Consultation outcome

Government Response - