Data Sharing for the Prevention of Fraud
Code of practice for public authorities disclosing information to a specified anti-fraud organisation under sections 68 to 72 of the Serious Crime Act 2007
Presented to Parliament pursuant to section 71 of the Serious Crime Act 2007
In this Code of Practice we have used the term “arrangements with a SAFO” to mean a disclosure that meets this test.
11. Appendix 1 provides further details of the legislative scheme.
corporate or other person which enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud, or which has any of these functions as its purpose or one of its purposes.
2 See data protection principles 1 and 2 – www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_9#sch1
3 See data protection principle 3 – www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_9#sch1
15. The new condition covers a wide range of processing in addition to disclosures under section 68 of the SCA. Sensitive personal data is defined in section 2 of the DPA and includes, for example, the commission or alleged commission by the data subject of any offence, his racial or ethnic origin, his political opinions and his religious beliefs.4 Public authorities must ensure that any sensitive personal data is handled appropriately and in accordance with data protection legislation.
16. The information disclosed may be of any kind. Types of information could include, for example, the identifying details of individuals suspected of fraudulently obtaining services.
17. However, public authorities must not disclose excessive information and must only disclose the minimum information necessary for the purposes of preventing fraud or a particular kind of fraud.
INFORMATION SHARING DOCUMENT
18. In practice the information disclosed will be governed to a large extent by the requirements of the arrangements with a SAFO under which the public authority intends to disclose information. Public authorities should prepare an agreed information sharing document with the SAFO, setting out mutually agreed standards on areas such as the use, handling and security of information. This should incorporate the requirements of this Code of Practice and follow the Information Commissioner’s Office’s (ICO) information sharing framework code.5
19. When deciding whether or not to disclose information under arrangements with a SAFO, public authorities should consider:
• whether in their own individual circumstances it would be sensible to take part in the arrangements;
• whether in their own individual circumstances they can meet the requirements of the DPA in participating;
• the types and levels of fraud that they may be subject to;
• whether disclosing information to a SAFO would be a good use of their resources in reducing fraud;
• the type of information they will be disclosing and how this can be minimised to that which is necessary to prevent fraud or a particular kind of fraud; and
• whether the information sharing mechanisms of the SAFO will suit the purposes of the public authority.
20. The SAFO may be able to provide advice on the disclosure of information based on previous experience, or may be willing to undertake a trial or a pilot exercise ahead of final decisions being made. Any trial or pilot exercise must be DPA-compliant. Under the DPA, a data controller is defined as “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”. Both the public authority and the SAFO will have obligations as data controllers under their information sharing arrangements. The SAFO will also have had to meet certain requirements in order to be specified under the SCA.
Fairness and transparency
21. Public authorities will be required to ensure that their data sharing practices are fair and transparent. SAFOs will also be required to have fair and transparent processes in place for disclosing and receiving data. Public authorities must satisfy themselves that these processes are satisfactory before any data is shared. Public authorities that disclose information to SAFOs will need to be aware of and comply with these processes when sharing information under arrangements with them.
4 See DPA section 2 – www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_2#pt1-l1g2
5 www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/pinfo-framework.pdf
FAIR PROCESSING NOTICES
22. The DPA requires data controllers to inform individuals of how their personal information is being used. Specifically, the first data protection principle requires the following details to be provided:
(a) the identity of the data controller (together with the identity of any nominated representative for the purposes of the DPA, if the authority has one);
(b) the purpose or purposes for which the data is intended to be processed; and
(c) any further information that is necessary to enable the processing to be fair.
23. The provision of this information is known as a fair processing notice.
24. Participating public authorities should, so far as is practicable, ensure that fair processing notices are actively provided, or at least made readily available, to the individuals whose personal data the public authority will or may share. The notice should clearly state that their data may be disclosed for the purposes of preventing fraud, and that the data may be provided to other persons under arrangements with a SAFO for this purpose. The notice should also contain details of how individuals can find out more about the sharing of their data. Where a public authority is only likely to use one SAFO, the public authority should consider whether it would be appropriate to name that SAFO in the fair processing notice. In any event, details of the SAFO should be available on enquiry.
25. If the public authority is transparent in terms of how personal information is processed, individuals will be able to understand what their information is being used for and who is using it. They will also know who to contact if they have concerns or queries. Furthermore, transparency can have the beneficial side-effect of deterring fraud, as people become aware of the measures taken by the organisations involved to detect fraud.
