Official
Process-specific MoU
Memorandum of Understanding
between
Department for Work and Pensions
and
Her Majesty’s Revenue and Customs
In Respect of Data Sharing of Personal Information with Data and
Analytics
If you require further help, please contact your Senior Responsible Officer (SRO) (DWP) or Data Guardian
(DG)(HMRC) in the first instance.
If necessary, your SRO or DG will contact Central Policy Information Policy and Disclosure team,
Security & Information or others as appropriate for additional advice and support.
Version: 9.0
Page 1 of 29
MoU Reference Number: MOU-UA-
P0001
Official
Glossary of key terms
In this Agreement the following words and phrases will have the following meanings:
B&C
Benefits and Credits
CESG
UK government’s National Technical Authority for
Information Assurance
CRCA
Commissioners for Revenue and Customs Act
D&A
Data and Analytics
Data Controller
has the meaning given in
Part 1 (1) DPA 1998
Data Processor
has the meaning given in
Part 1 (1) DPA 1998
Data Protection Legislation
means the Data Protection Act 1998, the EU Data
Protection Directive 95/46/EC, the Regulation of
Investigatory Powers Act 2000, the
Telecommunications (Lawful Business Practice)
(Interception of Communications) Regulations 2000 (SI
2000/2699), the Electronic Communications Data
Protection Directive 2002/58/EC, the Privacy and
Electronic Communications (EC Directive) Regulations
2003 and all applicable laws and regulations relating to
processing of personal data and privacy, including
where applicable the guidance and codes of practice
issued by the Information Commissioner
Data Subject
has the meaning given in
Part 1 (1) DPA 1998
DF(LPS)
Department of Finance , Land and Property Services
Departments
Refers explicitly to the DWP and HMRC for the basis of
this document. References to any other Government
Department will be explicitly referenced where
required.
DFC
Department for Communities
DPA
Data Protection Act 1998
DWP
Department for Work and Pensions
FoIA
Freedom of Information Act 2000
HMRC
Her Majesty’s Revenue and Customs
UNCLASSIFIED
Version: 9.0
Page 2 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
2
Official
LA
Local Authorities
Law
means any applicable law, statute, bye-law, regulation,
order, regulatory policy, guidance or industry code, rule
of court or directives or requirements of any Regulatory
Body, delegated or subordinate legislation or notice of
any Regulatory Body
MOU
Memorandum of Understanding
NIHE
Northern Ireland Housing Executive
Partners
means partners to this Agreement, namely the
Secretary of State for Work and Pensions and Her
Majesty’s Revenue and Customs
Processing & Process
has the meaning given in
Part 1 (1) DPA 1998
Personal data
has the meaning given in
Part 1 (1) DPA 1998
Regulatory Bodies
means those government departments and regulatory
statutory and other entities, committees and bodies
which, whether under statute, rules, regulations, codes
of practice or otherwise, are entitled to regulate,
investigate, or influence matters dealt with in this
Agreement and “Regulatory Body” shall be construed
accordingly
Sensitive personal data
has the meaning given in
Part 1 Section 2 of the DPA
1998
UNCLASSIFIED
Version: 9.0
Page 3 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
3
Official
Signatory Details
DWP Senior
Responsible Owner
HMRC Senior
(Customer Services Security and
Responsible Owner
Information Business Partner)
HMRC Senior
( RIS Analysis –CNI)
Responsible Owner
Version History
Version
Date
Summary of changes
Changes
marked
0.1
09/07/2010 Draft version
No
0.2
06/08/2010 Draft Version
No
0.3
08/09/2010 Draft Version
No
0.4
10/01/2011 Draft Version
No
0.5
04/02/2011 Final Version
No
1.0
04/02/2011 Final Version
No
1.1
06/10/2011 Draft Version
No
1.2
24/10/2011 Final Version
No
2.0
24/10/2011 Final Version
No
2.1
09/11/2011 Final Version
No
3.0
09/11/2011 Final Version
No
4.0
23/07/2012 Final Version
No
UNCLASSIFIED
Version: 9.0
Page 4 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
4
Official
4.1
10/12/2012 Draft Version
No
4.2
17/01/2013 Draft Version
No
4.3
07/02/2013 Draft Version
No
4.4
01/03/2013 Final Version
No
5.0
01/03/2013 Final Version
No
5.1
01/05/2014 Draft Version
No
5.2
10/06/2014 Draft Version
No
5.3
01/07/2014 Draft Version
No
6.0
01/07/2014 Final Version
No
6.1
26/05/2015 Draft Version
Yes
6.2
26/06/15
Draft Version
Yes
6.3
15/07/15
Draft Version
Yes
6.4
30/07/15
Draft version
Yes
7.0
21/08/15
Final Version
No
7.1.
