information Act 2000 and any subordinate legislation made under this Act together with any guidance and/or codes of practice issued by the Information Commissioner or Ministry of Justice in relation to such legislation |
Granting access | the governance and authority surrounding the authorisation of a person to have access to a system |
Human Rights Act 1998 | an Act to give further effect to rights and freedoms guaranteed under the European Convention on Human Rights. Public authorities like HMRC must follow the Act |
Information Asset Owner (IAO) | means the individual within a directorate, normally the director, responsible for ensuring that information is handled and managed appropriately |
Law | means any applicable law, statute, bye-law, regulation, order, regulatory policy, guidance or industry code, rule of court or directives or requirements of any regulatory body, delegated or subordinate legislation or notice of any regulatory body |
Provisioning Access | the technical channels through which access is made possible, including the request tools associated with this |
Public sector body | this will generally be another government department (OGD) but could be another public sector body (e.g. Local Authority). Information sharing with a private sector body with which HMRC has a commercial relationship needs to be covered by a commercial contract, not a memorandum of understanding |
Regulatory bodies | means those government departments and regulatory statutory and other entities, committees and bodies which, whether under statute, rules, regulations, codes of practice or otherwise, are entitled to regulate, investigate, or influence matters dealt with in this agreement and “regulatory body” shall be construed accordingly |
Senior information risk owner (SIRO) | provides high level assurance of compliance with HMRC’s Information Asset data protection obligations. HMRC’s SIRO is Daljit Rehal, HMRC Chief Digital & Information Officer, Director of Chief Digital & Information Officer Group |
27.2 Annex B – list of data items Social Security Scotland is sharing with HMRC
Data fields Scottish Ministers is sharing with HMRC:
Data item | Justification – why is it necessary? |
---|---|
Client name | To ensure HMRC is accessing the correct customer data |
Client date of birth | To ensure HMRC is accessing the correct customer data |
Client national insurance number | To ensure HMRC is accessing the correct customer data |
Client name | To ensure HMRC is accessing the correct customer data |
Client date of birth | To ensure HMRC is accessing the correct customer data |
Date of claim | To ensure HMRC is accessing the correct customer data |
27.3 Annex C – List of data items HMRC is sharing with Social Security Scotland
Question | Yes | No |
---|---|---|
Is client in receipt of WTC? | Yes | No |
Is client in receipt of CTC? | Yes | No |
Does the client have child responsibility? | Yes | No |
Start date of child responsibility award | | |
End date of child responsibility award (if applicable) | | |
Reason why child responsibility ended | | |
Is the client in receipt of CHB? | Yes | No |
Child Tax Credit award changes to over/under £16105 | | |
Child Tax Credit or working tax credit award changes to over/under £6420 | | |
27.4 Annex D – clerical operational procedure
Social Security Scotland and HMRC will comply with the following agreed operational procedures:
Where Social Security Scotland clerical responsibility team identify Tax Credit as the qualifying benefit and/or child responsibility is not clear, they will email a password protected data file from the generic Social Security Scotland mailbox clericalchildresponsibilityrequests@socialsecurity.gov.scot to the following dedicated HMRC inbox: northeast.customerprocessingbusinessimprovement@hmrc.gov.uk
The data file will contain the Social Security Scotland client data fields listed at Annex B and the Social Security Scotland clerical responsibility team telephone contact details. A subsequent email will be sent from the Social Security Scotland clerical responsibility team containing the password for the file.
HMRC will check the Tax Credit System (NTC) and provide the data listed at Annex C to Social Security Scotland clerical responsibility team by telephoning the authorised Social Security Scotland clerical responsibility team member listed on the data file.
If there is no record shown on NTC System, HMRC will check their child benefit system and confirm if the child being claimed for is the first or subsequent child.
The Social Security Scotland to HMRC service will be available (subject to availability) from 8:00 – 16:00 Monday to Friday excluding bank holidays and privilege days.
Social Security Scotland will create and maintain the list of the Social Security Scotland clerical responsibility team and update HMRC accordingly via HMRC SPOCs. The list will detail the Social Security Scotland clerical responsibility team advisors who have relevant permissions to contact HMRC. The list will be reviewed monthly for new joiners, leavers, change of job roles and updated and shared with HMRC on the first day of every calendar month.
Each partner is acting as a data controller for the information it shares with the other, contained in Annexes B and C.
Each partner agrees that no costs are associated with the delivery of the services at this time. Variations to financial arrangements will be agreed by each party on review as per para 12.
All Social Security Scotland inbound and outbound calls are recorded.
27.5 Annex E – Scottish Ministers exception process contacts
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
27.6 Annex F – HMRC exception process contact
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
27.7 Annex G - 32 Scottish local authorities and geographical volume for each local authority
This content has been withheld because of exemptions in the Freedom of Information Act 2000.