Transparency data

Memorandum of Understanding: Supporting the identifying of potential fraudulent company applications to the Cultural Recovery Fund

Published 19 March 2026

This Memorandum of Understanding (MoU) between HM Revenue and Customs (HMRC) and Department for Culture, Media and Sport (DCMS) and Arts Council England (ACE) was agreed and put in place in 2025.

1. Introduction

This MoU sets out the information sharing arrangement between the aforementioned participants. For the context of this MoU ‘information’ is defined as a collective set of data or facts that when shared between the participants through this MoU will support the participants in delivering the purpose of the data sharing activity described in section 3 below.

Information will only be exchanged where it is lawful to do so. The relevant legal bases are detailed within this agreement. It should be noted that exchange covers all transfers of information between the participants, including where one participant has direct access to information or systems in the other.

This MoU is not intended to be legally binding. It documents the respective roles, processes, procedures, and agreements reached between HMRC and the participants. This MoU should not be interpreted as removing, or reducing, existing legal obligations or responsibilities of each Participant, for example as Controllers under the UK General Data Protection Regulations (UK GDPR).

2. Purpose and benefits of the data sharing agreement

2.1. Purpose

This is a one-off pilot data share and is expected to commence in June 2025 with the pilot lasting for 12-months.

The Culture Recovery Fund (CRF) was an unprecedented fund set up to tackle the crisis that faced cultural organisations and heritage sites during the coronavirus (COVID-19) pandemic. Without targeted support, DCMS expected large-scale financial failures arising from the pandemic during 2020 to 2021, with many organisations likely to close permanently if support was not available by September 2020. In July 2020 the Culture Secretary announced the £1.57 billion package, to help the UK’s cultural, arts and heritage institutions survive the pandemic, supporting their long-term sustainability. The fund’s primary objective was to rescue cultural and heritage organisations at risk of financial failure in the financial year 2020 to 2021 due to COVID-19. DCMS is accountable for this fund.

The purpose of this data share is to detect fraud against organisations and businesses who have submitted applications for a grant during the COVID-19 pandemic.

The CRF awarded grants to organisations based on a number of criteria, such as cultural significance, however in most cases turnover of the applicant organisation was an important variable and one of the key determinant factors in the size of the award.

As can be the case with funding schemes, there are those who take advantage and file false turnover figures in order to inflate the grant size that they receive.

DCMS will share the data received from HMRC with ACE, an executive non-departmental public body sponsored by DCMS, in order for them to carry out investigations into the false claims made to their allocation of grant money.

The data share will seek to identify those organisations and businesses who applied for a CRF grant and had declared falsified earnings in order to receive more money with the potential outcome of repayment of grant and possible criminal charges. If fraud is suspected, then DCMS will seek to refer the case to ACE for their further investigation. This may then lead to ACE requesting a copy of the company tax return from the applicant and, should this show no legitimate explanation for the discrepancy, then they would issue a request for repayment of the funds and consider law enforcement involvement as appropriate.

HMRC considers that the disclosure of information to DCMS is necessary and proportionate in order to support them with their aim of identifying fraudulent company applications to the Cultural Recovery Fund. HMRC data will not be directly sent to the businesses or organisations, rather it will be used to detect a fraudulent claim. Should action need to be taken against a business or organisation this will be done from requested company tax return direct from the applicant.

2.2. Aims of data share

This data share seeks to match turnover data from the year preceding COVID-19, for example financial year (FY) 2019 to 2020 plus FY 2020 to 2021 and 2021 to 2022 to identify the following potential frauds:

• applications by companies which were not trading prior to COVID-19 (as was a requirement of the grant)
• applications by companies for an excessive grant based on inflated turnover (as the grants were intended to be no more than 25% of pre-COVID-19 turnover)
• false declarations made with respect to turnover on application to the CRF

The data share should allow for an initial indication of substantial deviation from expected or declared turnover figures. Those grants which are flagged as significant discrepancies will be investigated by ACE. DCMS expect that in some cases there may be legitimate explanations and other false positives, as turnover was not the sole determining factor, however, DCMS do expect to find cases of fraud and deliberate overstatement of need.

2.3. How will data being shared help achieve those aims?

The data that DCMS receive from HMRC will identify those with turnover falsifications in the grant application process as HMRC have access to tax and earnings data that DCMS do not. DCMS will then use this data to provide information to ACE in order for repayment and potential criminal charges to be brought against the offending businesses.

2.4. Benefits of the data share

There are no direct benefits to HMRC other than to support DCMS in their aim of identifying fraudulent company applications to the CRF.

The benefits of this data share to DCMS are as follows:

• identification of fraud which can then be investigated and recovered
• identification of control gaps in ongoing and future grant schemes
• serves as a statistically valid fraud measurement exercise for the purpose of assessing overstatement of need and turnover fraud allowing DCMS to inform risk appetite and wider corporate governance
• if successful may allow for future HMRC data sharing to mitigate future risks of fraud
• demonstrates government commitment to investigating potential abuse of COVID-19 support schemes of which there is a significant public interest

3. Data Protection Impact Assessment (DPIA)

Data Protection Impact Assessments have been completed by both participants in this agreement. The details of which are found below.

Organisation	DPIA Reference Number	Date DPIA was registered	Date DPIA was last reviewed
HMRC	15644 (screening only)	02 Oct 2024	02 Oct 2024
DCMS	2024/03/GRAFT	19 Nov 2024	19 Nov 2024

4. Relationships under UK GDPR in relation to any personal data being exchanged under this agreement

No personal data is being exchanged under this agreement.

5. Handling of Personal Data and Security

Where participants bear the responsibility of a Data Controller, they must ensure that any personal data received pursuant to this MoU is handled and processed in accordance with the current 7 UK GDPR principles.

Additionally as part of the Government, HMRC and participant 2 and 3 must process personal data in compliance with the mandatory requirements set out in HM Government Functional Standard GovS 007: Security issued by the Cabinet Office when handling, transferring, storing, accessing or destroying Information assets.

Participants must ensure effective measures are in place to protect personal data in their care and manage potential or actual incidents of loss of the personal data. Such measures will include, but are not limited to:

• personal data should not be transferred or stored on any type of portable device unless absolutely necessary, and if so, it must be encrypted, and password protected to an agreed standard
• participants will take steps to ensure that all staff involved in the data sharing activities are adequately trained and are aware of their responsibilities under the DPA, UK GDPR and this MoU
• access to personal data received by participants pursuant to this MoU must be restricted to personnel on a legitimate need-to-know basis, and with security clearance at the appropriate level
• participants will comply with the Government Security Classifications Policy (GSCP) where applicable

6. Duration, frequency and volume of the data sharing

Date MoU comes into effect	MoU formal review date	MoU cease date	Frequency and volume of data being shared
01 June 2025	31 May 2026	01 June 2026	This is a one-off data share pilot, consisting of approximately 6,000 companies and businesses. Anticipated to start in June 2025

7. Legal considerations and basis to share data between the participants

HMRC has specific legislation within the Commissioners for Revenue and Customs Act (CRCA) (2005) which covers the confidentiality of information held by the department, when it is lawful to disclose that information and legal sanctions for wrongful disclosure. For HMRC, disclosure of information is precluded except in certain limited circumstances, broadly for the purposes of its functions, where there is a legislative gateway or with customer consent. Unlawful disclosure relating to an identifiable person constitutes a criminal offence. The criminal sanction for unlawful disclosure is detailed at section 19 of the CRCA 2005.

Data can only be shared where there is a legal basis for the exchange and for the purposes described in this MoU as specified at Section 10 below. No data should be exchanged without a legal basis and all exchanges must comply with our legal obligations under both the Data Protection Act (DPA) 2018 and Human Rights Act (HRA) 1998.

7.1. Legal basis for HMRC to disclose data

HMRC will disclose data to DCMS and Arts Council England using Section 56 of the Digital Economy Act 2017

7.2. Legal basis for DCMS and ACE to disclose data

DCMS and Arts Council England will disclose data to HMRC using Section 56 of the Digital Economy Act 2017

7.3. Lawful basis under UK GDPR to process personal data

Not applicable as no personal data is being exchanged.

8. Data to be shared

A dataset of approximately 6,000 companies will be extracted by DCMS Counter Fraud from the databases of ACE and transferred via Secure Data Exchange Service (SDES) to HMRC RIS GovDET in Microsoft Excel spreadsheet.