10/01/17
Draft Version
No
7.2
30/01/17
Draft Version
No
8.0
07/2/2017
Final Version
NO
8.1
29/01/18
Draft Version
No
8.2
22/02/18
Draft Version
No
8.3
27/02/18
Draft Version
No
8.4
14/03/18
Draft Version
No
8.5
10.04.18
Draft Version
No
9.0
11.04.18
Final Version
No
Review Dates
Version
Publication date
Review date
1.0
04/02/2011
October 2011
2.0
24/10/2011
October 2012
3.0
09/11/2011
October 2012
4.0
23/07/2012
October 2013
UNCLASSIFIED
Version: 9.0
Page 5 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
5
Official
5.0
03/04/2013
April 2014
6.0
24/07/2014
July 2015
7.0
21/08/2015
August 2016
8.0
07/02/2017
February 2018
9.0
11/04/2018
February 2019
UNCLASSIFIED
Version: 9.0
Page 6 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
6
link to page 2 link to page 4 link to page 4 link to page 5 link to page 9 link to page 10 link to page 10 link to page 10 link to page 11 link to page 12 link to page 12 link to page 13 link to page 13 link to page 14 link to page 14 link to page 14 link to page 15 link to page 15 link to page 16 link to page 16 link to page 17 link to page 17 link to page 17 link to page 19 link to page 20
Official
Contents
Glossary of key terms
2
Signatory Details
4
Version History
4
Review Dates
5
Introduction
9
Purpose of the data share
10
Data items to be shared
10
How data will be shared
10
Legal Power
11
Data Controller relationship
12
Onward Disclosure
12
Data Quality Assurance
13
Data Security
13
Data Retention and Destruction
14
Subject Access Requests
14
Freedom of Information Requests
14
Security Incidents
15
Liaison and Monitoring Arrangements
15
Resolving Issues
16
Review
16
Termination
17
Appendices
17
Appendix A – Contact details for key members of staff from Partner organisations
17
Appendix B – List of Data Items DWP is sharing with HMRC
19
Appendix C – List of Data Items HMRC is sharing with DWP
20
UNCLASSIFIED
Version: 9.0
Page 7 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
7
link to page 22 link to page 24 link to page 25 link to page 27
Official
Appendix D – Legal Gateways for the Sharing of Information
22
Appendix E Document Control Personnel
24
Appendix F – Savings & Investments Data Exchange
25
Signatories
27
UNCLASSIFIED
Version: 9.0
Page 8 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
8
Official
Introduction
1.
This Memorandum of Understanding ( MOU) sets out the data sharing arrangements
between the “
Partners”, that is Her Majesty’s Revenue and Customs and the Secretary
of State for Work and Pensions (DWP), in relation to the sharing of personal data held by
HMRC with the Data and Analytics section of DWP.
2.
This MOU describes the regular strategic data exchanges between HMRC and DWP
Data and Analytics (D&A). The DWP operates a number of IT systems to support the
delivery of its services across the United Kingdom. These IT systems are utilised by the
Department for Communities (DFC) to deliver its operational commitments. DWP data
exchanges documented in the MOU therefore include customers of DFC. This MOU
relates to the bulk exchange (as detailed in Appendix B &C) of information assets
between HMRC and DWP and does not replace or supersede other MOUs that support
inter-departmental understandings, for example between HMRC Benefits & Credits, DWP
& DFC for the provision of Live Service to deliver Child Benefit and Tax Credits. All
MOUs between HMRC and DWP will stand independently of each other.
3.
This MOU documents the lawful basis for this data sharing initiative, together with the
principles and processes for securely exchanging and using information. The Partners
agree to observe all the obligations set out in this MOU.
4.
This MOU is not a contract and is not legally binding. It does not create a legal power for
either Partner to lawfully exchange and process personal information, and it does not
provide indemnity from action under the DPA or any other law.
