Transparency data

The detection of fraud in Scottish income assessed funding applications

Published 19 March 2026

Applies to Scotland

This Memorandum of Understanding (MoU) between HM Revenue and Customs (HMRC) and Student Awards Agency Scotland (SAAS) was agreed and put in place in 2024.

1. Introduction

This MoU sets out the information sharing arrangement between the aforementioned participants. For the context of this MoU ‘information’ is defined as a collective set of data and facts that when shared between the participants through this MoU will support the participants in delivering the purpose of the data sharing activity described in section 2 below.

Information will only be exchanged where it is lawful to do so. The relevant legal bases are detailed within this agreement. It should be noted that ‘exchange’ covers all transfers of information between the participants, including where 1 participant has direct access to information or systems in the other.

This MoU is not intended to be legally binding. It documents the respective roles, processes, procedures, and agreements reached between HMRC and the participants. This MoU should not be interpreted as removing, or reducing, existing legal obligations or responsibilities of each participant, for example as controllers under the UK General Data Protection Regulations (UK GDPR).

2. Purpose and benefits of the data sharing agreement

2.1 Purpose

HMRC considers that the disclosure of information to SAAS is necessary and proportionate because it will enable the identification, prevention and investigation of fraud in Scottish income assessed funding applications.

SAAS is an Executive Agency of the Scottish Government and therefore exercises the functions of the Scottish Ministers. It has responsibility for administering higher education student funding under The Student Support (Scotland) Regulations 2022.

SAAS assesses and provides financial support to students applying for an eligible higher education course, who meet residency and household income eligibility criteria. At the point of application, all students are required to provide information relating to themselves and any declared relevant sponsors including the full names, date of birth (DoB), address, postcode, and National Insurance Number (NINO). The annual relevant income received by the applicant and any declared sponsors is also captured:  

  • where a student applies for an independent bursary, they will also provide personal and income details for their partner

  • where a student applies for a young person’s bursary, they will also provide personal and income details of their sponsors (parent or guardian)

Student and sponsor data will be matched to HMRC data to:

  • confirm the associated address of the applicant and declared partner or parents or guardians (sponsors) in the data and confirm income
  • for certain applications (as detailed at Section 9), indicate by a Y or N flag whether there are additional occupants within the address at the time of application, and whether those persons have an income

HMRC data will allow SAAS to verify what a student has declared and their entitlement to funding and also confirm that students have been awarded the correct amount of funding for this session. 

A pilot was conducted in 2023 between SAAS and HMRC and this confirmed the effectiveness of this concept. However, because of unforeseeable delays the pilot consisted of reactive and retrospective checking, so a further pilot is required to share data monthly during the academic session.

This new pilot will be focused on fraud identification and prevention by sharing data monthly in real time, and where possible prior to funding payments being made by SAAS. Given current delays it is anticipated that this pilot will commence in September 2024, so some analysis will be undertaken following commencement of payment. When this occurs SAAS will recalculate awards to recoup funding or stop payment to prevent loss to fraud.

The financial benefits from the 2023 pilot data share are listed below:

  • fraud prevented – £532,788.00
  • total amount passed to SAAS Recoveries team – £284,089.00
  • total amount repaid – £80,690.00

2.2 Aims of data share

SAAS will use HMRC data to validate the information submitted by the applicant and identify potential instances of fraud.  

If suspected fraud is identified, SAAS will complete internal checks prior to contacting any student or sponsors for clarification. If there is no co-operation, SAAS may proceed to re-assess the student’s eligibility or conduct a fraud investigation; this will be on a case-by-case basis, dependent on available evidence.

2.3 How will data being shared help achieve those aims?

HMRC is a non-ministerial department established by The Commissioners for Revenue and Customs Act 2005 (CRCA 2005).

HMRC are the UK’s Tax, Payments and Customs Authority and through these functions HMRC collects the data that is necessary and relevant to support SAAS in detecting potential fraud in income assessed funding applications.

2.4 Benefits of the data share

The identified benefits following the pilot data share in 2023 have supported SAAS in:

  • early identification and prevention of fraud
  • minimising financial loss and reduced pressure on budgets
  • reduced fraud rate and improved protection of public funds
  • fairer process for students using early intervention to prevent future overpayments
  • efficiency: Reduced and less intrusive fraud investigations
  • transparency: Information relating to SAAS Counter Fraud Team, their responsibilities and who they share data with can be found on the SAAS website within the Fraud Protection section — students are also informed of this by letter — students knowing SAAS have access to HMRC data will hopefully encourage fraud deterrence

There are no direct benefits to HMRC other than to assist SAAS in their objectives.

3. Data Protection Impact Assessment (DPIA)

Data Protection Impact Assessments have been completed by both participants in this agreement, the details of which are found below.

Organisation | DPIA Ref | Date registered | Last review
HMRC | 13080 | 21 November 2023 | 22 August 2024
SAAS | DPIA-2022-01 | 21 October 2022 | 02 August 2024

4. Relationships under UK GDPR in relation to any personal data being exchanged under this agreement

4.1 Status of HMRC under UK GDPR

HMRC will be disclosing and receiving personal data under this agreement.

Where personal data is being disclosed under this agreement, HMRC’s status will be a controller because HMRC separately determines the purpose and means of the processing of the personal data.

Where personal data is being received under this agreement, HMRC’s status will be a controller because HMRC separately determines the purpose and means of the processing of the personal data after transfer.

4.2 Status of SAAS under UK GDPR

SAAS will be disclosing and receiving personal data under this agreement.

Where personal data is being received under this agreement, SAAS status will be a controller because they separately determine the purpose and means of the processing of the personal data after transfer.

Where personal data is being disclosed under this agreement, SAAS status will be a controller because they separately determine the purpose and means of the processing of the personal data.

5. Handling of Personal Data and Security

Where participants bear the responsibility of a Data Controller, they must ensure that any personal data received pursuant to this MoU is handled and processed in accordance with the current 7 UK GDPR principles.

Additionally as part of the Government, HMRC and SAAS must process personal data in compliance with the mandatory requirements set out in HM Government Functional Standard GovS 007: Security issued by the Cabinet Office when handling, transferring, storing, accessing or destroying Information assets.

Participants must ensure effective measures are in place to protect personal data in their care and manage potential or actual incidents of loss of the personal data. Such measures will include, but are not limited to:

  • personal data should not be transferred or stored on any type of portable device unless absolutely necessary, and if so, it must be encrypted, and password protected to an agreed standard

  • participants will take steps to ensure that all staff involved in the data sharing activities are adequately trained and are aware of their responsibilities under the Data Protection Act (DPA), UK GDPR and this MoU

  • access to personal data received by participants pursuant to this MoU must be restricted to personnel on a legitimate need-to-know basis, and with security clearance at the appropriate level and

  • participants will comply with the Government Security Classifications Policy (GSCP) where applicable

6. Duration, Frequency and Volume of the data sharing

Date MoU comes into effect: 01 September 2024

MoU formal review date: 31 August 2024

MoU cease date: 31 August 2024

Frequency and volume of the data being shared: The first batch of data is anticipated to be shared in September 2024. Data will then be shared on a monthly basis with the data share consisting of a maximum of 100,000 individuals in total. It is difficult to determine an exact number as applications fluctuate; however, in the last academic year 70,000 applications for income assessed funding were received by SAAS. The majority of the applications will be received by SAAS between March and September.

HMRC has specific legislation within the CRCA 2005 which covers the confidentiality of information held by the department, when it is lawful to disclose that information and legal sanctions for wrongful disclosure. For HMRC, disclosure of information is precluded except in certain limited circumstances, broadly for the purposes of its functions, where there is a legislative gateway or with customer consent. Unlawful disclosure relating to an identifiable person constitutes a criminal offence. The criminal sanction for unlawful disclosure is detailed at section 19 of the CRCA 2005.

Data can only be shared where there is a legal basis for the exchange and for the purposes described in this MoU as specified at Section 7 below. No data should be exchanged without a legal basis and all exchanges must comply with our legal obligations under both the DPA 2018 and Human Rights Act (HRA) 1998.

HMRC disclose this information to SAAS under Section 56 of the Digital Economy Act 2017.

Also relevant are The Digital Government (Scottish Bodies) Regulations 2022. These regulations relate to the disclosure of information in relation to fraud against the public sector, pursuant to section 56 of the DEA.

Part 5 of the Digital Economy Act 2017 provides for powers to share information to help reduce debt owed to the public sector and combat fraud against the public sector.

