Data Sharing for the Prevention of Fraud

Code of practice for public authorities disclosing information to a specified anti-fraud organisation under sections 68 to 72 of the Serious Crime Act 2007
Presented to Parliament pursuant to section 71 of the Serious Crime Act 2007
© Crown copyright 2008

The text in this document (excluding the Royal Arms and other departmental or agency logos) may be reproduced free of charge in any format or medium providing it is reproduced accurately and not used in a misleading context. The material must be acknowledged as Crown copyright and the title of the document specified.

Where we have identified any third party copyright material you will need to obtain permission from the copyright holders concerned.

For any other use of this material please write to Office of Public Sector Information, Information Policy Team, Kew, Richmond, Surrey TW9 4DU or e-mail: [email address]
Contents

Foreword by the Parliamentary Under-Secretary of State for Crime Reduction   3
Foreword by the Information Commissioner   4
Introduction   5
Background   5
The effect of section 68 of the SCA   6
Deciding to share personal information   6
Fairness and transparency   7
Information sharing standards   9
Rights of data subjects   9
Retention of shared information   9
Security of shared information   10
Access to personal information under the FOIA and the DPA   10
Review   11
Compliance with the Code   11
Role of the Information Commissioner   12
Appendix 1: Legislative summary   13
Appendix 2: Extracts from statutory provisions   14
Appendix 3: Good practice examples of layered fair processing notices for public authorities   19
Foreword by the Parliamentary Under-Secretary of State for Crime Reduction

Fraud costs the UK at least £13.9 billion a year. Preventing fraud is clearly better than tackling it once it has happened. Sharing data about fraud or suspected fraud is a very good way – and often the only practical way – to prevent further fraudulent activity and help identify those responsible.

Public authorities have a particular responsibility to ensure that taxpayers’ money is not taken out of the system fraudulently. Losses suffered by public authorities as a result of fraud reduce their ability to provide cost-effective public services. We believe that more can and should be done through the proper sharing of data to prevent fraud. The specification of anti-fraud organisations under the Serious Crime Act 2007 will enable public authorities to share data with the private sector in order to reduce the opportunity for criminals to profit at the taxpayer’s expense.

Of course, it is vital that the benefits of sharing data for the purposes of fraud prevention are balanced against the rights of the individual. By following the requirements of this Code of Practice, public authorities will be able to ensure that the sharing of data is necessary and proportionate, and that both individuals’ rights and the public purse are protected.

Vernon Coaker
Parliamentary Under-Secretary of State for Crime Reduction
Foreword by the Information Commissioner

Fraud prevention is a key priority for the public and private sectors alike. The powers under the Serious Crime Act 2007 allow public sector information to be exchanged with the private sector so that fraud can be detected, targeted and prevented on a much wider scale. However, the powers under the Act must be considered in the context of any Data Protection Act requirements. Specifically, information must be shared in a manner that is proportionate, and any organisations using this information sharing gateway must take steps to ensure that they only share such data as is necessary for the prevention of fraud.

Where multiple partners engage in information sharing, being transparent and enabling individuals to exercise their rights to know how their information is being used is crucial. Equally, the importance of security when sharing personal information has never been as prominent as in recent months, and this must remain a major priority for any organisation wishing to share personal information.

I welcome this high-level Code of Practice in terms of setting out some broad principles and considerations for participants. I also welcome the Home Office’s commitment to make any organisation participating in these information sharing arrangements subject to audit by the Information Commissioner’s Office. The next key step is for organisations to define and agree the detail around what data will be shared and how any data protection risk will be minimised. Personal information is both an asset and a liability, and I expect any organisation involved in sharing personal information under the Serious Crime Act to treat it as such. Complying with the requirements of this Code will allow participants to identify those individuals involved in fraudulent activity while protecting the rights of the majority who are not.

Richard Thomas
Information Commissioner
Introduction

1. This Code of Practice is a requirement of the Serious Crime Act 2007 (the SCA). Public authorities must have regard to it when disclosing information for the purposes of preventing fraud, either as a member of a specified anti-fraud organisation (SAFO) specified by order under the SCA, or otherwise in accordance with any arrangements made by such an organisation. It does not apply to the disclosure of information by a relevant public authority when the subject matter of the information is within the legislative competence of the Scottish Parliament. For these purposes, a relevant public authority is one that has functions (whether alone or in addition to other functions) that are exercisable with devolved competence (within the meaning of section 54 of the Scotland Act 1998).[1]

2. Personal information must be processed in a manner that complies with the Data Protection Act 1998 (DPA) and in accordance with the requirements of this Code of Practice. Specifically, information must be processed in line with an information sharing document agreed with the SAFO (see paragraph 18).

