Transparency data

Conditions of disclosure of information by HMRC to Leeds City Council for the purposes of preventing and combating fraud against a public authority

Published 22 July 2025

This Data Usage Agreement between HMRC and Leeds City Council was agreed and put in place in 2023.

Reason for variation request to pilot

Following sign off on this pilot by the review board and subsequent ministerial approval in April 2024, LCC shared the initial data set for matching with HMRC on 30th April 2024.

The data matching identified that some data items documented in the original business case (commencement date of newly opened accounts, account sort code and closure date of account) were either not available or subject to availability to HMRC, therefore affecting the usability of the dataset for the purposes of the pilot.

Following discussions between LCC and HMRC, the data specifications have been reviewed, modified, and agreed to optimise and achieve the objectives of this pilot.

With the addition of LCC’s ID reference numbers, further data minimisation controls have also been agreed and implemented, due to LCC no longer requiring the return of personal identifiers from HMRC.

Due to the modification of the data specifications, the original pilot duration of 12 months from 30 April 2024 to 29 April 2025 is no longer sufficient to share the relevant data and for LCC to complete a full analysis. LCC, with HMRC’s agreement, would therefore like to request an extension of the pilot by 6 months.

The pilot commenced on 30 April 2024 and will now conclude on 31 October 2025.

This DUA (and accompanying DPIAs) has been reviewed and amended to reflect the changes to the data specification and duration of this pilot.

Any changes to this DUA will be marked in bold italics.

HMRC

Under section 18(1) of the Commissioners for Revenue and Customs Act (CRCA) 2005, HMRC is bound by a strict duty of confidentiality meaning that HMRC officers may not disclose information HMRC holds for its functions.

However, HMRC information may be disclosed where one of the statutory exceptions in section 18(2) CRCA 2005 applies or where disclosure is permitted under any other enactment pursuant to section 18(3) CRCA 2005.

Any person who discloses HMRC information which identifies a taxpayer without a lawful basis to do so under either section 18(2) or (3) of CRCA 2005 potentially commits a criminal offence of wrongful disclosure pursuant to section 19 CRCA 2005.

A person found guilty of an offence may receive an unlimited fine, imprisonment of up to two years or both.

In this particular case, disclosure by HMRC to Leeds city council is permitted by virtue of part 5, chapter 4 of the Digital Economy Act (DEA) 2017 and in particular section 56.

This permits disclosure between specified persons for the purposes of taking action in connection with fraud against a public authority.

Specified persons for the purposes of section 56 powers are set out in schedule 8 of DEA 2017 and include HMRC at paragraph 14 and Leeds city council at paragraph 17.

Leeds city council

Disclosure by Leeds city council to HMRC is permitted by virtue of part 5, chapter 4 of the Digital Economy Act (DEA) 2017 and in particular section 56. This permits disclosure between specified persons for the purposes of taking action in connection with fraud against a public authority.

Specified persons for the purposes of s.56 powers are set out in schedule 8 of DEA 2017 and include HMRC at paragraph 14 and Leeds city council at paragraph 17.

Lawful Basis for processing personal data 

HMRC

The lawful processing of personal data by HMRC will be undertaken in line with Article 6(1)(e) of the UK GDPR (performance of a task in the public interest or exercise of official authority) and section 8(d) DPA 2018 (the exercise of a function of the Crown, a minister of the Crown, or a government department).

Leeds city council

The lawful basis is UK GDPR Article 6(1)(e): processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, namely the exercise of a function of the Crown, a minister of the Crown or a government department (Data Protection Act 2018, section 8(d)).

And Article 9(2)(g) of UK GDPR (processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject) and section 10(3) subsections (2) and (3) make provision about the processing of personal data described in Article 9(1) of the UK GDPR (prohibition on processing of special categories of personal data) in reliance on an exception in one of the following points of Article 9(2) (b) substantial public interest.

It has been determined that the processing meets the special condition of preventing fraud, under 14(1) schedule 1 Part 1 of the Data Protection Act 2018.