LAYERED NOTICES
26. The Information Commissioner recommends a layered approach to fair processing notices; this involves giving a relatively simple first explanation backed up by a more detailed explanation. Public authorities should make clear where individuals can obtain further information about the type of fraud they are trying to prevent, and how, why and with whom their information is being shared (by, for example, providing web links to more detailed information, or contact details for a named person such as the key contact on data sharing or a data protection officer).
27. Arrangements should be in place for dealing with questions and complaints about data sharing. Roles and responsibilities in both the public authority and the SAFO should be agreed and defined within the information sharing document.
28. Examples of layered fair processing notices can be found in Appendix 3.
RETROSPECTIVE NOTICES
29. Sometimes it will not be possible to provide a fair processing notice at the point when data is collected. In such cases, public authorities must issue retrospective fair processing notices as soon as practicable, unless it is impracticable to do so (because, for example, disproportionate effort would be required).6 The term “disproportionate effort” is not defined in the DPA. What does or does not amount to disproportionate effort is a question of fact to be determined in each and every case. In deciding this, public authorities will need to take into account a number of factors including the nature of the data and the time and cost involved in issuing a retrospective fair processing notice. These factors will need to be balanced against the prejudicial or potential prejudicial effect on the data subject of failing to issue such a notice.
6 See DPA Schedule 1, Part II, paragraphs 2 and 3 – www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_9/sch1-pt2
Information sharing standards
30. Public authorities should disclose information to a SAFO under an information sharing document that has been agreed with the SAFO. This should specify agreed arrangements for, among other things, fair processing, data minimisation, retention and use of the data, security of the data and the rights of data subjects. It should follow this Code of Practice and the ICO’s own information sharing framework code.
31. Public authorities should ensure that any data they share with a SAFO is in accordance with the DPA.7 Among other things, the DPA principles require that the data shared must be up to date, accurate, relevant, and no more than is required for the purpose. The requirements of the SAFO will largely determine what information is relevant. Public authorities must also ensure that there are agreed standards, set out within their information sharing document, for the secure transmission of data to and from SAFOs.
Rights of data subjects
32. It is important that the rights of data subjects are recognised in any information sharing arrangement. If information is processed in a manner that does not comply with the DPA (for example, where subject access requests are not handled correctly) or is processed unlawfully or inaccurately, this will breach data protection legislation. It could also breach libel laws and have a potentially serious effect on the data subject; for example, the sharing of inaccurate data could lead to services being withheld from an individual who qualifies for them. Data must be processed in line with the rights of data subjects, and public authorities must ensure that arrangements for doing this are specified in their information sharing arrangements with SAFOs.
33. Every public authority must ensure that:
(a) there is someone with specific responsibility for data protection issues within the organisation; and
(b) there are members of staff who are nominated to handle subject access requests, enquiries and complaints from data subjects about the organisation’s handling of personal data.
34. If identified, any inaccurate information in the public authority’s records should be corrected and any SAFO to which the data has been passed should be notified, so that its record of the data can also be corrected.
35. Public authorities should periodically quality-assure data that could be shared. Arrangements for doing so should be set out in the agreed information sharing document.
Retention of shared information
36. It is a requirement of the DPA that personal information should be kept only for as long as necessary. How long it is “necessary” to hold such information will depend on the purpose for which the public authority holds the information, and its own policies and practices.
37. Public authorities and SAFOs should agree in their information sharing document a maximum period of time for which information shared under their arrangements can be held.
38. The SAFO should ensure that data no longer required is destroyed promptly and rendered irrecoverable. The same will apply to data derived or produced from the original data, except where section 33 of the DPA applies (in relation to data processed for research purposes).
7 See DPA Schedule 1 – www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_9#sch1
Security of shared information
39. Much of the information handled by public authorities and SAFOs will be of a sensitive nature. It is essential to have appropriate technical and organisational measures in place to assure the security of such information. This should be set out and agreed in the information sharing document between the public authority and the SAFO. When creating the information sharing document, public authorities will want to carry out a risk assessment to identify the type of security problems that could occur and the effectiveness of their current security measures.