Data sent from DCMS and ACE to HMRC:

• DCMS_Companies House Registration Number
• DCMS_URN
• Company name
• Incorporation Date
• Company registered address line 1
• Company registered address line 2
• Company registered address town
• Company registered address county
• Company registered address country
• Company registered address postcode

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

HMRC will only return data when there is a confirmed match. Non matches will not be returned to DCMS and will be removed from the spreadsheet in full.

Data sent from HMRC to DCMS and ACE:

• DCMS_URN
• DCMS_Companies House Registration Number
• HMRC_Companies House Registration Number
• Corporation Tax (CT) registration date
• 2019 to 2020 CT Total turnover from trade or profession
• 2020 to 2021 CT Total turnover from trade or profession
• 2021 to 2022 CT Total turnover from trade or profession
• accounting period start date for 2019 to 2020
• accounting period end date for 2019 to 2020
• accounting period start date for 2020 to 2021
• accounting period end date for 2020 to 2021
• accounting period start date for 2021 to 2022
• accounting period end date for 2021 to 2022

The data will be shared from DCMS to HMRC via SDES and returned from HMRC to DCMS via SDES.

9. Accuracy of the data being shared

Before sharing data all participants must take all reasonable steps to ensure that the data being shared is both accurate and up to date.

The exporting department will ensure that data integrity meets their own department’s standards, unless more rigorous or higher standards are set out and agreed at the requirements stage.

Participants will notify each other of any inaccuracies of the data as they are identified.

10. Retention and destruction of data

10.1. HMRC

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

10.2. DCMS and ACE

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

11. Onward disclosure to third parties

DCMS agrees to seek permission from HMRC before any onward disclosure of information to a third party and will only disclose any information if permission is granted.

The data will be used for the purposes laid out in this MoU and must not be shared outside of DCMS, ACE without prior approval and consent of HMRC. This is covered in the use of section 56 of the DEA for the purposes of onward sharing to the 2 named executive non-departmental bodies.

All parties to this MoU agree to seek permission before any onward disclosure of information to a third party, where not already covered by this MoU, and will only disclose any information if permission is granted.

Where cases of fraud are detected, ACE will seek to obtain a company tax return from the applicant which will provide evidence and explanation of the discrepancy. DCMS would not need to use HMRC data to refer to law enforcement where needed as the further investigation would be used for this. HMRC data would be solely used to initially detect a possible case of fraud.

12. Role of each participant to the MoU

12.1. Role of HMRC

• identify the appropriate data required from HMRC IT systems and records
• provide the data to DCMS in Microsoft Excel transferred by SDES from and to agreed contact points
• only allow access to that data by the team requiring it
• ensure that staff handle this data in line with the approved secure transfer method agreed by both departments and within HMRC data security instructions
• only store the data for as long as there is a business need to do so
• move, process and destroy data securely in line with the principles set out in HM Government Functional Standard GovS 007: Security issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
• comply with the requirements in the Government Functional Standard GovS 007: Security and, in particular prepare, for and respond to Security Incidents and to report any data losses, wrongful disclosures or breaches of security relating to information

12.2. Role of DCMS and ACE

• identify the appropriate data required from HMRC
• only use the information for purposes that are in accordance with the legal basis under which it was received
• only hold the data for as long as there is a business need to do so
• ensure that only people who have a genuine business need to see the data will have access to it
• on receipt, store data received securely and in accordance with the prevailing central government standards, for example in secure premises and on secure IT systems
• move, process and destroy data securely in line with the principles set out in HM Government Functional Standard GovS 007: Security issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
• comply with the requirements in the Government Functional Standard GovS 007: Security and in particular prepare for and respond to Security Incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
• if participant 2 and 3 adheres to a different set of security standards they must inform HMRC what these standards are at 16.3 below and comply with any additional security requirements specified by HMRC
• seek permission from HMRC before onward disclosing information to a third party
• seek permission from HMRC if you are considering offshoring any of the personal data shared under this agreement
• mark information assets with the appropriate government security classification and apply the baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, issued by the Cabinet Office, and as a minimum the top level controls framework provided in the Annexe – Security Controls Framework to the GSC
• send the data in the above specified format via Secure Data Exchange Service agreed by both departments under the protective marking ‘Official-Sensitive’