This condition is met if the processing—

(a) is necessary for the purposes of preventing fraud or a particular kind of fraud, and

(b) consists of—

(ii) the disclosure of personal data in accordance with arrangements made by an anti-fraud organisation

Data protection impact assessment (DPIA)

A data protection impact assessment is required prior to the exchange proceeding.

HMRC DPIA reference number 12185

Date of DPIA: 30 November 2023

Last reviewed: 15 August 2024

Leeds city council DPIA reference: LCC and HMRC DEA Data Sharing Pilot

Date of DPIA: 6 June 2024

HMRC records of processing activity (ROPA)

HMRC will update its ROPA, an inventory of all HMRC’s major processing activities involving personal data, before the data exchange commences.

Purpose

The pilot originally commenced on 30th April 2024 following ministerial approval. On approval of this variation, the pilot will be extended from 12 months to 18 months to allow additional time for the relevant data to be shared and analysed. It is anticipated that the pilot will resume in November 2024.

Adult social care departments within local authorities must assess whether or not an individual, who is receiving a care and support package, qualifies for any state assistance to help them meet their living costs.

Individuals who have savings and investments over the threshold of £23,250 must fund the cost of their care package until such a time where their savings and investments fall below this threshold.

State means-testing requires that decisions are made on the financial evidence declared by the applicant (or legal representative). Local authorities must make decisions to award assistance based on ‘the known knowns’, such as income declared, capital declared and so on. However, local authorities cannot make decisions based on ‘the unknown unknowns’ for example, that which has not been declared in the first place.

Therefore, should an applicant fail to declare their true financial circumstances, then inevitably, fraud will enter the system.

Overall, local authorities lose an estimated £2.1 billion per year to fraud according to the National Fraud Authority (2013) and this figure may be significantly understated.

This is a pilot data share involving one local authority - Leeds city council (LCC). The ultimate aim is for all English local authorities with adult social care responsibilities to access HMRC data if the pilot is proven successful.

Whilst applicants are required to declare that they have provided their true financial circumstances, adult social care financial assessors have no way of cross-checking this information to ensure claims are not fraudulent.

This pilot data share will provide the ability to verify financial information a customer has provided against HMRC records to identify potential fraud.

LCC will provide an initial file of approximately 650 existing client records to HMRC and request HMRC savings/investment and self-assessment data to allow them to compare this information to what LCC have on file.

Following that, monthly, LCC shall compile and send a file to HMRC containing any newly arising cases in the previous month of approx. 350 to 400 individual records.

LCC will request HMRC savings/investment and Self Assessment data to allow LCC to compare this information to that which has been declared by applicants wishing to claim state assistance.

Benefits of the exchange

LCC

  • fraud prevented and recovery action negated

  • resource savings – pressure on local authorities’ budgets minimised as fraud and error prevented at the gateway

  • no costly debt recovery action required if fraud discovered

  • increased public confidence that ‘government’ takes fraud seriously

  • evidence queried where it has been withheld or misrepresented to the local authority by the claimant resulting in quicker financial assessments and reducing the risk of interruption to financial assistance awards

  • where fraud is identified, cases will be investigated up to and including prosecution; this will act as a deterrent for fraudulent social care applications

  • safeguarding concerns identified as early as possible, such as financial abuse by relatives, and reported appropriately for any potential safeguarding investigation to protect the vulnerable adult

  • improved customer experience – financial assistance awarded sooner

HMRC

Whilst there is a clear direct benefit to the public purse, there is no direct benefit to HMRC, who are only supporting Leeds city council with this pilot for the purpose of their functions.

Procedure

The pilot originally commenced on 30 April 2024 and is anticipated to resume in November 2024. The revised pilot end date is 31 October 2025.

An initial data set of approximately 650 individuals will be shared from LCC to HMRC in November 2024. This will represent all LCC financial assessment work in progress (new financial assessment referrals and financial assessments not yet concluded).

For a period of 7 months, LCC will then send HMRC a monthly data set of approximately 350 to 400 individual records of newly arising financial assessment cases.

HMRC data will be shared with LCC which covers a retrospective period of 24 months from the start date of social care.