40. The DPA requires that organisations have appropriate technical and organisational measures in place to protect personal data.8
41. When dealing with information that is indicative of actual or potential fraud following data sharing under arrangements with a SAFO, a public authority should consider technical and organisational measures such as:
• establishing role-based access to personal data, i.e. only allowing staff access to the information they need to do their jobs;
• providing specialised training and supervision for staff who have access to sensitive personal data;
• limiting the availability of data to selected, named individuals within the organisation who have been suitably trained;
• ensuring that all computers and buildings used for data processing have physical and logical access controls limiting access to certain individuals (for example, firewalls, computer passwords and secure premises);
• taking regular back-ups of the information held electronically if it will cause damage or distress if lost or stolen;
• having agreed, secure methods for transferring data; and
• undertaking periodic audits of its security arrangements, involving the SAFO as appropriate.
42. SAFOs will have their own security safeguards, and public authorities that choose to share data under arrangements with them should satisfy themselves that these safeguards are adequate for their purposes.
43. Public authorities must also have procedures in place to deal with any breaches of security. Examples of measures that public authorities should consider in relation to security breaches include:
• having procedures in place to contain the situation and limit the damage that any security breach can cause;
• carrying out a risk assessment of the potential adverse consequences for individuals of any security breach;
• assessing who to notify, if necessary, that a security breach has occurred; and
• having procedures in place to investigate the causes of any breach and the effectiveness of the response to it.
Access to personal information under the FOIA and the DPA
44. Individuals whose data is shared under arrangements with a SAFO will also have rights of access to information under the DPA or the Freedom of Information Act 2000 (FOIA).
8 See data protection principle 7 – www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_9#sch1-pt1
45. SAFOs will have their own policies and practices for dealing with requests for personal information under the DPA, as will public authorities. Where public authorities share data under arrangements with a SAFO, they will need to ensure that their practice is consistent with that organisation to ensure that requests are handled in accordance with the DPA.
46. As data will be shared under this Code to prevent fraud, there may be times when it is appropriate to use section 29 of the DPA to prevent access by an individual to the data. However, this exemption applies on a case-by-case basis and only where it is likely to prejudice the processing in question.
47. Under the FOIA, a person has the right to be told whether information is held by a public authority and to be given a copy (unless it is exempt). Public authorities should have in place practices and procedures in order to fulfil the requirements of the legislation.
48. Under the data sharing arrangements covered by this Code, it is likely that public authorities and the private sector will share personal data with one another. In dealing with FOIA requests, public authorities must comply with the FOIA while at the same time being mindful of the potential interests of the private sector organisations with which they share information. Arrangements should be put in place to ensure consultation between the relevant parties when such requests are made and before a reply is given.
Review
BY THE HOME OFFICE
49. The Home Office will periodically review, by sample, arrangements between public authorities and SAFOs to ensure their compliance with this Code.
BY PUBLIC AUTHORITIES
50. This Code covers the disclosure of data by public authorities under arrangements with a SAFO for the purpose of preventing fraud.
51. Public authorities will be able to assess whether and to what extent they wish to take part in the data sharing arrangements made possible by the SCA. They may wish to take part in a pilot exercise with a SAFO before making a final judgement. Any pilot exercise must comply with the DPA.
52. Having entered into such a scheme, public authorities should, in consultation with SAFOs as appropriate, periodically review whether:
• their information sharing agreements are working in practice;
• the arrangements are an appropriate and effective anti-fraud measure;
• fair processing notices are relevant and appropriate;
• the quality of the data held by the public authority and any partner organisations is of agreed standards;
• retention periods are being complied with and continue to meet business needs;
• security remains adequate;
• any security breaches are investigated, with lessons learned and acted on in an appropriate fashion; and
• individuals are being given access to the information they are entitled to.
Compliance with the Code
53. Where the Home Office becomes aware that the requirements of this Code are not being followed in practice, it will notify the public authority and ask it to introduce measures to comply. The Home Office may unspecify SAFOs that do not comply with the SCA or data protection legislation, and may notify the ICO.
54. Any general questions and concerns should be addressed to the Home Office in the first instance.
Role of the Information Commissioner
55. Questions and concerns relating to the DPA should be referred to the ICO, which may be contacted at:
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
ICO helpline: 08456 30 60 60 01625 54 57 45
E-mail: mail@ico.gsi.gov.uk
Website: www.ico.gov.uk (use the online enquiries form rather than the above e-mail address for questions regarding the legislation for which the Information Commissioner is responsible)
56. During the Parliamentary passage of the SCA, the Government gave an undertaking that the Information Commissioner would be given access to audit and inspect data sharing arrangements between public authorities and SAFOs. It is a condition of being specified that anti-fraud organisations will give the Information Commissioner such access. Participating public authorities must also provide access so that the Commissioner can assess compliance with the DPA generally.