3. Section 68 of the SCA enables public authorities to disclose information for the purposes of preventing fraud in accordance with arrangements with a SAFO. However, not all public authorities will need to rely on section 68 to disclose information under arrangements with a SAFO, because they may already have a common-law or statutory power. As a consequence, this Code applies not only to disclosures under arrangements with a SAFO that use the gateway in the SCA (section 68) but also to disclosures that are lawful under other statutory or common-law powers. In all circumstances the disclosure must still be lawful and fair in terms of the DPA.

4. Neither this Code nor the provisions of the SCA authorises disclosures that contravene the DPA. The purpose of this Code is to provide an overarching code of practice for disclosing information in order to prevent fraud under arrangements with a SAFO. It will complement good data sharing policy and practice guidance, which already exists in many individual public authorities.

5. The Code does not provide guidance to public authorities on what they should do in circumstances where the disclosure of information under arrangements with a SAFO reveals information indicative of actual or potential fraud. In such cases, public authorities should decide what to do in the light of their own policies and practice and those of the relevant SAFO.

6. The Information Commissioner has been consulted in the drafting of this Code. We have also consulted organisations that have shown an interest in being specified as SAFOs.

Background

7. Fraud costs the UK at least £13.9 billion a year. It affects the private and public sectors alike, with many individuals perpetrating frauds against both. It is in all our interests to prevent fraud, and public authorities have a particular responsibility to ensure that taxpayers’ money is not taken out of the system fraudulently.

8. The mechanism provided by the SCA for disclosing information under arrangements with a SAFO gives public authorities an opportunity to share data with the private sector for the purposes of preventing fraud; for many of them, this opportunity has not been available before. For example, the legislation will enable data concerning individuals suspected (on the balance of probability) of committing fraud against the public sector to be shared with other public and private sector bodies, to help protect these bodies against future frauds.

[1] See section 68(5) and (6) of the SCA.
9. This Code, combined with data protection legislation, will ensure that data is shared in a way that is necessary and proportionate, and that takes place within a framework that properly protects individuals’ rights and the security of the data.

The effect of section 68 of the SCA

10. Section 68 provides authority for disclosure by a public authority to a SAFO. It is not concerned with the powers of a SAFO or any person who may receive a disclosure under the power in section 68. However, in order to be specified under the SCA, anti-fraud organisations will be assessed against specific criteria. SAFOs must also meet the requirements of the DPA. A disclosure under section 68 can be to any of the persons identified in section 68(2)(b) (a SAFO, any member of a SAFO or any other person permitted to receive a disclosure under arrangements with a SAFO), so long as it:

(a) is for the purposes of preventing fraud or a particular kind of fraud; and
(b) takes place as part of a public authority’s membership of a SAFO or under some other arrangements with a SAFO (this second possibility is to provide maximum flexibility and takes account of the fact that not all SAFOs will operate a membership scheme); and
(c) does not contravene the DPA.

In this Code of Practice we have used the term “arrangements with a SAFO” to mean a disclosure that meets this test.

11. Appendix 1 provides further details of the legislative scheme.

Deciding to share personal information

12. The DPA requires that personal information must be processed in a way that is fair, lawful and not incompatible with the purposes for which it was obtained.[2] Furthermore, any information that is processed should be relevant and not excessive in relation to the purpose for which it is being shared.[3]

13. The processing of sensitive personal data will not be regarded as fair and lawful (in accordance with the first data protection principle) unless it meets one of the conditions in Schedule 2 and one of the conditions in Schedule 3 to the DPA. Section 72 of the SCA amends Schedule 3 to the DPA to add to the possible conditions covering the permissible processing of sensitive personal data for the prevention of fraud. The new condition will be met if:

(a) the processing is:
(i) a disclosure by a person as a member of, or otherwise under arrangements with, an anti-fraud organisation, or
(ii) any other processing (by the person who made the disclosure or some other person) of sensitive personal data disclosed in that way; and
(b) the processing is necessary for the purposes of preventing fraud or a particular kind of fraud.

14. Under the SCA, “an anti-fraud organisation” means any unincorporated association, body corporate or other person which enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud, or which has any of these functions as its purpose or one of its purposes.

