ADD PROTECTIVE MARKING OF ‘OFFICIAL – UNMARKED – MARKED - SENSITIVE’
WHEN COMPLETED, DEPENDING ON CONTENT
Process-specific MoU Template
Memorandum of Understanding (Process)
between
HMRC (CS&TD KAI Benefits and Credits) and
Department for Work and Pensions (DWP)
To support development of Universal Credit, Work Programme
and Work and Health Programme
The reference numbers of the related Umbrella MOU are: MOU-UA –P0001 and MOU-
UA-P049
Version 4.
Page 1 of 12
MoU Reference Number:
MOU-UA-P0033
ADD PROTECTIVE MARKING OF ‘OFFICIAL – UNMARKED – MARKED - SENSITIVE’
WHEN COMPLETED, DEPENDING ON CONTENT
Contents
1. Introduction
Page 3
2. Legal Basis
Page 3
3. Purpose of the agreement
Page 4
4. Procedure
Page 4
5. Security and Assurance
Page 5
6. Data Protection Act 1998 (DPA) and Human Rights Act 1998 (HRA)
Page 6
7. Freedom of Information (FOI) Act 2000
Page 6
8. Direct, (or browser) Access specific expectations
Page 6
9. Costs/charges
Page 7
10. Contact details
Page 7
11. Reporting and review arrangements
Page 8
12. Resolving issues
Page 8
13. Signatories
Page 8
14. Document Control Personnel
Page 9
15. Version History
Page 9
16. Review dates
Page 9
17. Glossary of Terms and Abbreviations
Page 10/11
18. List of Data Items
Page 11/12
Version 4.
Page 2 of 12
MoU Reference Number:
MOU-UA-P0033
ADD PROTECTIVE MARKING OF ‘OFFICIAL – UNMARKED – MARKED - SENSITIVE’
WHEN COMPLETED, DEPENDING ON CONTENT
1. Introduction
UC Evaluation - Universal Credit is a major transformation of the UK Working Age
benefit system. Amongst other objectives it aims to improve labour market outcomes by
getting more people into work, keeping them in work for longer, and promoting in-work
progression. DWP has a commitment to evaluate the impacts of Universal Credit and
test whether the projected savings of this major reform are being realised. To do this we
require, from RTI, regular detailed information on the employment status and earnings of
both UC participants and a "counterfactual" group of claimants to legacy benefits against
whom UC claimant's outcomes will be compared. This work was commissioned by
ministers and is a very high priority for DWP.
The NAO has estimated that £2.8 billion in payments will be made to Work Providers
between June 2011 and March 2020. Making best use of available information assets
(including HMRC’s RTI data) has been seen by the DWP's Permanent Secretary and
External Auditors as essential for the Department, allowing effective controls to protect
against overpaying Work Programme providers.
The recent PWC audit of Work Programme payments (following on from the review of
Serco and G4S) cited the following as a key next step for the Department’s validation
regime:
“DWP review and update the validation process to leverage data matching capabilities to reduce the risk
of fraud and error.”
Initial analysis has suggested that such an approach could significantly increase the
strength of Departmental matching. Our ability to estimate start and end dates for
missing returns will improve coverage within our matching, increasing the accuracy of
our automated employment and decrease the level of manual validation required
(estimated to generate a saving of between £200-£500k per annum).
Work Program outcomes. Utilisation of RTI is also an important feature within Work
Programme contract re-negotiations, which includes the extrapolation of Sustainment
Outcomes. Not doing this is estimated to have cost the Department £11 million at March
2014 and were this to continue until March 2020, the estimate has been placed at £25
million. It also allows for the identification of Unclaimed Provider Outcomes, which will
recognise instances where providers support participants into work but are unable to put
in an outcome claim, and it will ensure that the true performance of Work Programme is
reported.
Work and Health programme – The Work and Health Programme (WHP) is a new
provision in England and Wales which launched in November 2017. See document
below for details -
Version 4.
Page 3 of 12
MoU Reference Number:
MOU-UA-P0033
ADD PROTECTIVE MARKING OF ‘OFFICIAL – UNMARKED – MARKED - SENSITIVE’
WHEN COMPLETED, DEPENDING ON CONTENT
2. Legal Basis
The legal gateway allowing HMRC to share such information with DWP is The Welfare
Reform Act 2012, Section 127. Details of the legal gateways for the sharing data of
3. P
da
urpos
ta fo
e
r t
of th
he pu
e a
rpo
gr
se
e
s
e
o
me
f W
nt
o
rk and Health programme are set out separately in the
embedded document in section 1 of this document under Work and Health
Programme.
This transfer is also covered by the Data Sharing arrangements set out in the umbrella
MOU-UA-P0001 (Universal Credit and Work Programme) and MOU-UA-P049 (Work
and Health Programme).
3.
Purpose of the agreement
This agreement applies to the continuation of data exchanges between analytical
teams in HMRC and DWP to support development of Universal Credit, Work
Programme and Work and Health Programme. In particular, it applies to data
exchanges required before permanent arrangements are in place for Real Time
Earnings (RTE).
This process MoU covers the transfer of the quarterly transfer of NINOs (Evaluation List)
from DWP and the monthly return of RTI data for those NINOs from HMRC for the
period 1 April 2017 to 31 March 2019.
4. Procedure
The Evaluation List will consist of a selection of NINOs for Work Program,
Work and Health Program and Universal Credit claimants created from DWP
administrative data by DWP Data and Analytics and sent to HMRC.
DWP will revise the Evaluation List once every three months and send the
revised list to HMRC by GFTS Secure Electronic Transfer (SET).
HMRC Data Guardian does not require the file to be cleansed of SCR’s due to
the risk of being able to compare the original and cleansed file therefore being
able to identify the SCR’s.
HMRC will supply RTI data for the NINOs provided on the latest Evaluation
List and return the data to DWP once every month. This will be sent to DWP
Data and Analytics by GFTS Secure Electronic Transfer every 3rd Friday.
When DWP Data Delivery Team receive the RTI data this will be loaded into
DWP Data Warehouse and made available approved users to undertake
evaluation as described in Paragraph 1 and will send the information to
operational staff to take appropriate action.
Data items that HMRC return to DWP are listed in section 18.
Version 4.
Page 4 of 12
MoU Reference Number:
MOU-UA-P0033
ADD PROTECTIVE MARKING OF ‘OFFICIAL – UNMARKED – MARKED - SENSITIVE’
WHEN COMPLETED, DEPENDING ON CONTENT
5. Security and Assurance
DWP agrees to:
Only use the information for purposes that are in accordance with the legal basis
under which they received it
Only hold the data while there is a business need to keep it
Ensure that only people who have a genuine business need to see the data will
have access to it.
Store data received securely and in accordance with the prevailing central
government standards, for example in secure premises and on secure IT
systems.
Move, process and destroy data securely i.e. in line with the principles set out in
HM Government
Security Policy Framework, issued by the Cabinet Office, when
handling, transferring, storing, accessing or destroying information.
Comply with the requirements in the
Security Policy Framework, and in particular
Section 2.10, to be prepared for and respond to Security Incidents and to report
any data losses, wrongful disclosures or breaches of security relating to
information.
Apply the appropriate baseline set of personnel, physical and information security
controls that offer an appropriate level of protection against a typical threat profile
as set out in
Government Security Classifications, issued by the Cabinet Office,
and as a minimum the top level controls framework provided in the Annex –
Security Controls Framework to the GSC.
Version 4.
Page 5 of 12
MoU Reference Number:
MOU-UA-P0033
ADD PROTECTIVE MARKING OF ‘OFFICIAL – UNMARKED – MARKED - SENSITIVE’
WHEN COMPLETED, DEPENDING ON CONTENT
6. Data Protection Act 1998 (DPA) and Human Rights Act 1998 (HRA)
Nothing in this Memorandum of Understanding wil limit the receiving department’s legal
obligations under the Data Protection legislation and General Data Protection Legislation
(from 25/05/2018).
All the information transferred by HMRC should be relevant, necessary and proportionate to
enable DWP to carry out their task or process.
HM Revenue and Customs and DWP will become the Data Controller (as defined in the
glossary of terms) of any personal data received from the other under the terms of this MOU.
7. Freedom of Information (FOI) Act 2000
HMRC and Public Sector Body are subject to the requirements of the Freedom of Information
Act 2000 (FOI) and shall assist and co-operate with each other to enable each department to
comply with their information disclosure obligations.
In the event of one department receiving a FOI request that involves disclosing information
that has been provided by the other department, the department in question will notify the
other to allow it the opportunity to make representations on the potential impact of disclosure.
All HMRC FOI requests must be notified to Central Policy FOI Team who will engage with the
central FOI team in the supplying organisation.
8. Direct, (or browser) Access specific expectations
Not applicable
Version 4.
Page 6 of 12
MoU Reference Number:
MOU-UA-P0033
ADD PROTECTIVE MARKING OF ‘OFFICIAL – UNMARKED – MARKED - SENSITIVE’
WHEN COMPLETED, DEPENDING ON CONTENT
9. Costs/charges
10. Contact details
Give details of all contacts for all parties to the agreement
For HMRC
For DWP
Name
Job Title
KAI Personal Tax
Data Delivery manager
Team
Knowledge, Analysis &
Data & Analytics, Data Delivery
Intelligence
GSI email
Telephone
Deputy’s name
Deputy’s GSI email
.
