Transparency data

Potential Apprenticeship Levy funding fraud

Published 19 October 2023

This Data Usage Agreement for potential apprenticeship levy funding fraud was agreed and put in place in 2020.

1. Conditions of disclosure of information by HMRC

The Education and Skills Funding Agency (ESFA) is an executive agency of the government of the United Kingdom accountable for funding education and skills for children, young people and adults. ESFA is sponsored by the Department for Education.

ESFA will provide a sample of circa 10,000 apprenticeship records to HMRC as a one-off exercise. HMRC will disclose information on apprenticeship identity and employment status to ESFA for investigation by virtue of section 56 of the Digital Economy Act 2017 - for the purposes of combatting fraud against the public sector - and to the Cabinet Office (anonymised) for analytical purposes by virtue of section 74 of the Digital Economy Act 2017.

Legal gateway approved by HMRC 10 December 2019.

1.1 Definitions

Agreed purposes: as set out in clause 2 of this agreement.

Controller, data controller, processor, data processor, data subject, personal data, processing and appropriate technical and organisational measures: as set out in the data protection legislation.

Data protection legislation: all legislation and regulatory requirements in force from time to time relating to the use of personal data and the privacy of electronic communications, including, without limitation, the Data Protection Act 2018 and the General Data Protection Regulation ((European Union) 2016/679).

Permitted recipients: the parties to this agreement, the employees of each party required to perform the agreed purposes, any third parties engaged to perform obligations in connection with this agreement as agreed by the parties.

Shared personal data: the personal data to be shared between the parties set out in clause 3 of this agreement.

1.2 Purpose

ESFA fund learning providers to deliver training to apprentices. Learning providers are paid per apprentice registered. Funding is paid in monthly instalments. Funding is calculated and data held in an Individual Learner Record (ILR) submitted to the ESFA by the learning provider.

A learning provider can fraudulently misrepresent the number of apprentices it is providing training to by providing fictitious or cloned identity details. When a learning provider initially creates an ILR record with ESFA, they undertake all identity checks on behalf of ESFA. No further independent checks are undertaken to verify the identity details provided by the learning provider.

Payments continue if the learning provider periodically submits updates of the ILR to the ESFA. If a learner discontinues their training course, it is the responsibility of the learning provider to notify ESFA to cease funding. At this point there may also be opportunity for a learning provider to fraudulently fail to disclose course termination and claim further funding by continuing to submit updates to the learners record which would release funds.

HMRC are the only organisation with the data available to undertake verification of both National Insurance number and employment status. HMRC data could be used to confirm the identity of the apprentice and the validity of the National Insurance number. HMRC employment data could be used to confirm employment status and indicate whether the apprentice has received a wage from the declared employer in the time declared. Using HMRC data as an indicator of potentially fraudulent behaviour, ESFA will contact learning providers as part of a compliance exercise and progress any non-compliant providers for investigation and recover. This pilot will begin to enable ESFA to say with certainty what the extent of fraudulent behaviour is.

Specifically, ESFA would like to explore if HMRC data matching could provide evidence of the existence of fraud, and where it does exist provide confirmation of:

• whether apprentice can be matched to HMRC data (a proxy indicator of identity)
• whether the apprentice was in receipt of a wage from the declared employer during the period of provided learning
• whether the apprentice commenced new employment during the period of provided learning (an indication of course withdrawal or change of circumstance)

This supports the policy objective of ESFA to ‘provide assurance that funding is used for its agreed purposes, and act swiftly and effectively in cases of suspected fraud and irregularity’, thereby supporting the overarching objective to ‘act on behalf of the Secretary of State to assure the proper use of public funds’ (ESFA Business Plan 2019 to 2020).

1.3 Data specification

Annex A contains the data specification for the ESFA apprenticeship scheme.

Annex B contains the HMRC data specification and matching methodology.

1.4 Data security

• move, process and destroy data securely i.e. in line with the principles set out in HM government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
• only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information will have access to it
• only keep it for the time it is needed, and then destroy it securely
• not onwardly disclose that information without the prior authorisation of HMRC other than provided for in section 57 of the Digital Economy Act
• comply with the requirements in the Security Policy Framework, and be prepared for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
• mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, and in particular as set out in the Annex – Security Controls Framework to the Government Security Classifications
• comply with ICO standards relating to data security breaches and follow due procedure when reporting and investigating breaches of this nature

1.5 Data flow

An overview of the data flow is provided as per Annex C

Both parties agree to:

• for the ESFA data file, ensure that data from ESFA is sent to HMRC by government secure email, password protected with password sent separately to the nominated person within the HMRC RIS Team

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

• ensure that the data match output for the ESFA file is sent by HMRC to ESFA data.sharing@education.gov.uk - the data must be sent via government secure email, password protected with password sent separately to the nominated user within the ESFA project team

• ensure that the data match outputs for the ESFA file are sent by HMRC to the Cabinet Office. The data must be anonymised and sent via government secure email, password protected with password sent separately. The data file will retain an ESFA unique identifier and the requested HMRC data specification but will not include any personal identifiable information such as names, addresses, dates of birth or the like

• HMRC will destroy the ESFA file and the data match outputs upon confirmation of receipt from both the Cabinet Office and ESFA. ESFA and the Cabinet Office will destroy HMRC match outputs upon completion of the pilot or after 6 months of receipt, whichever is soonest. ESFA will only retain HMRC data for longer if it is being used as part of an active counter fraud investigation

1.6 Data protection

All parties agree that HMRC and ESFA are both separately data controller, as defined by the data protection legislation for the personal data they provide to meet the agreed purposes.

Each party shall comply with all obligations imposed on a controller under the data protection legislation.

Each party shall:

• process the shared personal data only for the agreed purposes
• not disclose or allow access to the shared personal data to anyone other than the permitted recipients
• ensure that all permitted recipients are subject to written contractual obligations concerning the shared personal data (including obligations of confidentiality) which are no less onerous than those imposed by this agreement
• notwithstanding the measures at clause 4, ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
• not transfer any personal data received from any party outside the EEA unless the transferor ensures that:
  • the transfer is to a country approved by the European Commission as providing adequate protection pursuant to article 45 GDPR
  • there are appropriate safeguards in place pursuant to article 46 GDPR
  • one of the derogations for specific situation in article 49 GDPR applies to the transfer
• each party shall assist the other in complying with all applicable requirements of the Data Protection Legislation. In particular, each party shall:
  • promptly inform the other party about the receipt of any data subject access request
  • provide the other party with reasonable assistance in complying with any data subject access request
  • not disclose or release any shared personal data in response to a data subject access request without first consulting the other party wherever possible
  • assist the other party, at the cost of the other party, in responding to any data request from a data subject and in ensuring compliance with its obligations under the data protection legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators
  • notify the other party without undue delay on becoming aware of any breach of the data protection legislation
  • delete or return shared personal data and copies thereof to the other party on in accordance with clause 5 or on termination of this agreement unless required by law to stare the personal data

1.7 Freedom of Information

All parties agree that if an FOI request relating to this information is made to any party, their FOI team will engage with the other parties FOI team regarding the potential impact of disclosure. All parties agree that the responsibility and final decision on responding under FOI lies with the party that received the request for information. All parties agree that if an FOI request relating to this information is made to any party, their FOI team will engage with the other parties FOI team regarding the potential impact of disclosure. All parties agree that the responsibility and final decision on responding under FOI lies with the party that received the request for information.

Where disclosure is to a third party with whom HMRC has agreed an umbrella memorandum of understanding (MoU) covering exchange of information, the signatories to this Data Usage Agreement agree to comply with the terms set out in sections 2 to 4 of the relevant umbrella MoU: (no umbrella MoU Applies to this Data Usage Agreement as this is a one off proof of concept)

Any disputes and/or breaches relating to this information transfer should be reported to ESFA and HMRC.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

2. Annex A

ESFA Applicant Data Specification
Unique Learner Number (Key)
UKPRN
Provider Name
Framework or standard name
Learning Start Date
Completion status
Actual End Date (if applicable)
Outcome
Apprentice National Insurance Number (NINO)
Apprentice Forename(s)
Apprentice Surname
Apprentice Date of Birth
Apprentice Address Line 1
Apprentice Address Line 2
Apprentice Address Line 3
Apprentice Address Line 4
Apprentice Home Postcode
Employer Name (where held)
Employer Identification Number / Companies House Number (if available)
Delivery Location Postcode - usually place of employment
Employer Address (where held)

3. Annex B

3.1 HMRC matching methodology and data output specification

Individual verification

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

• where these details match, the individuals will then be matched against employment data and Self Assessment data (see below employment status)
• if an individual doesn’t match on a minimum of name, date of birth and National Insurance number, no employment or Self Assessment data will be returned
• in instances where everything has matched apart from the National Insurance number, a flag will be created to show the National Insurance number held by ESFA may be incorrect
• fuzzy matching will be done on the names to improve the match rate

Employment status:

• for the verified individuals the National Insurance number will be used to link to employment data in Real Time Information (RTI). HMRC will provide details of applicant employments for the duration of the course (dates as provided by ESFA). -Self Assessment information will be taken from the …

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

… and will cover the tax years that the duration of the course covers

HMRC Individual Verification
Individual Matched to ESFA Name (Y/N)
Individual Matched to ESFA National Insurance Number (Y/N)
Individual Matched to ESFA Date of Birth (Y/N)
Individual Matched to ESFA Source Data Address (Y/N)
Potential Incorrect National Insurance Number (Y/N)
HMRC RTI - Earnings Information and Sources
Tax Year
Employer Name
Employer Address
Start Date
Leaving Date
Latest Payment Date
Pay Frequency
Pay In Latest Period
Taxable Pay In Period
Taxable Pay Year To Date
HMRC Self Assessment
SA Tax Year
SA Return Date
SA Employment Flag
SA Self Employment Flag

4. Annex C

4.1 Data flow

1. ESFA provide data file comprising of 10,000 apprenticeship records to HMRC Risk and Intelligence Service (RIS).
2. HMRC RIS team undertake data matching (Annex B).
3. HMRC RIS send the data matching output (Annex B) to ESFA (as data owners) and to the Cabinet Office (anonymised).
4. The Cabinet Office will use the anonymous data file to design the analytics framework for ESFA. ESFA use this to review and investigate matches where the data indicates a risk of fraud.

---