[2] See data protection principles 1 and 2 – www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_9#sch1
[3] See data protection principle 3 – www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_9#sch1
15. The new condition covers a wide range of processing in addition to disclosures under section 68 of the SCA. Sensitive personal data is defined in section 2 of the DPA and includes, for example, the commission or alleged commission by the data subject of any offence, his racial or ethnic origin, his political opinions and his religious beliefs.[4] Public authorities must ensure that any sensitive personal data is handled appropriately and in accordance with data protection legislation.

16. The information disclosed may be of any kind. Types of information could include, for example, the identifying details of individuals suspected of fraudulently obtaining services.

17. However, public authorities must not disclose excessive information and must only disclose the minimum information necessary for the purposes of preventing fraud or a particular kind of fraud.

Information sharing document

18. In practice the information disclosed will be governed to a large extent by the requirements of the arrangements with a SAFO under which the public authority intends to disclose information. Public authorities should prepare an agreed information sharing document with the SAFO, setting out mutually agreed standards on areas such as the use, handling and security of information. This should incorporate the requirements of this Code of Practice and follow the Information Commissioner’s Office’s (ICO) information sharing framework code.[5]

19. When deciding whether or not to disclose information under arrangements with a SAFO, public authorities should consider:

• whether in their own individual circumstances it would be sensible to take part in the arrangements;
• whether in their own individual circumstances they can meet the requirements of the DPA in participating;
• the types and levels of fraud that they may be subject to;
• whether disclosing information to a SAFO would be a good use of their resources in reducing fraud;
• the type of information they will be disclosing and how this can be minimised to that which is necessary to prevent fraud or a particular kind of fraud; and
• whether the information sharing mechanisms of the SAFO will suit the purposes of the public authority.

20. The SAFO may be able to provide advice on the disclosure of information based on previous experience, or may be willing to undertake a trial or a pilot exercise ahead of final decisions being made. Any trial or pilot exercise must be DPA-compliant. Under the DPA, a data controller is defined as “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”. Both the public authority and the SAFO will have obligations as data controllers under their information sharing arrangements. The SAFO will also have had to meet certain requirements in order to be specified under the SCA.

Fairness and transparency

21. Public authorities will be required to ensure that their data sharing practices are fair and transparent. SAFOs will also be required to have fair and transparent processes in place for disclosing and receiving data. Public authorities must satisfy themselves that these processes are satisfactory before any data is shared. Public authorities that disclose information to SAFOs will need to be aware of and comply with these processes when sharing information under arrangements with them.

[4] See DPA section 2 – www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_2#pt1-l1g2
[5] www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/pinfo-framework.pdf
Fair processing notices

22. The DPA requires data controllers to inform individuals of how their personal information is being used. Specifically, the first data protection principle requires the following details to be provided:

(a) the identity of the data controller (together with the identity of any nominated representative for the purposes of the DPA, if the authority has one);
(b) the purpose or purposes for which the data is intended to be processed; and
(c) any further information that is necessary to enable the processing to be fair.

23. The provision of this information is known as a fair processing notice.

24. Participating public authorities should, so far as is practicable, ensure that fair processing notices are actively provided, or at least made readily available, to the individuals whose personal data the public authority will or may share. The notice should clearly state that their data may be disclosed for the purposes of preventing fraud, and that the data may be provided to other persons under arrangements with a SAFO for this purpose. The notice should also contain details of how individuals can find out more about the sharing of their data. Where a public authority is only likely to use one SAFO, the public authority should consider whether it would be appropriate to name that SAFO in the fair processing notice. In any event, details of the SAFO should be available on enquiry.

25. If the public authority is transparent in terms of how personal information is processed, individuals will be able to understand what their information is being used for and who is using it. They will also know who to contact if they have concerns or queries. Furthermore, transparency can have the beneficial side-effect of deterring fraud, as people become aware of the measures taken by the organisations involved to detect fraud.

Layered notices

26. The Information Commissioner recommends a layered approach to fair processing notices; this involves giving a relatively simple first explanation backed up by a more detailed explanation. Public authorities should make clear where individuals can obtain further information about the type of fraud they are trying to prevent, and how, why and with whom their information is being shared (by, for example, providing web links to more detailed information, or contact details for a named person such as the key contact on data sharing or a data protection officer).

27. Arrangements should be in place for dealing with questions and complaints about data sharing. Roles and responsibilities in both the public authority and the SAFO should be agreed and defined within the information sharing document.