8. Lawful basis under UK GDPR to process personal data

Personal data can only be processed (transferred or disclosed) where there is a valid lawful basis as set out in Article 6 of UK GDPR – see ICO guidance

8.1 Lawful basis for HMRC to disclose data

The lawful processing of personal data will be undertaken in line with Article 6:1(e) of the UK GDPR (performance of a task in the public interest or exercise of official authority) and section 8(d) DPA 2018 (function of a government department).

8.2 Lawful basis for SAAS to disclose data

Under Article 6 of GDPR the processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority.

9. Data to be shared

All applications that fit the criteria for the academic session, which are received by SAAS from 01 March 2024 until 31 March 2025, will be analysed.

The initial data is anticipated to be shared with HMRC in September 2024 and will include all applications received by SAAS from 01 March 2024 to date.  Following on from this, data will be shared with HMRC on a monthly basis for the remainder of the academic session, up to 31 March 2025.  The pilot will end on 31 August 2025.

The previous pilot validated income data retrospectively and the new pilot will be in real time and where possible, prior to payment being made by SAAS.

The data to be sent from SAAS to HMRC will be extracted from SAAS processing system, StEPS, where all student data is held.

SAAS will be sharing personal details with HMRC for individuals who have applied for either an independent bursary or young student bursary.

Data sent from SAAS to HMRC for independent bursary applications:

Where an application is received for an independent bursary, SAAS will provide the following data for the students, and their partner (where provided):

  • student reference number
  • student full name
  • student DoB
  • student NINO (where available)
  • full address and post code
  • funding start date
  • partner full name
  • partner NINO
  • partner income declared

Data sent from SAAS to HMRC for young student bursary applications:

Where an application is received for a young student bursary, SAAS will provide the following data for the student, and their sponsor (parent or guardian):

  • student reference number
  • student full name
  • student DoB
  • student NINO (where available)
  • full address and post code
  • sponsor 1 full name
  • sponsor 1 NINO
  • sponsor 1 income declared
  • sponsor 2 full name
  • sponsor 2 NINO
  • sponsor 2 income declared

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Data sent from HMRC to SAAS for independent bursary applications:

HMRC will return the following data for the students, and their partner (where provided):

  • student reference number
  • student full name
  • student DoB
  • student NINO
  • full address and post code
  • partner full name
  • partner NINO

HMRC will also provide the following data for the students, and their partner (where available):

  • partner income declared
  • employment income (funding year 1)
  • occupational pension (funding year 1) - (Y or N)
  • relevant Self-Assessment (SA) income (funding year 1)
  • SA self employment income (funding year 1) - (Y or N)
  • SA property income (funding year 1) - (Y or N)
  • SA foreign income (funding year 1) - (Y or N)
  • employment income (funding year 2)
  • occupational pension (funding year 2) - (Y or N)
  • relevant SA income (funding year 2)
  • SA self employment income (funding year 2) - (Y or N)
  • SA property income (funding year 2) - (Y or N)
  • SA foreign income (funding year 2) - (Y or N)
  • additional occupants – (Y or N)
  • additional occupants with income – (Y or N)
  • House of multiple occupancy (HMO) – (Y or N)

Data sent from HMRC to SAAS for young student bursary applications:

Where an application is received for a young student bursary, HMRC will return the following data for the student, and their sponsor (parents, stepparents, legal guardians, parents’ partners, or civil partners):

  • student reference number
  • student full name
  • student DoB
  • student NINO
  • full address and post code
  • sponsor 1 full name
  • sponsor 1 NINO

HMRC will also provide the following data for the student, and their sponsor (parents, stepparents, legal guardians, parents’ partners, or civil partners):

  • sponsor 1 income declared
  • sponsor 1 employment income (funding year 1)
  • sponsor 1 occupational pension (funding year 1) - (Y or N)
  • sponsor 1 relevant SA income (funding year 1)
  • sponsor 1 SA self employment income (funding year 1) - (Y or N)
  • sponsor 1 SA property income (funding year 1) - (Y or N)
  • sponsor 1 SA foreign income (funding year 1) - (Y or N)
  • sponsor 1 employment income (funding year 2)
  • sponsor 1 occupational pension (funding year 2) - (Y or N)
  • sponsor 1 relevant SA income (funding year 2)
  • sponsor 1 SA self employment income (funding year 2) - (Y or N)
  • sponsor 1 SA property income (funding year 2) - (Y or N)
  • sponsor 1 SA foreign income (funding year 2) - (Y or N)