5.
This MOU does not remove or reduce legal obligations or responsibilities on either
Partner, for example as data controllers under the DPA. The Partners have entered into
this MOU for the purposes of the Data Protection Principles set out in
Schedule 1 to the
DPA and the Seventh Data Protection Principle in particular, which requires that:
“Appropriate technical and organisational measures shall be taken against unauthorised or
unlawful processing of personal data and against accidental loss or destruction of, or damage
to, personal data.”
UNCLASSIFIED
Version: 9.0
Page 9 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
9
Official
6.
This MOU will commence when the final version has been signed by or on behalf of all
Partners and will terminate in accordance with paragraphs 47 and 48. This MOU will
supersede the previous agreement signed on 07.03.17.
7.
Both departments are subject to the forthcoming General Data Protection Regulation
which takes effect from 25 May 2018. Note that GDPR compliance may trigger additional
changes to this MoU.
Purpose of the data share
8.
The purpose of this MOU is to set out the arrangement for, and to give effect to the
scheduled bulk data exchanges between HMRC and D&A of DWP, detailed in Appendix
B and Appendix C.
9.
As part of the overarching strategy for a more joined-up government and better use of
information, both parties undertake to continue to work together to identify opportunities
to evolve information sharing to help realise the potential of information across
government.
10.
Any future strategic data shares which are not currently incorporated will need to be
entered into this agreement. These additional data shares must be inserted via the
amendment process detailed at paragraph 45 and with the agreement of both parties.
11.
Tactical ad-hoc data exchanges to support non-regular activities will not form part of this
understanding; these exchanges will be managed separately.
12.
This document seeks to articulate and support the sharing of data between the two
departments, but operational detail regarding the delivery mechanisms and financial
arrangements of individual activities are documented separately elsewhere.
Data items to be shared
13.
This MOU relates to the bulk exchange (as detailed in Appendix B and Appendix C) of
information assets between HMRC and DWP (D&A)_
How data will be shared
UNCLASSIFIED
Version: 9.0
Page 10 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
10
Official
14.
In addition to the legal considerations, DWP and HMRC have agreed arrangements in
place for how exchanges of data will be managed and operated. These arrangements
provide a framework for staff within each of the organisations, to ensure that exchanges
are legitimate, formally authorised and that confidentiality is maintained.
See details at:
Appendix B &C – Bulk data Exchanges
Appendix B&C – Schedule of Data Provision
Appendix F
– Savings & Investments Data Exchange
Legal Power
15.
This MOU documents legal gateways for exchange of bulk data; this does not override
the need to comply with relevant legislation and respective departmental processes. Its
aim is to inform stakeholders of the high level commitment for the supply of information to
support the core business of the two departments.
16.
Section 127 of the Welfare Reform Act 2012 allows information held by HMRC, or any
person providing services to HMRC, for the purposes of HMRC functions to be supplied
to:
DWP
A Northern Ireland Department; or
Any person providing services to DWP or the Northern Ireland Department,
for the purposes of social security functions, which include child maintenance functions.
17.
For the purpose of Section 127 DWP functions are defined as:
UNCLASSIFIED
Version: 9.0
Page 11 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
11
Official
Social Security (This includes Child Maintenance)
Employment and training
The investigation and prosecution of tax credit offences on behalf of HMRC and
Child Maintenance
HMRC functions are those defined at Schedule 1 of the Commissioners of Revenue and
Customs Act 2005.
18.
Where information supplied under this section has been used for purposes for which it
was supplied, it is lawful for it to be used for any purposes for which information held for
those purposes could be used.
Data Controller relationship
19.
Data will be supplied (shown in Appendix B&C) on the understanding that it may only be
used in accordance with the purposes set out in the relevant legislation under which it has
been provided. HMRC / DWP will become data controllers upon receipt of the other
department’s information, as defined in the Data Protection Act 1998 unless the receiving
department is considered as Data Processor under the Act. These exceptions are stated
in Appendix B&C of this MOU.
Onward Disclosure
20.
Both HMRC and DWP are bound by legislative obligations of confidentiality, with
disclosure of information by officers constituting a criminal offence except in certain
permitted circumstances broadly where there is a legislative gateway or customer
consent. For DWP staff the criminal sanction for unauthorised disclosure is detailed at
section 123 of the Social Security Administration Act 1992, for DfC staff at Section 117 of
the Social Security Administration (Northern Ireland) Act 1992 and for HMRC staff at
section 19 of the Commissioners for Revenue and Customs Act 2005. All exchanges of
information will comply with the Data Protection Act 1998, respect rights arising under the
European Convention of Human Rights, and HMRC’s statutory obligations. Appendix D
details existing statutory gateways that underpin data sharing between the two
departments.
UNCLASSIFIED
Version: 9.0
Page 12 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
12
Official
21.
Information is shared between DWP and HMRC by way of Section 127 Welfare Reform
Act 2012. This legislation allows DWP and HMRC to lawfully share information that each
has received for its lawful functions. It is a permissive gateway so any new use of
information is subject to permission from the provider. No information may be onwardly
disclosed to another party (other than service providers who are subject to the same
confidentiality criteria as the owning department and who are not data controllers, but
acting as data processors) without the permission of the providing department.
Employment and training
The investigation and prosecution of tax credit offences on behalf of HMRC, and
Child Maintenance.
22.
DWP will not onward disclose HMRC data to any outside organisation unless permitted
in law and not without prior approval by HMRC.
23.
HMRC will not onward disclose DWP data to any outside organisation unless permitted in
Law and not without prior approval by DWP.
Data Quality Assurance
24.
The exporting department will ensure that data integrity meets their department’s
standards, unless more rigorous or higher standards are required and agreed at the
requirements stage.
25.
Where queries arise from the supply of data relating to quality or integrity, a resolution
plan will be agreed within 5 working days, unless otherwise negotiated.
Data Security
26.
As part of her Majesty’s Government, both HMRC and DWP must process personal data
in compliance with the Mandatory Minimum Measures issued by HM Cabinet Office and
CESG (UK government’s National Technical Authority for Information Assurance),
including all policies and guidance in relation to information security and assurance when
handling, transferring, storing or accessing information assets.
27.
Data will be transferred in accordance with agreed and documented procedures prior to
delivery.
UNCLASSIFIED
Version: 9.0
Page 13 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
13
Official
Data Retention and Destruction
28.
Data will be retained in line with agreed DWP and HMRC policies. All data should be
securely deleted once the agreed retention period has expired in accordance with the
DWP Records Management Policy.
29.
HMRC data that is not matched with a DWP customer record following three consecutive
bulk data extract refreshes becoming available must be securely deleted from DWP
systems.
30.
The latest refresh is considered to be available when the internal DWP cleansing
processes have been completed and the latest refresh is operationally available
31.
HMRC data that has matched will be retained for up to five years for operational use
within DWP or any local authority that DWP has passed data to. All HMRC data should
be securely deleted from all systems or destroyed after five years or after it is no longer
needed for operational purposes (whichever is sooner)
32.
DWP data that has been matched will be retained for up to five years for operational use
with in HMRC or any local authority that HMRC has passed data to. All DWP Data should
be securely deleted from all systems or destroyed after five years or after it is no longer
needed for operational purposes (whichever is sooner)
Subject Access Requests
33.
As long as the data is purely used for research/statistical purposes only it is exempt from
the SAR process. Section 33 of the Data Protection Act 1998 – Research, history &
statistics applies. Subject access does not have to be given provided that the results of
the research or any resulting statistics are not made available in a form which identifies
data subjects. For any exceptions, all partners must respond to subject access requests
accordingly within the legal limit of 40 calendar days (1 calendar month from 25/05/18) .
Freedom of Information Requests
UNCLASSIFIED
Version: 9.0
Page 14 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
14
Official
34.
Partners subject to the requirements of the Freedom of Information Act 2000, will assist
and cooperate with each other, to enable each to comply with its information disclosure
obligations.
35.
Where a Freedom of Information request is received by a Partner to this agreement,
which relates to data that has been provided by another Partner, the Partner receiving the
request, will notify the other to allow it the opportunity to make representations on the
potential impact of disclosure and input to the response.
Security Incidents
36.
The Partners will follow their own internal processes on the discovery of an Information
Security Incident and advise their own security teams.
37.
In the event of any security incident where a potential or actual data loss has occurred or
where any actions undertaken highlight the potential for an uncontainable reputational
risk involving the other department’s data, then the respective incident handling contacts
must be notified as matter of urgency and within one working day of becoming aware.