28. Examples of layered fair processing notices can be found in Appendix 3.

Retrospective notices

29. Sometimes it will not be possible to provide a fair processing notice at the point when data is collected. In such cases, public authorities must issue retrospective fair processing notices as soon as practicable, unless it is impracticable to do so (because, for example, disproportionate effort would be required).[6] The term “disproportionate effort” is not defined in the DPA. What does or does not amount to disproportionate effort is a question of fact to be determined in each and every case. In deciding this, public authorities will need to take into account a number of factors including the nature of the data and the time and cost involved in issuing a retrospective fair processing notice. These factors will need to be balanced against the prejudicial or potential prejudicial effect on the data subject of failing to issue such a notice.

[6] See DPA Schedule 1, Part II, paragraphs 2 and 3 – www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_9/sch1-pt2
Information sharing standards

30. Public authorities should disclose information to a SAFO under an information sharing document that has been agreed with the SAFO. This should specify agreed arrangements for, among other things, fair processing, data minimisation, retention and use of the data, security of the data and the rights of data subjects. It should follow this Code of Practice and the ICO’s own information sharing framework code.

31. Public authorities should ensure that any data they share with a SAFO is in accordance with the DPA.[7] Among other things, the DPA principles require that the data shared must be up to date, accurate, relevant, and no more than is required for the purpose. The requirements of the SAFO will largely determine what information is relevant. Public authorities must also ensure that there are agreed standards, set out within their information sharing document, for the secure transmission of data to and from SAFOs.

Rights of data subjects

32. It is important that the rights of data subjects are recognised in any information sharing arrangement. If information is processed in a manner that does not comply with the DPA (for example, where subject access requests are not handled correctly) or is processed unlawfully or inaccurately, this will breach data protection legislation. It could also breach libel laws and have a potentially serious effect on the data subject; for example, the sharing of inaccurate data could lead to services being withheld from an individual who qualifies for them. Data must be processed in line with the rights of data subjects, and public authorities must ensure that arrangements for doing this are specified in their information sharing arrangements with SAFOs.

33. Every public authority must ensure that:

(a) there is someone with specific responsibility for data protection issues within the organisation; and
(b) there are members of staff who are nominated to handle subject access requests, enquiries and complaints from data subjects about the organisation’s handling of personal data.

34. If identified, any inaccurate information in the public authority’s records should be corrected and any SAFO to which the data has been passed should be notified, so that its record of the data can also be corrected.

35. Public authorities should periodically quality-assure data that could be shared. Arrangements for doing so should be set out in the agreed information sharing document.

Retention of shared information

36. It is a requirement of the DPA that personal information should be kept only for as long as necessary. How long it is “necessary” to hold such information will depend on the purpose for which the public authority holds the information, and its own policies and practices.

37. Public authorities and SAFOs should agree in their information sharing document a maximum period of time for which information shared under their arrangements can be held.

38. The SAFO should ensure that data no longer required is destroyed promptly and rendered irrecoverable. The same will apply to data derived or produced from the original data, except where section 33 of the DPA applies (in relation to data processed for research purposes).

[7] See DPA Schedule 1 – www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_9#sch1
Security of shared information

39. Much of the information handled by public authorities and SAFOs will be of a sensitive nature. It is essential to have appropriate technical and organisational measures in place to assure the security of such information. This should be set out and agreed in the information sharing document between the public authority and the SAFO. When creating the information sharing document, public authorities will want to carry out a risk assessment to identify the type of security problems that could occur and the effectiveness of their current security measures.

40. The DPA requires that organisations have appropriate technical and organisational measures in place to protect personal data.[8]

41. When dealing with information that is indicative of actual or potential fraud following data sharing under arrangements with a SAFO, a public authority should consider technical and organisational measures such as:

• establishing role-based access to personal data, i.e. only allowing staff access to the information they need to do their jobs;
• providing specialised training and supervision for staff who have access to sensitive personal data;
• limiting the availability of data to selected, named individuals within the organisation who have been suitably trained;
• ensuring that all computers and buildings used for data processing have physical and logical access controls limiting access to certain individuals (for example, firewalls, computer passwords and secure premises);
• taking regular back-ups of the information held electronically if it will cause damage or distress if lost or stolen;
• having agreed, secure methods for transferring data; and
• undertaking periodic audits of its security arrangements, involving the SAFO as appropriate.