  • sponsor 2 full name
  • sponsor 2 NINO
  • sponsor 2 income declared
  • sponsor 2 employment income (Funding year -1)
  • sponsor 2 occupational pension (Funding year -1) - (Y or N)
  • sponsor 2 relevant SA income (Funding year -1)
  • sponsor 2 SA self employment income (Funding year -1) - (Y or N)
  • sponsor 2 SA property income (Funding year -1) - (Y or N)
  • sponsor 2 SA foreign income (Funding year -1) - (Y or N)
  • sponsor 2 employment income (Funding year -2)
  • sponsor 2 occupational pension (Funding year -2) - (Y or N)
  • sponsor 2 relevant SA income (Funding year -2)
  • sponsor 2 SA self employment income (Funding year -2) - (Y or N)
  • sponsor 2 SA property income (Funding year -2) - (Y or N)
  • sponsor 2 SA foreign income (Funding year -2) - (Y or N)

  • additional occupants — (Y or N)
  • additional occupants with income — (Y or N)
  • House of Multiple Occupancy (HMO) — (Y or N)

Points to note:

  • where HMRC cannot match the student, no data will be returned for that application

  • where HMRC has matched the student, they will then match the partners or sponsors — where HMRC cannot match the partner or sponsors, no data will be returned for that application (sponsor or applicant)

  • in instances where 2 sponsors are provided, they will both need to match for either of them to be returned

  • where the student and partner or sponsors have matched, HMRC will look to provide a Y or N indicator where there is additional occupant information for the following:

  • additional occupants — (Y or N) — flag to indicate whether other people between 25 and 65 years old are living at the property
  • additional occupants with income — (Y or N) — flag to indicate if additional occupants living at the property between the ages of 25 and 65 have an income
  • HMO — (Y or N) — flag to indicate whether there are 6 or more people with 3 or more surnames living at the property

There are parameters in place where the following data is excluded by HMRC:

  • excluding income at address for earners who are under the age of 25
  • excluding income at address for earners who are over the age of 65

10. How the data will be shared

The data will be shared both inbound to HMRC and outbound to SAAS by Secure Data Exchange Service (SDES).

11. Accuracy of the data being shared

Before sharing data all participants must take all reasonable steps to ensure that the data being shared is both accurate and up to date.

The exporting department will ensure that data integrity meets their own department’s standards, unless more rigorous or higher standards are set out and agreed at the requirements stage.

Participants will notify each other of any inaccuracies of the data as they are identified.

12. Retention and destruction of data

12.1 HMRC

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

12.2 Student Awards Agency Scotland

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

13. Onward disclosure to third parties

For the avoidance of doubt, HMRC has not provided consent to SAAS to enable any onward disclosure of HMRC information and sanctions outlined in s59(3) of the Digital Economy Act 2017 (which mirrors CRCA 2005, s19: Wrongful Disclosure).

14. Role of each participant to the MoU

14.1 Role of HMRC

  • identify the appropriate data required from HMRC IT systems and records

  • provide the data to SAAS in Microsoft Excel transferred by Secure Data Exchange Service from and to agreed contact points

  • only allow access to that data by the team requiring it

  • ensure that staff handle this data in line with the approved secure transfer method agreed by both departments and within HMRC data security instructions

  • only store the data for as long as there is a business need to do so

  • move, process and destroy data securely in line with the principles set out in HM Government Functional Standard GovS 007: Security issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information

  • comply with the requirements in the Government Functional Standard GovS 007: Security and, in particular, prepare for and respond to Security Incidents and report any data losses, wrongful disclosures or breaches of security relating to information

14.2 Role of SAAS

  • identify the appropriate data required from HMRC

  • only use the information for purposes that are in accordance with the legal basis under which it was received

  • only hold the data for as long as there is a business need to do so

  • ensure that only people who have a genuine business need to see the data will have access to it

  • on receipt, store data received securely and in accordance with the prevailing central government standards, for example in secure premises and on secure IT systems

  • move, process and destroy data securely in line with the principles set out in HM Government Functional Standard GovS 007: Security issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information

  • comply with the requirements in the Security policy framework - GOV.UK and in particular prepare for and respond to Security Incidents and to report any data losses, wrongful disclosures or breaches of security relating to information

  • if SAAS adheres to a different set of security standards they must inform HMRC what these standards are below and comply with any additional security requirements specified by HMRC

  • seek permission from HMRC before onward disclosing information to a third party

  • seek permission from HMRC if you are considering offshoring any of the personal data shared under this agreement

  • mark information assets with the appropriate government security classification and apply the baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, issued by the Cabinet Office

  • send the data in the above specified format via Secure Data Exchange Service agreed by both departments under the protective marking ‘Official-Sensitive’

15. Monitoring and Reviewing arrangements

This MoU relates to a monthly exchange that must be reviewed if any changes to the pilot are made,  to assess whether the MoU is still accurate and fit for purpose.