Contact details for these representatives are provided in Appendix A.
38.
In the event of an Information Security Incident (or where there is reasonable cause to
believe that such an incident may arise), the Partners will delay data transfers until the
cause or incident is resolved, as authorised by the signatories to this agreement. If the
incident cannot be resolved or if - in the view of the Partners – it is very serious, data
transfers will stop and will not resume until the signatories to this agreement are satisfied
with the security arrangements.
Liaison and Monitoring Arrangements
39.
Both departments recognise the need for, and commit to maintaining continued close
liaison between HMRC and DWP which is essential to continued effective operations of
both departments, to ensure effective delivery of our respective services. Details of these
arrangements are outside the scope of this document. Any information assurance issues
UNCLASSIFIED
Version: 9.0
Page 15 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
15
Official
should be passed to
contact details are provided in Appendix A.
40.
Any issues regarding the ongoing delivery aspects of the information supply should be
addressed through business as usual channels detailed in Appendix A
41.
Anticipated changes to the data specification should be communicated through business
as usual channels as detailed in Appendix A at the earliest opportunity to allow impact
analysis to be undertaken and planned changes to be considered, impacted, developed
and tested.
Resolving Issues
42.
Where the business as usual channels fail to reach agreement, the departments will
attempt to negotiate a settlement in the spirit of joint resolution, using escalation contacts,
within 20 working days of a formal notification being received. Contacts detailed in
Appendix A.
Review
43.
Scheduled formal reviews of this MOU will take place annually to assess the ongoing
effectiveness of this data sharing initiative and this agreement
.
44.
Reviews outside of this schedule can be requested by any Partner, upon giving written
notice to the other signatories.
45.
Specific individual strands of activity that may affect this MOU should be discussed at a
business as usual level to consider the possible impact on the MOU, once the potential
changes have been identified then a formal change notification should be sent to the
‘Review Control Contacts’ detailed in Appendix A
46.
External changes affecting the operational delivery responsibilities of the departments will
also necessitate the reviewing and potential amendment of this agreement.
47.
To expedite this MOU whilst HMRC internal discussions on business ownership for
strategic MOUs is undertaken, HMRC Benefit and Credit colleagues have agreed to act
UNCLASSIFIED
Version: 9.0
Page 16 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
16
Official
as a signatory of this MOU. The subsequent decision will necessitate a review of this
MOU.
Termination
48.
Any Partner can terminate this MOU, without giving a reason, on expiry of one (1)
month’s written notice to the other partners.
49.
Any Partner can terminate this MOU with immediate effect, where another Partner
breaches any of its obligations to this MOU.
50.
Termination notices should be addressed to the signatories to this MOU.
51.
In the event of termination, data will cease to be shared under the terms of this
agreement.
Appendices
Appendix A – Contact details for key members of
staff from Partner organisations
DWP – Business As Usual
Contact
E-mail
Responsibility
Data Protection Team
Information Assurance
Security Incidents
Operations
Security Incidents
Review Coordinator
FOI Requests
UNCLASSIFIED
Version: 9.0
Page 17 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
17
Official
DWP – Escalation
Contact
E-mail
Responsibility
Information Assurance
Operations
Review Coordinator
Security Incidents
Freedom of Information
Requests
HMRC – Business As Usual
Contact
E-mail
Responsibility
Legal
IMS Live Services
Review Coordinator
Security Incidents (Benefits &
Credits related)
HMRC FOI
Freedom of Information
Team
Requests
HMRC – Escalation
Contact
E-mail
Responsibility
Legal
IMS Live Services
UNCLASSIFIED
Version: 9.0
Page 18 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
18
Official
Review Coordinator
Freedom Of Information
Requests
Appendix B – List of Data Items DWP is sharing with
HMRC
Exact details of volumes and methods of transfer, should these be required are documented
within DWP and HMRC via DTRs and DMRs
Data Item
Legal Gateway
National Insurance Recording
[DWP Acting as Data Processor]
System / Bluebook
Family Resource Survey
(Consent)
Payroll Cleanse
Welfare Reform Act 2012,section 127
Child Benefit Fraud & Error
Para 6 of schedule 5 in the Tax Credits Act
Referrals
2001.