APPENDIX 1
Legislative summary
Section 68 of the SCA provides for public authorities to disclose information for the purposes of preventing fraud, or a particular kind of fraud, as a member of a specified anti-fraud organisation or otherwise in accordance with any arrangements made with such an organisation.
An anti-fraud organisation is defined in the SCA as “any unincorporated association, body corporate or other person which enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud or which has any of these functions as its purpose or one of its purposes”.9 An anti-fraud organisation becomes specified by an order made by the Secretary of State. At present there are six specified anti-fraud organisations:
• CIFAS;
• Experian Limited;
• Insurance Fraud Investigators Group;
• N Hunter Limited;
• the Insurance Fraud Bureau; and
• the Telecommunications United Kingdom Fraud Forum Limited.
The SCA provides that the information disclosed can be of any kind and may be disclosed to the SAFO, any member of it, or any other person to whom disclosure is permitted by the arrangements concerned.
The SCA further provides that disclosure under the arrangements does not breach any obligation of confidence owed by the public authority disclosing the information, or any other restriction on the disclosure of information. It does not, however, authorise any disclosure that contravenes the DPA (or is prohibited by Part 1 of the Regulation of Investigatory Powers Act 2000, which deals with the interception of communications).
The power of disclosure in section 68 can be used by any public authority in the UK except a relevant public authority in relation to information whose subject matter would be within the legislative competence of the Scottish Parliament.
“Public authority” means any public authority within the meaning of section 6 of the Human Rights Act 1998.
Wrongful disclosure of information held by a public authority is usually covered by the DPA. Section 69 of the SCA creates an offence relating to making a further disclosure of information that has been disclosed by a public authority under arrangements with a SAFO, other than in certain specified circumstances listed in section 69(2). In practice, this provision currently relates only to HM Revenue and Customs (HMRC) information, disclosed by HMRC itself, which reveals the identity of the person to whom it relates. The offence could be extended to information held by other public authorities by order under the SCA, but there are no current plans to do so.
Finally, the SCA also amended Schedule 3 to the DPA by adding a new condition, relating to the sharing of data under arrangements with an anti-fraud organisation, for the processing of sensitive personal data.
This Code has been prepared in accordance with section 71 of the SCA, which requires the Secretary of State to prepare and keep under review a code of practice with respect to the disclosure, for the purposes of preventing fraud, of information by public authorities as members of SAFOs or otherwise in accordance with any arrangements made by such organisations. The Secretary of State must consult any SAFO, the Information Commissioner and such other persons as he considers appropriate in preparing the Code. Public authorities sharing data under the arrangements are required to have regard to the Code. A copy, and any alteration to it, must be laid before Parliament.
9 See section 68(8) of the SCA – www.opsi.gov.uk/acts/acts2007/ukpga_20070027_en_6#pt3-ch1-pb1-l1g68
Extracts from the relevant legislation can be found at Appendix 2.
The full text of the Act is available at: www.opsi.gov.uk/acts/acts2007/pdf/ukpga_20070027_en.pdf
APPENDIX 2
Extracts from statutory provisions
This appendix sets out extracts from the following statutory provisions:
• Schedules 1–3 of the Data Protection Act 1998 regarding fair processing requirements;
• section 29 of the Data Protection Act 1998;
• section 68 of the Serious Crime Act 2007;
• section 71 of the Serious Crime Act 2007; and
• section 72 of the Serious Crime Act 2007.
1. FAIR PROCESSING REQUIREMENTS IN THE DATA PROTECTION ACT 1998
The first data protection principle
Schedule 1, Part I, paragraph 1
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
Schedule 1, Part II
Interpretation of the principles in Part I
The first principle
1 (1) In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.
(2) Subject to paragraph 2, for the purposes of the first principle data are to be treated as obtained fairly if they consist of information obtained from a person who –
(a) is authorised by or under any enactment to supply it, or
(b) is required to supply it by or under any enactment or by any convention or other instrument imposing an international obligation on the United Kingdom.
2 (1) Subject to paragraph 3, for the purposes of the first principle personal data are not to be treated as processed fairly unless –
(a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3), and
(b) in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3).