Data matching is carried out in accordance with the agreed RIS team quality assurance standards framework.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Data items

Data items from Leeds city council to HMRC are as follows:

  • LCC ID reference number

  • first name

  • middle name

  • surname

  • NINO

  • DOB

  • address

  • postcode

  • social care start date

Data items returned from HMRC RIS government department to LCC are as follows:

  • LCC ID reference number

Data items provided from HMRC RIS government department to LCC are as follows:

Note – HMRC will be providing the below data items for the tax year relating to the social care start date, and two full preceding tax years.

  • tax year

  • tax paid on savings/investments on all bank accounts (as per DWP fraud savings annual match)

  • interest paid on savings

  • the type of financial product, such as current account, ISA, savings account, bond

  • bank/building society name

  • sort code - where available

  • last 3 digits of account number

  • the closure date of any accounts - where available

HMRC Self-Assessment data will also be returned from HMRC RIS GovDET to LCC (if available). These data items are as follows:

  • total income

  • tax due

  • land property income

  • foreign dividend income

  • correspondence address

Note - The use of LCC ID reference number negates the need for HMRC to return personal identifiers to LCC as they can directly link back to their records on return.

Onward Disclosure

HMRC and LCC agree not to onwardly share the data received in this exchange with any external parties.

Data Retention and Storage

HMRC

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Auto reminders in Outlook are set by the risk intelligence services governance department analyst to delete the data as required after delivery.

As an added level of assurance, the data deletion is also recorded on a RIS government department GDPR tracker document, which is an Excel tool outlining all data sharing and what date the data is deleted. This is reviewed on a monthly basis by the Grade 7 RIS government department team lead and checks are undertaken that data is deleted on time.

In the event of an analyst being absent, the Grade 7 will arrange for the deletion of the data.

Leeds City Council

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Individuals’ financial data will be extracted from the HMRC files and individually stored within the client’s social care record.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Financial assessment officers will therefore only access the data pertaining to the individual client they are assessing and not the entire data set for all clients. The financial assessor will then use the data to assist in the processing of financial assessments. LCC will manually delete all HMRC files stored in the secure network folder (password protected) 3 months after the pilot ends to allow time for final data analysis to happen.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

As an added level of assurance, the council’s information governance team will also diarise the necessity to delete the files 3 months after the pilot ends.

Data Security

HMRC and LCC both agree to:

  • move, process and destroy data securely in line with the principles set out in HM government security policy framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information

  • only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information will have access to it

  • only keep it for the time it is needed, and then destroy it securely

  • not onwardly disclose that information without the prior authorisation of HMRC

  • comply with the requirements in the security policy framework

  • be prepared for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to information

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

  • mark information assets with the appropriate security classification

  • apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, and in particular as set out in the Annex – Security Controls Framework to the GSC

Data controller

HMRC is the data controller when HMRC processes the data, and it is within the HMRC environment. When the data has left HMRC and is received by LCC, then LCC will be the data controller, using definitions as set out in the Data Protection Act (DPA) 2018.

Freedom of Information Requests

Both participants are subject to the requirements of the Freedom of Information Act (FOIA) 2000 and shall assist and co-operate with each other to enable each organisation to comply with their information disclosure obligations. In the event of one participant receiving an FOIA request that involves disclosing information that has been provided by the other participant, the organisation in question will notify the other to allow it the opportunity to make representations on the potential impact of disclosure.

All HMRC FOIA requests must be notified to the central HMRC FOIA team inbox

All Leeds city council FOIA requests must be notified to DPFOI@leeds.gov.uk

Subject Access Requests (SAR)

In the event that a Subject Access Request (SAR) is received by either participant, they will issue a formal response on the information that they hold, following their internal procedures for responding to the request within the statutory timescales.

There is no statutory requirement to re-direct SAR or provide details of the other participant in the response. However, each participant will notify the other if a SAR is received in respect of any personal data shared under this agreement. Contact details are as below:

HMRC RIS contact for SAR

Leeds City Council contact for SAR

Costs

HMRC RIS government department will recharge for the time taken to provide the data for this data share.

Disputes

HMRC

Any disputes relating to this information transfer should be reported to:

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Leeds city council

Any disputes relating to this information transfer should be reported to:

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Signatures

This content has been withheld because of exemptions in the Freedom of Information Act 2000.