CIS Audit Events (LA&DWP NTC
Welfare Reform Act 2012,section 127
Access)
DWP (NTC joint interest load) CRA
Tax Credit Act 2002 Schedule 5
Living Together
RTE Audit Events (DWP & HMRC
Welfare Reform Act 2012 section 127
Access)
Data Exchange
Frequency
National Insurance Recording
Annually
System / Bluebook
Family Resource Survey
3 Times per year
Child Benefit Fraud & Error
Monthly
Referrals
CIS Audit Events (LA&DWP NTC
Daily
Access)
UNCLASSIFIED
Version: 9.0
Page 19 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
19
Official
DWP (NTC joint interest load) CRA
Monthly
Living Together
RTE Audit Events (DWP & HMRC
Daily
Access)
Appendix C – List of Data Items HMRC is sharing
with DWP
Exact details of volumes and methods of transfer, should these be required are documented
within DWP and HMRC via DTRs and DMRs
Data Item
Legal Gateway
Child Tax Credits 100% (Monthly)
Tax Credits Act 2002 (schedule 5)
Child Tax Credits 10% (Monthly)
Tax Credits Act 2002 (schedule 5)
Working Tax Credit 100%(Monthly)
Tax Credits Act 2002 (schedule 5)
Working Tax Credit 10% (Monthly)
Tax Credits Act 2002 (schedule 5)
New Tax Credits 100% (Weekly)
Tax Credits Act 2002,
Sch 3 Child Maintenance Act (Northern
Ireland) 2008.
New Tax Credits sample (Monthly)
Tax Credits Act 2002
New Tax Credits 100% GMS
Tax Credits Act 2002
(Weekly)
New Tax Credit Viewer Audit Trail
[DWP Acting as Data Processor]
National Insurance Record System
Welfare Reform Act 2012,section 127 and
(NIRS) 1% (Note - this is a static
section 3 of the Social Security Act 1998
dataset which is not updated)
NIRS2 1%
Welfare Reform Act 2012,section 127
and section 3 of the Social Security Act 1998
P45/46 data (Monthly)
Welfare Reform Act 2012,section 127 and
section 3 of the Social Security Act 1998,
Sch 3 Child Maintenance Act (Northern
Ireland) 2008.
P14 Earnings data (Monthly)
Welfare Reform Act 2012,section 127
and section 3 of the Social Security Act 1998,
Sch 3 Child Maintenance Act (Northern
Ireland) 2008.
Self-Assessed data (Monthly)
Welfare Reform Act 2012,section 127
and section 3 of the Social Security Act 1998,
Sch 3 Child Maintenance Act (Northern
Ireland) 2008.
UNCLASSIFIED
Version: 9.0
Page 20 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
20
Official
Savings Data: (Sch23 FA 2011)
Welfare Reform Act 2012,section 127 and
Bank and Building Society Accounts section 3 of the Social Security Act 1998,
Investment Data: PEPs, ISAs,
Pensions Act 2004, sections 234, 235,
TESSAs, VCTs, PP & SHP
Sch 3 Child Maintenance Act (Northern
Ireland) 2008.
Child Benefit/Guardians Allowance
Tax Credits Act 2002 (schedule 5) and
100% (4 weekly)
section 3 of the Social Security Act 1998,
Sch 3 Child Maintenance Act (Northern
Ireland) 2008.