Reviews can be called by representatives of either participant. Any changes needed as a result of that review may be agreed in writing and appended to this document.

Technical changes necessary to improve the efficiency of the exchange that do not change the overarching purpose can be made without the requirement to formally review the MoU during its life cycle, but must be incorporated if the share is approved for business as usual in the future.

The DEA Secretariat must be made aware of any review and subsequently intended changes. These may require review board approval and ministerial approval. Business as usual would require both DEA Review Board and Ministerial Approval.

A record of all reviews will be created and retained by each participant.

16. Assurance Arrangements

HMRC has a duty of care to assure any data that is passed on to others.  Processes covered by this MoU will be subject to annual reviews, from the date of sign off. HMRC may also choose to introduce ad hoc reviews.

Assurance will be provided by the annual completion of a Certificate of Review and Assurance (CoRA). The assurance processes should include checking that any information sharing is achieving its objectives (in line with this MoU) and that the security arrangements are appropriate given the risks.

SAAS agrees to provide HMRC with a signed CoRA within the time limits specified upon request.

HMRC reserves the right to review the agreed risk management, controls, and governance in respect of this specific agreement.

17. Security Breaches, Security Incidents or loss or unauthorised disclosure of data

The designated points of contact are responsible for notifying all participants in writing in the event of loss or unauthorised disclosures of information within 24 hours of the event. The DEA Secretariat must be informed.

The designated points of contact will discuss and agree the next steps relating to the incident, taking specialist advice where appropriate. Such arrangements will include (but will not be limited to) containment of the incident and mitigation of any ongoing risk, recovery of the information, and notifying the Information Commissioner and the data subjects. The arrangements may vary in each case, depending on the sensitivity of the information and the nature of the loss or unauthorised disclosure.

18. Subject Access Requests

In the event that a Subject Access Request (SAR) is received by any participant they will issue a formal response on the information that they hold following their internal procedures for responding to the request within the statutory timescales. There is no statutory requirement to re-direct SARs or provide details of the other participant in the response. However, each participant will notify the other if a SAR is received in respect of any personal data shared under this agreement.

HMRC Contact

SAAS Contact

Full details of data subject’s rights in relation to processing of personal information can be found in each participant’s Privacy Notice – links below. Also, see ICO Guidance:

HMRC Privacy Notice

SAAS Student Privacy Notice

SAAS Benefactor Privacy Notice

ICO Data Sharing Code of Practice – The rights of individuals

19. Freedom of Information Act (FOI) 2000

All participants are subject to the requirements of the Freedom of Information (FoI) Act 2000 and shall assist and co-operate with each other to enable each organisation to comply with their information disclosure obligations.

In the event of 1 participant receiving an FoI request that involves disclosing information that has been provided by any other participant the organisation in question will notify the other to allow it the opportunity to make representations on the potential impact of disclosure.

HMRC FOI Contact

SAAS FOI Contact

20. Issues, disputes, and resolution

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

21. Costs

Any time incurred by HMRC for the delivery of this data and information will be recovered and paid for by SAAS.  The costs will be recharged following the first data transfer and then monthly after each data transfer.

22. Termination

This MoU may be terminated by giving 3 months’ notice by any participant.

All participants to this MoU reserve the right to terminate this MoU with 3 months’ notice in the following circumstances:

  • by reason of cost, resources, or other factors beyond the control of the HMRC or SAAS

  • if any material change occurs which, in the opinion of HMRC and SAAS following negotiation significantly impairs the value of the data sharing arrangement in meeting their respective objectives

In the event of a significant security breach or other serious breach of the terms of this MoU by any participant the MoU will be terminated or suspended immediately without notice.

In the event of a failure to cooperate in a review of this MoU or provide assurance the agreement may be terminated or suspended without notice. The DEA Secretariat must be informed.

23. Signatories

This content has been withheld because of exemptions in the Freedom of Information Act 2000.