(2) In sub-paragraph (1)(b) “the relevant time” means –
(a) the time when the data controller first processes the data, or
(b) in a case where at that time disclosure to a third party within a reasonable period is envisaged –
i. if the data are in fact disclosed to such a person within that period, the time when the data are first disclosed,
ii. if within that period the data controller becomes, or ought to become, aware that the data are unlikely to be disclosed to such a person within that period, the time when the data controller does become, or ought to become, so aware, or
iii. in any other case, the end of that period.
(3) The information referred to in sub-paragraph (1) is as follows, namely –
(a) the identity of the data controller,
(b) if he has nominated a representative for the purposes of this Act, the identity of that representative,
(c) the purpose or purposes for which the data are intended to be processed, and
(d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
3 (1) Paragraph 2(1)(b) does not apply where either of the primary conditions in sub-paragraph (2), together with such further conditions as may be prescribed by the Secretary of State by order, are met.
(2) The primary conditions referred to in sub-paragraph (1) are –
(a) that the provision of that information would involve a disproportionate effort, or
(b) that the recording of the information to be contained in the data by, or the disclosure of the data by, the data controller is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4 [text omitted from this extract]
Schedule 2
Conditions relevant for purposes of the first principle: processing of any personal data
1–2 [text omitted from this extract]
3 The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4 The processing is necessary in order to protect the vital interests of the data subject.
5 The processing is necessary –
(a) for the administration of justice,
(b) for the exercise of any functions conferred on any person by or under any enactment,
(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.
6 (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
(2) The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.
Schedule 3
Conditions relevant for purposes of the first principle: processing of sensitive personal data
1 [text omitted from this extract]
2 (1) The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.
(2) [text omitted from this extract]
3–6 [text omitted from this extract]
7 (1) The processing is necessary –
(a) for the administration of justice,
(b) for the exercise of any functions conferred on any person by or under an enactment, or
(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department.
(2) The Secretary of State may by order –
(a) exclude the application of sub-paragraph (1) in such cases as may be specified, or
(b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.
8–10 [text omitted from this extract]
2. RELEVANT PARTS OF SECTION 29 OF THE DATA PROTECTION ACT 1998
29 Crime and taxation
(1) Personal data processed for any of the following purposes –
(a) the prevention and detection of crime,
(b) the apprehension or prosecution of offenders, or
(c) the assessment or collection of any tax or duty or of any imposition of a similar nature,
are exempt from the first data protection principle (except to the extent to which it requires compliance with the conditions in Schedules 2 and 3) and section 7 in any case to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.
(2) [text omitted from this extract]
(3) Personal data are exempt from the non-disclosure provisions in any case in which –
(a) the disclosure is for any of the purposes mentioned in subsection (1), and
(b) the application of those provisions in relation to the disclosure would be likely to prejudice any of the matters mentioned in that subsection.
(4)–(5) [text omitted from this extract]
3. RELEVANT SECTIONS OF THE SERIOUS CRIME ACT 2007
Sharing information with anti-fraud organisations
68 Disclosure of information to prevent fraud
(1) A public authority may, for the purposes of preventing fraud or a particular kind of fraud, disclose information as a member of a specified anti-fraud organisation or otherwise in accordance with any arrangements made by such an organisation.
(2) The information –
(a) may be information of any kind; and
(b) may be disclosed to the specified anti-fraud organisation, any members of it or any other person to whom disclosure is permitted by the arrangements concerned.
(3) Disclosure under this section does not breach –
(a) any obligation of confidence owed by the public authority disclosing the information; or
(b) any other restriction on the disclosure of information (however imposed).
(4) But nothing in this section authorises any disclosure of information which –
(a) contravenes the Data Protection Act 1998 (c. 29); or
(b) is prohibited by Part 1 of the Regulation of Investigatory Powers Act 2000 (c. 23).
(5) Nothing in this section authorises any disclosure by a relevant public authority of information whose subject-matter is a matter about which provision would be within the legislative competence of the Scottish Parliament if it were included in an Act of that Parliament.
(6) In subsection (5) “relevant public authority” means a public authority which has (whether alone or in addition to other functions) functions which are exercisable within devolved competence (within the meaning given by section 54 of the Scotland Act 1998 (c. 46)).
(7) This section does not limit the circumstances in which information may be disclosed apart from this section.
(8) In this section –
• “an anti-fraud organisation” means any unincorporated association, body corporate or other person which enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud or which has any of these functions as its purpose or one of its purposes;
• “information” includes documents;
• “public authority” means any public authority within the meaning of section 6 of the Human Rights Act 1998 (c. 42) (acts of public authorities); and
• “specified” means specified by an order made by the Secretary of State.
71 Code of practice for disclosure of information to prevent fraud
(1) The Secretary of State must prepare, and keep under review, a code of practice with respect to the disclosure, for the purposes of preventing fraud or a particular kind of fraud, of information by public authorities as members of specified anti-fraud organisations or otherwise in accordance with any arrangements made by such organisations.
(2) Before preparing or altering the code, the Secretary of State must consult –
(a) any specified anti-fraud organisation;
(b) the Information Commissioner; and
(c) such other persons as the Secretary of State considers appropriate.
(3) A public authority must have regard to the code in (or in connection with) disclosing information, for the purposes of preventing fraud or a particular kind of fraud, as a member of a specified anti-fraud organisation or otherwise in accordance with any arrangements made by such an organisation.
(4) Nothing in this section applies in relation to any disclosure by a relevant public authority of information whose subject-matter is a matter about which provision would be within the legislative competence of the Scottish Parliament if it were included in an Act of the Scottish Parliament.
(5) The Secretary of State must –
(a) lay a copy of the code, and of any alterations to it, before Parliament; and
(b) from time to time publish the code as for the time being in force.
(6) In this section –
• “information” and “public authority” have the same meaning as in section 68;
• “relevant public authority” has the meaning given by section 68(6); and
• “specified anti-fraud organisation” means any person which is a specified anti-fraud organisation for the purposes of section 68.
72 Data protection rules
In Schedule 3 to the Data Protection Act 1998 (c. 29) (conditions for processing sensitive personal data), after paragraph 7, insert –
“7A (1) The processing –
(a) is either –
i. the disclosure of sensitive personal data by a person as a member of an anti-fraud organisation or otherwise in accordance with any arrangements made by such an organisation; or
ii. any other processing by that person or another person of sensitive personal data so disclosed; and
(b) is necessary for the purposes of preventing fraud or a particular kind of fraud.
(2) In this paragraph “an anti-fraud organisation” means any unincorporated association, body corporate or other person which enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud or which has any of these functions as its purpose or one of its purposes.”
APPENDIX 3
Good practice examples of layered fair processing notices for public authorities
The Information Commissioner recommends that a layered approach is adopted when issuing fair processing notices. The purpose of each layer is described in paragraph 26.
Public authorities wishing to enter into data sharing arrangements with a SAFO must decide for themselves the content and means of issue of fair processing notices, but good practice examples are set out below. They should seek to incorporate notices into existing forms of communication wherever possible.
LEVEL 1: SUMMARY TEXT – EXAMPLE FOR APPLICATION FORMS (for benefits, housing tenancies or employment, for example)
This authority is under a duty to protect the public funds it administers, and to this end may use the information you have provided on this form for the prevention and detection of fraud. It may also share this information under arrangements with a specified anti-fraud organisation under section 68 of the Serious Crime Act 2007.
For further information, see {web link to Level 2 notice on authority’s website} or contact {name and contact details}
LEVEL 2: FULL TEXT – TO BE PUBLISHED ON THE PUBLIC AUTHORITY’S WEBSITE
Sharing of data with a specified anti-fraud organisation
Fraud costs the public sector an estimated £6.47 billion a year. It is in all our interests to prevent it. Public authorities have a particular responsibility to ensure that taxpayers’ money is not taken out of the system fraudulently.
Public authorities are required by law to protect the public funds they administer. Section 68 of the Serious Crime Act 2007 was introduced as part of the Government’s commitment to preventing fraud. Section 68 enables public authorities to disclose information for the purposes of preventing fraud, as a member of a specified anti-fraud organisation or otherwise in accordance with any arrangements made with such an organisation.
A specified anti-fraud organisation enables or facilitates the sharing of information for the prevention of fraud and is specified by an order made by the Secretary of State. A full list of specified anti-fraud organisations can be found at {web link}
{Name of public authority} may disclose the information you provide to a specified anti-fraud organisation for the purposes of preventing fraud. Disclosures of information from a public authority to a specified anti-fraud organisation are subject to a Code of Practice. This may be found at {web link}
In addition, all disclosures must be made in accordance with the Data Protection Act 2008.
Further information
For further details, please contact {name and contact details}
Details of the organisations we share information with are as follows: {detail SAFO(s)}
Produced by COI on behalf of the Home Office. Ref: 290510. October 2008.