S12 Children Act 2004
Migrant Workers (Nino Allocation to
Welfare Reform Act 2012,section 127 and
overseas nationals)
section 3 of the Social Security Act 1998
Payroll Cleanse
Welfare Reform Act 2012,section 127
Child Benefit Online Audit Trail
[DWP Acting as Data Processor]
HMRC (NTC) CRA Living Together
Tax Credit Act 2002 Schedule 5
RTI Data for Evaluation purposes
Welfare Reform Act 2012,section 127
NTC Compliance Settlement Data
Welfare Reform Act 2012, section 127 and
section 3 of the Social Security Act 1998
Data Exchange
Frequency
Child Tax Credits 100%
Monthly
Child Tax Credits 10%
Monthly
Working Tax Credits 100%
Monthly
Working Tax Credits 10%
Monthly
New Tax Credits
Weekly
New Tax Credits Sample
Monthly
New Tax Credits 100% GMS
Weekly
National Insurance Recording
Not updated
System 1%
National Insurance Recording
Bi -Annually
System 2. 1%
P45/46
Monthly
P14
Monthly
Savings; Sch23 FA 2011, PEPs,
Yearly
TESSAs, ISAs, VCTs, PPs
(complete tax year)
Child Benefit / Guardians Allowance 4-weekly
100%
UNCLASSIFIED
Version: 9.0
Page 21 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
21
Official
Migrant Workers
Quarterly
Payroll Benefit
Monthly
Child Benefit Online Audit Data
Daily
HMRC (NTC) CRA Living Together
Monthly
Self-Assessed
Monthly
Self-Assessed (complete tax year)
Yearly
RTI data for evaluation purposes
Monthly
New Tax Credits Audit Data
Daily
NTC Compliance Settlement Data
Monthly
Appendix D – Legal Gateways for the Sharing of
Information
Data may be exchanged between Her Majesty’s Revenue and Customs and Department for
Work and Pensions / Department for Communities under the following legislation, regulations,
guidance and agreements or the N. Ireland equivalents:-
Schedule 5 Tax Credits Act 2002
Section 236, Schedule 10 of the Pension Act 2004
Commissioners for Revenue and Customs Act 2005
Section 127 Welfare Reform Act 2012
HMRC functions as defined in Section 127 of the Welfare Reform Act 2012
For which the Commissioners for Her Majesty's Revenue and Customs are responsible
by virtue of section 5 of the Commissioners for Revenue and Customs Act 2005 , [...] 3
Which relates to a matter listed in Schedule 1 to that Act [, or] 4[
Which is conferred by or under the Childcare Payments Act 2014;
Any further amendment to functions that may be made in law until the next review
The above should not be used in isolation, but with regard to the following:-
Data Protection Act 1998
General Data Protection Regulation from 25.05.18 and supporting UK Data Protection
Law anticipated to be the Data Protection Act 2018
UNCLASSIFIED
Version: 9.0
Page 22 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
22
Official
Human Rights Act 1998
Finance Act 1997
Social Security Administration Act 1992 Data Matching Code of Practice.
Social Security Contributions (Transfer of Functions, etc.) Act 1999 Schedule 6
Employment Act 2002
Section 3 Social Security Act 1998. The range of information covered was
amended by Paragraph 1 Schedule 6 of the Employment Act 2002 to include
employment and training as well as covering social security, child support and war
pensions.
And for fraud purposes:
Police and Criminal Evidence Act 1984 together with its Codes of Practice
(England and Wales only)
Regulation of Investigatory Powers Act 2000
Criminal Procedures Investigation Act 1996 together with its Code of Practice
(England and Wales only)
Social Security Fraud Act 2001 (S.3(1))
Northern Ireland specific legislation:
Sections 115D, 115E, 116, 116ZA and 116AA - Social Security Administration
(Northern Ireland) Act 1992
Social Security Contributions (Transfer of Functions, etc.) (Northern Ireland) Order
1999
Section 3 - Social Security Fraud Act (Northern Ireland) 2001
Employment (Northern Ireland) Order 2002
Employment (Northern Ireland) Order 2003
Pensions (Northern Ireland) Order 2005
Police and Criminal Evidence (Northern Ireland) Order 1989
UNCLASSIFIED
Version: 9.0
Page 23 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
23
Official
Appendix E Document Control Personnel
Parties
The parties to this Data Sharing Agreement are:
Department for Work and Pensions of:
Government Buildings
Peel Park
Brunel Way
Blackpool
FY4 5ES
and
Her Majesty’s Revenue and Customs of:
100 Parliament Street
London
SW1A 2BQ
Key personnel
Name
Organisation (Team)
Author
DWP D&A Data Delivery Control
Team
Approvers
DWP D&A Senior Responsible
Officer
UNCLASSIFIED
Version: 9.0
Page 24 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
24
Official
HMRC Customer Services Security
and Information Business Partner
HMRC RIS Analysis - CNI
Review
DWP D&A Data Delivery
DWP D&A Data Delivery Control
Control
Control Team
Team
HMRC Benefits & Credits
DfC Corporate Support Branch
Appendix F – Savings & Investments Data Exchange
This Appendix is included because savings and investments data is secured by legal notice for
a specific legal purpose and use of this data is restrictive. It details the specifics of the
agreement in place between both departments in relation to the following data exchanges:
Sch23 FA 2011 (savings and current accounts);
Personal Equity Plans;
Individual Savings Accounts;
Venture Capital Trusts;
Private Pensions (investments).