42. SAFOs will have their own security safeguards, and public authorities that choose to share data under arrangements with them should satisfy themselves that these safeguards are adequate for their purposes.

43. Public authorities must also have procedures in place to deal with any breaches of security. Examples of measures that public authorities should consider in relation to security breaches include:

• having procedures in place to contain the situation and limit the damage that any security breach can cause;
• carrying out a risk assessment of the potential adverse consequences for individuals of any security breach;
• assessing who to notify, if necessary, that a security breach has occurred; and
• having procedures in place to investigate the causes of any breach and the effectiveness of the response to it.

Access to personal information under the FOIA and the DPA

44. Individuals whose data is shared under arrangements with a SAFO will also have rights of access to information under the DPA or the Freedom of Information Act 2000 (FOIA).

[8] See data protection principle 7 – www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_9#sch1-pt1
45. SAFOs will have their own policies and practices for dealing with requests for personal information under the DPA, as will public authorities. Where public authorities share data under arrangements with a SAFO, they will need to ensure that their practice is consistent with that organisation to ensure that requests are handled in accordance with the DPA.

46. As data will be shared under this Code to prevent fraud, there may be times when it is appropriate to use section 29 of the DPA to prevent access by an individual to the data. However, this exemption applies on a case-by-case basis and only where it is likely to prejudice the processing in question.

47. Under the FOIA, a person has the right to be told whether information is held by a public authority and to be given a copy (unless it is exempt). Public authorities should have in place practices and procedures in order to fulfil the requirements of the legislation.

48. Under the data sharing arrangements covered by this Code, it is likely that public authorities and the private sector will share personal data with one another. In dealing with FOIA requests, public authorities must comply with the FOIA while at the same time being mindful of the potential interests of the private sector organisations with which they share information. Arrangements should be put in place to ensure consultation between the relevant parties when such requests are made and before a reply is given.

Review

By the Home Office

49. The Home Office will periodically review, by sample, arrangements between public authorities and SAFOs to ensure their compliance with this Code.

By public authorities

50. This Code covers the disclosure of data by public authorities under arrangements with a SAFO for the purpose of preventing fraud.

51. Public authorities will be able to assess whether and to what extent they wish to take part in the data sharing arrangements made possible by the SCA. They may wish to take part in a pilot exercise with a SAFO before making a final judgement. Any pilot exercise must comply with the DPA.

52. Having entered into such a scheme, public authorities should, in consultation with SAFOs as appropriate, periodically review whether:

• their information sharing agreements are working in practice;
• the arrangements are an appropriate and effective anti-fraud measure;
• fair processing notices are relevant and appropriate;
• the quality of the data held by the public authority and any partner organisations is of agreed standards;
• retention periods are being complied with and continue to meet business needs;
• security remains adequate;
• any security breaches are investigated, with lessons learned and acted on in an appropriate fashion; and
• individuals are being given access to the information they are entitled to.

Compliance with the Code

53. Where the Home Office becomes aware that the requirements of this Code are not being followed in practice, it will notify the public authority and ask it to introduce measures to comply. The Home Office may unspecify SAFOs that do not comply with the SCA or data protection legislation, and may notify the ICO.

54. Any general questions and concerns should be addressed to the Home Office in the first instance.
Role of the Information Commissioner

55. Questions and concerns relating to the DPA should be referred to the ICO, which may be contacted at:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

ICO helpline: 08456 30 60 60 / 01625 54 57 45
E-mail: [email address]
Website: www.ico.gov.uk (use the online enquiries form rather than the above e-mail address for questions regarding the legislation for which the Information Commissioner is responsible)

56. During the Parliamentary passage of the SCA, the Government gave an undertaking that the Information Commissioner would be given access to audit and inspect data sharing arrangements between public authorities and SAFOs. It is a condition of being specified that anti-fraud organisations will give the Information Commissioner such access. Participating public authorities must also provide access so that the Commissioner can assess compliance with the DPA generally.
Appendix 1: Legislative summary

Section 68 of the SCA provides for public authorities to disclose information for the purposes of preventing fraud, or a particular kind of fraud, as a member of a specified anti-fraud organisation or otherwise in accordance with any arrangements made with such an organisation.