Deputy’s telephone
Version 4.
Page 7 of 12
MoU Reference Number:
MOU-UA-P0033
ADD PROTECTIVE MARKING OF ‘OFFICIAL – UNMARKED – MARKED - SENSITIVE’
WHEN COMPLETED, DEPENDING ON CONTENT
11. Reporting and review arrangements
It is expected that this arrangement will be in place until March 2020 for Universal Credit and
Work Program and November 2029 for Work and Health Program
This may need to be reviewed as developments in more strategic options for data share
increase in the Wider Use of data project.
12. Resolving issues
Any complaints, problems, issues etc. that are specific to the information exchanges covered by this
MoU should immediately be referred to the contacts named in section 10. If these can not be resolved
they should be reported, in writing to:
For HMRC
For DWP
Name
Job Title
Data Exchange Champion
Team Manager
Team
Data Exchange champion
DWP, Digital, Strategic Engagement and
External Data Sharing
GSI email
Telephone
13. Signatories
The final document must be signed and dated by the relevant information asset owners. In HMRC this is
usually the Director for the business area. Whilst they retain responsibility, they can nominate a delegate
to sign on their behalf e.g. the Data Guardian.
For HMRC
For DWP
Date: 19/09/2018
Date 09/05/18
Version 4.
Page 8 of 12
MoU Reference Number:
MOU-UA-P0033
ADD PROTECTIVE MARKING OF ‘OFFICIAL – UNMARKED – MARKED - SENSITIVE’
WHEN COMPLETED, DEPENDING ON CONTENT
14. Document Control Personnel
Key personnel
Name & role
Organisation (Team)
Author
HMRC – PT CPP Impacting & Change
team
Approvers
HMRC
DWP
DWP
DWP
Review Control
15. Version History
Version
Date
Summary of changes
Changes
marked
0.1
23.03.15
Initial draft
0.2
30.03.15
1.0
01.04.15
Final version
1.1
15.04.15
Process change (sec 4, para 3/4)
1.2
17.04.15
Final version – MOU Ref inc
1.3
21.04.15
Amended to reflect USB data deletion (sec 4)
1.4
23.04.15
Amended to revert to previous process (sec 4)
2.0
24.04.15
Final version
2.2
21.03.17
Remove first run, amend contact details
3.0
23.03.17
Final version
3.1
21/07/17
Amended Delivery Method
Yes
3.2
26/01/20
wording to reflect addition of Work and Health
yes
18
Program NINOs
4.0
09/05/18
Amend details regarding Legal basis/MOU for
yes
WHP , include references to WHP in section 3, 4
& 11. Extend end date from 2018 to 2019, add
GDPR, change contact details
16. Review dates
Version
Publication date
Review date
4.0
September 2018
September 2019
Version 4.
Page 9 of 12
MoU Reference Number:
MOU-UA-P0033
ADD PROTECTIVE MARKING OF ‘OFFICIAL – UNMARKED – MARKED - SENSITIVE’
WHEN COMPLETED, DEPENDING ON CONTENT
17. Glossary of Terms and Abbreviations
Definition
Interpretation
Ad Hoc Transfer
is defined as being bulk data with a protective marking of restricted
or above and the transfer is part of a pilot or project with a
definitive end date
Data Controller
has the meaning set out in section 1 of the Data Protection Act
1998, i.e. ‘a [natural or legal] person who (either alone or jointly or
in common with other persons) determines the purposes for which
and the manner in which any personal data are, or are to be,
processed’
Data Processor
has the meaning set out in section 1 of the Data Protection Act
1998, i.e. ‘in relation to personal data, any [natural or legal] person
who processes the data on behalf of the data controller’
Data Protection Legislation
means the Data Protection Act 1998, the EU Data Protection
Directive 95/46/EC, the Regulation of Investigatory Powers Act
2000, the Telecommunications (Lawful Business Practice)
(Interception of Communications) Regulations 2000 (SI
2000/2699), the Electronic Communications Data Protection
Directive 2002/58/EC, the Privacy and Electronic Communications
(EC Directive) Regulations 2003 and all applicable laws and
regulations relating to processing of personal data and privacy,
including where applicable the guidance and codes of practice
issued by the Information Commissioner
Direct Access
Covers an information sharing instance where the receiving
Department accesses the Information via direct, or browser,
access to the source system rather than as an extracted
information transfer.
This agreement will require specific terms and conditions ensuring
that access is appropriate and correctly applied, managed and
recorded.
FoIA
means the Freedom of Information Act 2000 and any subordinate
legislation made under this Act together with any guidance and/or
codes of practice issued by the Information Commissioner or
Ministry of Justice in relation to such legislation.
Granting Access
The governance and authority surrounding the authorisation of a
person to have access to a system.
Information Asset Owner
means the individual within a directorate, normally the Director,
(IAO)
responsible for ensuring that information is handled and managed
appropriately
Law
means any applicable law, statute, bye-law, regulation, order,
regulatory policy, guidance or industry code, rule of court or
directives or requirements of any Regulatory Body, delegated or
subordinate legislation or notice of any Regulatory Body
Provisioning Access
The technical channels through which access is made possible,
including the request tools associated with this.
Version 4.
Page 10 of 12
MoU Reference Number:
MOU-UA-P0033
ADD PROTECTIVE MARKING OF ‘OFFICIAL – UNMARKED – MARKED - SENSITIVE’
WHEN COMPLETED, DEPENDING ON CONTENT
Public Sector Body
This will generally be another government department (OGD) but
could be another public sector body (e.g. Local Authority).
Information sharing with a private sector body with which HMRC
has a commercial relationship needs to be covered by a
commercial contract, not an MoU.
Regulatory Bodies
means those government departments and regulatory statutory
and other entities, committees and bodies which, whether under
statute, rules, regulations, codes of practice or otherwise, are
entitled to regulate, investigate, or influence matters dealt with in
this Agreement and “Regulatory Body” shall be construed
accordingly
Senior Information Risk
Provides high level assurance of compliance with HMRC’s
Owner (SIRO)
Information Asset data protection obligations. HMRC’s SIRO is
Mark Dearnley, HMRC Chief Digital & Information Officer, Director
of Chief Digital & Information Officer Group.
Abbreviation
Description
CRCA
The Commissioners for Revenue and Customs Act
MoU
Memorandum of Understanding
FOIA
Freedom of Information Act
FOI
Freedom of Information
HMRC
Her Majesty’s Revenue and Customs
PSB
Public Sector Body
SPF
Security Policy Framework
CAF
Controlled Access Folder
SCR
Secure Customer Record
18. List of Data Items
1
Record_Type
2
Cwh_Income_Tax_Year_Key
3
Tax_Year_Indicator
4
Hmrc_Office_Number
5
Paye_Scheme_Reference
6
Employer_Name_1
7
Employer_Name_2
8
Employer_Trade_Name_1
9
Employer_Trade_Name_2
10
Valid_Nino
11
Employee_Surname
12
Employee_Forename_1
13
Employee_Forename_2
14
Employee_Initials
15
Date_Of_Birth
16
Gender
17
Nps_Employment_Seq_No
Version 4.
Page 11 of 12
MoU Reference Number:
MOU-UA-P0033
ADD PROTECTIVE MARKING OF ‘OFFICIAL – UNMARKED – MARKED - SENSITIVE’
WHEN COMPLETED, DEPENDING ON CONTENT
18
Payroll_Id
19
Rti_Start_Date_Sk
20
Rti_Leaving_Date_Sk
21
Pyt_Taxable_Pay_In_Period
22
Pyt_Non_Tax_Or_Nic_Payment
23
Pyt_Dedns_From_Net_Pay
24
Pyt_Pay_After_Stat_Dedns
25
Pyt_Bfits_Taxed_Via_Payroll
26
Pyt_Emp_Pen_Cont_Paid
27
Pyt_Items_Subject_To_Class1nic
28
Pyt_Emp_Pen_Cont_Notpaid_Net
29
Pyt_Tax_Deducted_Or_Refunded
30
Nlt_Gross_Erng_For_Nics_Inpd
31
Nlt_Emp_Contribns
32
Taxable_Pay_Ytd
33
Total_Tax_Ytd
34
Nlt_Emp_Contribns_Ytd
35
Hrs_Worked_Desc
36
Rti_Pay_Frequency_Sk
37
Payment_Date
38
Weekly_Period_Number
39
Monthly_Period_Number
40
Earnings_Periods_Covered
41
Payment_After_Leaving
42
Irregular_Payment
43
Merger_Indicator
44
Ips_Id
45
Rti_Bacs_Pmt_Status_Sk
46
Occupational_Pension
47
On_Strike
48
Unpaid_Absence
49
Ytt_Bfits_Paid_Via_Payroll_Ytd
50
Ytt_Emp_Pen_Cont_Paid_Ytd
51
Ytt_Emp_Pen_Cont_Notpaid_Ytd
52
Tax_Code
53
Multiple_Ips_Count
54
Bacs_Payment_Amount
55
Ytt_Smp_Ytd
56
Rti_Ni_Letter_Type_Sk
57
Rti_Directors_Nic_Sk
58
Late_Reason
59
Exempt_Electronic
60
Nino
61
Rti_Ips_Sk
62
End_Of_Record
Version 4.
Page 12 of 12
MoU Reference Number:
MOU-UA-P0033