The following detail sets out the additional assurances agreed between both departments to
support the bulk exchange of the data detailed. This additional detail does not however remove
the minimum standards requirements documented throughout the MoU, but should be seen as
building on them.
Data uses
Jobcentre Plus & Pensions, Disability & Carer Service - Referrals.
Referrals identifying potential fraud and error will be issued by electronic work lists to each
office, either via the Fraud Referral and Intervention Management System (FRAIMS) or the
UNCLASSIFIED
Version: 9.0
Page 25 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
25
Official
Generalised Matching Service Referral Management System (GMS RMS). Staff can only
access the work lists of these systems through roles and access controls and the access is
audited. Each referral within the work list will contain details relating to a DWP customer and
the bank account details identified from the HMRC data.
The HMRC data within any referral should be treated as a form of intelligence which is not
disclosable and should be treated with caution. Investigators should use their powers where
available to go directly to the bank or building society to obtain full details of the account.
Where possible other data sources should be checked to support the credibility of the HMRC
data. If this intelligence is challenged by a claimant then referrals should be made by DWP
either directly to the bank or building society concerned or internally back to HMRC It should not
be a matter for the claimant to take up with HMRC.
Referrals to Jobs and Benefit / Social Security Offices within the DfC in Northern Ireland are
included within the scope of this data use.
Local Authorities / Northern Ireland Housing Executive - Referrals.
Referrals identifying potential fraud and error for Housing Benefit and/or Council Tax Benefit will
be issued to Local Authorities (LAs) / Northern Ireland Housing Executive (NIHE) / Department
of Finance , Land and Property Services (DF [LPS]) Rates Division in work lists, by DWP
corporately approved electronic transfer methods.
There are circa 400 LAs / NIHE / DFP [LPS] offices in total including Northern Ireland. Referrals
sent to each LA / NIHE / DF [LPS] office will only relate to that LA’s / NIHE / DF [LPS] offices
benefit claimants.
LAs/NIHE / DF [LPS] offices will be subject to a MoU with the DWP covering the term of access
and handling arrangements required for these data assets.
Other Uses.
The HMRC data identified here may also be used for the following purposes.
UNCLASSIFIED
Version: 9.0
Page 26 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
26
Official
Rapid Review, a risk based process, which identifies customers whose claims are due for
review and using data identifies claims where contact with the customer is not required as no
changes have occurred.
Analytical Services Unit of the Department for Communities will develop and analyse household
administrative data to inform impact of policy changes in welfare and support benefit take-up
analysis.
The sharing of the data with the Department for Business, Energy and Industrial Strategy &
Welsh Assembly Gvt for the purpose of assessing the effectiveness of training schemes for over
19s in moving them to higher paying employment.
Any additional requirements for the use of this data will be discussed formally between both
Departments and any new uses agreed documented in the Appendix of the MoU at the next
formal review.
CMG Data Uses
Referrals identifying potential fraud and error will be issued by electronic work lists to a central
site within CMG, currently the Financial Investigations Unit, named HEO Lynn Slater.
Staff can only access the work lists as controls and the access is restricted and audited. Each
referral within the work list will contain details relating to a CMG customer and the bank account
details identified from the HMRC data.
The HMRC data within any referral should be treated as a form of intelligence which is not
disclosable and should be treated with caution. Investigators should use their powers where
available to go directly to the bank or building society to obtain full details of the account.
Where possible other data sources should be checked to support the credibility of the HMRC
data.
Signatories
Signed by
UNCLASSIFIED
Version: 9.0
Page 27 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
27
Official
Representing the Secretary of State for Work and Pensions
Name:
Full contact details:
Date: 27/04/18
Signed by
Representing HMRC
Name: Stephen Muckle
Full contact details:
Date: 24.04.18
UNCLASSIFIED
Version: 9.0
Page 28 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
28
Official
Signed by
Representing HMRC
Name:
Full contact details:
Date:12.04.18
UNCLASSIFIED
Version: 9.0
Page 29 of 29
Status: Final
MoU Reference Number: MOU-UA-P0001
29