13. Monitoring and reviewing arrangements

• this MoU relates to a regular exchange that must be reviewed annually to assess whether the MoU is still accurate and fit for purpose (not applicable in this case as it is a pilot)
• reviews outside of the proposed review period can be called by representatives of any participant — any changes needed as a result of that review may be agreed in writing and appended to this document for inclusion at the formal review date
• technical changes necessary to improve the efficiency of the exchange that do not change the overarching purpose can be made without the requirement to review formerly the MoU during its life cycle but must be incorporated at the formal review stage
• a record of all reviews will be created and retained by each participant

14. Assurance arrangements

• HMRC has a duty of care to assure any data that is passed on to others. Processes covered by this MoU will be subject to annual reviews. HMRC may also choose to introduce ad hoc reviews. Assurance will be provided by the annual completion of a Certificate of Review and Assurance (CoRA). The assurance processes should include checking that any information sharing is achieving its objectives (in line with this MoU) and that the security arrangements are appropriate given the risks
• participant 2 and 3 agree to provide HMRC with a signed CoRA within the time limits specified upon request
• HMRC reserves the right to review the agreed risk management, controls, and governance in respect of this specific agreement

15. Security breaches, security incidents or loss unauthorised disclosure of data

The designated points of contact are responsible for notifying all participants in writing in the event of loss or unauthorised disclosures of information within 24 hours of the event. The DEA Secretariat must be informed.

The designated points of contact will discuss and agree the next steps relating to the incident, taking specialist advice where appropriate. Such arrangements will include (but will not be limited to) containment of the incident and mitigation of any ongoing risk, recovery of the information, and notifying the Information Commissioner and the data subjects. The arrangements may vary in each case, depending on the sensitivity of the information and the nature of the loss or unauthorised disclosure.

16. Subject Access Requests

In the event that a Subject Access Request (SAR) is received by any participant they will issue a formal response on the information that they hold following their internal procedures for responding to the request within the statutory timescales. There is no statutory requirement to re-direct SARs or provide details of the other participant in the response. However, each participant will notify the other if a SAR is received in respect of any personal data shared under this agreement.

• HMRC Contact
• DCMS Contact
• ACE Contact

Full details of data subject’s rights in relation to processing of personal information can be found in each participant’s Privacy Notice, see links below. Also, see ICO guidance:

• HMRC Privacy Notice
• DCMS Personal Information Charter
• Arts Council England Privacy Notice
• ICO Data Sharing Code of Practice – The rights of individuals

17. Freedom of Information Act (FOI) 2000

All participants are subject to the requirements of the Freedom of Information Act (FoIA) 2000 and shall assist and co-operate with each other to enable each organisation to comply with their information disclosure obligations. In the event of one participant receiving an FoI request that involves disclosing information that has been provided by any other participant the organisation in question will notify the other to allow it the opportunity to make representations on the potential impact of disclosure.

• HMRC FOI Contact
• DCMS FOI Contact
• ACE FOI Contact

18. Issues, disputes, and resolution

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

19. Costs

RIS Government Data Exchange Team will recharge for all cross-government data exchanges where there is no reciprocal benefit to HMRC. Recharges are based on resource costs, including both governance and analytical resource and are in line with HMRC Fees and Charges guidance.

DCMS will be responsible for covering the costs of this data share as the primary body in this data share.

20. Termination

This MoU may be terminated by giving 3months’ notice by any participant. All participants to this MoU reserve the right to terminate this MoU with 3months’ notice in the following circumstances:

• by reason of cost, resources, or other factors beyond the control of the HMRC or participant 2 or 3
• if any material change occurs which, in the opinion of HMRC and participant 2 or 3 following negotiation significantly impairs the value of the data sharing arrangement in meeting their respective objectives

In the event of a significant security breach or other serious breach of the terms of this MoU by any Participant the MoU will be terminated or suspended immediately without notice. In the event of a failure to cooperate in a review of this MoU or provide assurance the agreement may be terminated or suspended without notice. The DEA Secretariat must be informed.

21. Signatories

This content has been withheld because of exemptions in the Freedom of Information Act 2000.