An anti-fraud organisation is defined in the SCA as “any unincorporated association, body corporate or other person which enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud or which has any of these functions as its purpose or one of its purposes”.[9] An anti-fraud organisation becomes specified by an order made by the Secretary of State. At present there are six specified anti-fraud organisations:

• CIFAS;
• Experian Limited;
• Insurance Fraud Investigators Group;
• N Hunter Limited;
• the Insurance Fraud Bureau; and
• the Telecommunications United Kingdom Fraud Forum Limited.

The SCA provides that the information disclosed can be of any kind and may be disclosed to the SAFO, any member of it, or any other person to whom disclosure is permitted by the arrangements concerned.

The SCA further provides that disclosure under the arrangements does not breach any obligation of confidence owed by the public authority disclosing the information, or any other restriction on the disclosure of information. It does not, however, authorise any disclosure that contravenes the DPA (or is prohibited by Part 1 of the Regulation of Investigatory Powers Act 2000, which deals with the interception of communications).

The power of disclosure in section 68 can be used by any public authority in the UK except a relevant public authority in relation to information whose subject matter would be within the legislative competence of the Scottish Parliament.

“Public authority” means any public authority within the meaning of section 6 of the Human Rights Act 1998.

Wrongful disclosure of information held by a public authority is usually covered by the DPA. Section 69 of the SCA creates an offence relating to making a further disclosure of information that has been disclosed by a public authority under arrangements with a SAFO, other than in certain specified circumstances listed in section 69(2). In practice, this provision currently relates only to HM Revenue and Customs (HMRC) information, disclosed by HMRC itself, which reveals the identity of the person to whom it relates. The offence could be extended to information held by other public authorities by order under the SCA, but there are no current plans to do so.

Finally, the SCA also amended Schedule 3 to the DPA by adding a new condition, relating to the sharing of data under arrangements with an anti-fraud organisation, for the processing of sensitive personal data.

This Code has been prepared in accordance with section 71 of the SCA, which requires the Secretary of State to prepare and keep under review a code of practice with respect to the disclosure, for the purposes of preventing fraud, of information by public authorities as members of SAFOs or otherwise in accordance with any arrangements made by such organisations. The Secretary of State must consult any SAFO, the Information Commissioner and such other persons as he considers appropriate in preparing the Code. Public authorities sharing data under the arrangements are required to have regard to the Code. A copy, and any alteration to it, must be laid before Parliament.

[9] See section 68(8) of the SCA – www.opsi.gov.uk/acts/acts2007/ukpga_20070027_en_6#pt3-ch1-pb1-l1g68
13
Data Sharing for the Prevention of Fraud
Extracts from the relevant legislation can be found at
APPenDIX 2
Appendix 2.
The full text of the Act is available at:
extracts from statutory
www.opsi.gov.uk/acts/acts2007/pdf/
provisions
ukpga_20070027_en.pdf
This appendix sets out extracts from the following
statutory provisions:
• Schedules 1–3 of the Data Protection Act 1998
regarding fair processing requirements;
• section 29 of the Data Protection Act 1998;
• section 68 of the Serious Crime Act 2007;
• section 71 of the Serious Crime Act 2007; and
• section 72 of the Serious Crime Act 2007.
1. FAIR PROCESSING REQUIREMENTS IN THE DATA PROTECTION ACT 1998
The first data protection principle
Schedule 1, Part I, paragraph 1
Personal data shall be processed fairly and lawfully and,
in particular, shall not be processed unless –
(a) at least one of the conditions in Schedule 2 is met,
and
(b) in the case of sensitive personal data, at least one of
the conditions in Schedule 3 is also met.
Schedule 1, Part II
Interpretation of the principles in Part I
The first principle
1
(1) In determining for the purposes of the first
principle whether personal data are processed fairly,
regard is to be had to the method by which they
are obtained, including in particular whether any
person from whom they are obtained is deceived
or misled as to the purpose or purposes for which
they are to be processed.
(2) Subject to paragraph 2, for the purposes of the
first principle data are to be treated as obtained
fairly if they consist of information obtained from
a person who –
(a) is authorised by or under any enactment to supply it, or
(b) is required to supply it by or under any enactment or by any convention or other instrument imposing an international obligation on the United Kingdom.
2
(1) Subject to paragraph 3, for the purposes of the first principle personal data are not to be treated as processed fairly unless –
(a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3), and
(b) in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3).
(2) In sub-paragraph (1)(b) “the relevant time” means –
(a) the time when the data controller first processes the data, or
(b) in a case where at that time disclosure to a third party within a reasonable period is envisaged –
i. if the data are in fact disclosed to such a person within that period, the time when the data are first disclosed,
ii. if within that period the data controller becomes, or ought to become, aware that the data are unlikely to be disclosed to such a person within that period, the time when the data controller does become, or ought to become, so aware, or
iii. in any other case, the end of that period.
(3) The information referred to in sub-paragraph (1) is as follows, namely –
(a) the identity of the data controller,
(b) if he has nominated a representative for the purposes of this Act, the identity of that representative,
(c) the purpose or purposes for which the data are intended to be processed, and
(d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
3
(1) Paragraph 2(1)(b) does not apply where either of the primary conditions in sub-paragraph (2), together with such further conditions as may be prescribed by the Secretary of State by order, are met.
(2) The primary conditions referred to in sub-paragraph (1) are –
(a) that the provision of that information would involve a disproportionate effort, or
(b) that the recording of the information to be contained in the data by, or the disclosure of the data by, the data controller is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4
[text omitted from this extract]
Schedule 2
Conditions relevant for purposes of the first principle: processing of any personal data
1–2 [text omitted from this extract]
3 The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4
The processing is necessary in order to protect the vital interests of the data subject.
5
The processing is necessary –
(a) for the administration of justice,
(b) for the exercise of any functions conferred on any person by or under any enactment,
(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.
6
(1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
(2) The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.
Schedule 3
Conditions relevant for purposes of the first principle: processing of sensitive personal data
1 [text omitted from this extract]
2 (1) The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.
(2) [text omitted from this extract]
3–6
[text omitted from this extract]
7
(1) The processing is necessary –
(a) for the administration of justice,
(b) for the exercise of any functions conferred on any person by or under an enactment, or
(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department.
(2) The Secretary of State may by order –
(a) exclude the application of sub-paragraph (1) in such cases as may be specified, or
(b) provide that, in such cases as may be specified, the condition in sub-paragraph (1) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.
8–10
[text omitted from this extract]
2. RELEVANT PARTS OF SECTION 29 OF THE DATA PROTECTION ACT 1998
29 Crime and taxation
(1) Personal data processed for any of the following purposes –
(a) the prevention and detection of crime,
(b) the apprehension or prosecution of offenders, or
(c) the assessment or collection of any tax or duty or of any imposition of a similar nature,
are exempt from the first data protection principle (except to the extent to which it requires compliance with the conditions in Schedules 2 and 3) and section 7 in any case to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.
(2)
[text omitted from this extract]
(3) Personal data are exempt from the non-disclosure provisions in any case in which –
(a) the disclosure is for any of the purposes mentioned in subsection (1), and
(b) the application of those provisions in relation to the disclosure would be likely to prejudice any of the matters mentioned in that subsection.
(4)–(5)
[text omitted from this extract]
3. RELEVANT SECTIONS OF THE SERIOUS CRIME ACT 2007
Sharing information with anti-fraud organisations
68 Disclosure of information to prevent fraud
(1) A public authority may, for the purposes of preventing fraud or a particular kind of fraud, disclose information as a member of a specified anti-fraud organisation or otherwise in accordance with any arrangements made by such an organisation.
(2) The information –
(a) may be information of any kind; and
(b) may be disclosed to the specified anti-fraud organisation, any members of it or any other person to whom disclosure is permitted by the arrangements concerned.
(3) Disclosure under this section does not breach –
(a) any obligation of confidence owed by the public authority disclosing the information; or
(b) any other restriction on the disclosure of information (however imposed).
(4) But nothing in this section authorises any disclosure of information which –
(a) contravenes the Data Protection Act 1998 (c. 29); or
(b) is prohibited by Part 1 of the Regulation of Investigatory Powers Act 2000 (c. 23).
(5) Nothing in this section authorises any disclosure by a relevant public authority of information whose subject-matter is a matter about which provision would be within the legislative competence of the Scottish Parliament if it were included in an Act of that Parliament.
(6) In subsection (5) “relevant public authority” means a public authority which has (whether alone or in addition to other functions) functions which are exercisable within devolved competence (within the meaning given by section 54 of the Scotland Act 1998 (c. 46)).
(7) This section does not limit the circumstances in which information may be disclosed apart from this section.
(8) In this section –
• “an anti-fraud organisation” means any unincorporated association, body corporate or other person which enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud or which has any of these functions as its purpose or one of its purposes;
• “information” includes documents;
• “public authority” means any public authority within the meaning of section 6 of the Human Rights Act 1998 (c. 42) (acts of public authorities); and
• “specified” means specified by an order made by the Secretary of State.
71 Code of practice for disclosure of information to prevent fraud
(1) The Secretary of State must prepare, and keep under review, a code of practice with respect to the disclosure, for the purposes of preventing fraud or a particular kind of fraud, of information by public authorities as members of specified anti-fraud organisations or otherwise in accordance with any arrangements made by such organisations.
(2) Before preparing or altering the code, the Secretary of State must consult –
(a) any specified anti-fraud organisation;
(b) the Information Commissioner; and
(c) such other persons as the Secretary of State considers appropriate.
(3) A public authority must have regard to the code in (or in connection with) disclosing information, for the purposes of preventing fraud or a particular kind of fraud, as a member of a specified anti-fraud organisation or otherwise in accordance with any arrangements made by such an organisation.
(4) Nothing in this section applies in relation to any disclosure by a relevant public authority of information whose subject-matter is a matter about which provision would be within the legislative competence of the Scottish Parliament if it were included in an Act of the Scottish Parliament.
(5) The Secretary of State must –
(a) lay a copy of the code, and of any alterations to it, before Parliament; and
(b) from time to time publish the code as for the time being in force.
(6) In this section –
• “information” and “public authority” have the same meaning as in section 68;
• “relevant public authority” has the meaning given by section 68(6); and
• “specified anti-fraud organisation” means any person which is a specified anti-fraud organisation for the purposes of section 68.
72 Data protection rules
In Schedule 3 to the Data Protection Act 1998 (c. 29) (conditions for processing sensitive personal data), after paragraph 7, insert –
“7A (1) The processing –
(a) is either –
i. the disclosure of sensitive personal data by a person as a member of an anti-fraud organisation or otherwise in accordance with any arrangements made by such an organisation; or
ii. any other processing by that person or another person of sensitive personal data so disclosed; and
(b) is necessary for the purposes of preventing fraud or a particular kind of fraud.
(2) In this paragraph “an anti-fraud organisation” means any unincorporated association, body corporate or other person which enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud or which has any of these functions as its purpose or one of its purposes.”
APPENDIX 3
Good practice examples of layered fair processing notices for public authorities
The Information Commissioner recommends that a layered approach is adopted when issuing fair processing notices. The purpose of each layer is described in paragraph 26.
Public authorities wishing to enter into data sharing arrangements with a SAFO must decide for themselves the content and means of issue of fair processing notices, but good practice examples are set out below. They should seek to incorporate notices into existing forms of communication wherever possible.
LEVEL 1: SUMMARY TEXT – EXAMPLE FOR APPLICATION FORMS (for benefits, housing tenancies or employment, for example)
This authority is under a duty to protect the public funds it administers, and to this end may use the information you have provided on this form for the prevention and detection of fraud. It may also share this information under arrangements with a specified anti-fraud organisation under section 68 of the Serious Crime Act 2007.
For further information, see {web link to Level 2 notice on authority’s website} or contact {name and contact details}
LEVEL 2: FULL TEXT – TO BE PUBLISHED ON THE PUBLIC AUTHORITY’S WEBSITE
Sharing of data with a specified anti-fraud organisation
Fraud costs the public sector an estimated £6.47 billion a year. It is in all our interests to prevent it. Public authorities have a particular responsibility to ensure that taxpayers’ money is not taken out of the system fraudulently.
Public authorities are required by law to protect the public funds they administer. Section 68 of the Serious Crime Act 2007 was introduced as part of the Government’s commitment to preventing fraud. Section 68 enables public authorities to disclose information for the purposes of preventing fraud, as a member of a specified anti-fraud organisation or otherwise in accordance with any arrangements made with such an organisation.
A specified anti-fraud organisation enables or facilitates the sharing of information for the prevention of fraud and is specified by an order made by the Secretary of State. A full list of specified anti-fraud organisations can be found at {web link}
{Name of public authority} may disclose the information you provide to a specified anti-fraud organisation for the purposes of preventing fraud.
Disclosures of information from a public authority to a specified anti-fraud organisation are subject to a Code of Practice. This may be found at {web link}
In addition, all disclosures must be made in accordance with the Data Protection Act 2008.
Further information
For further details, please contact {name and contact details}
Details of the organisations we share information with are as follows: {detail SAFO(s)}
Produced by COI on behalf of the Home Office. Ref: 290510. October 2008.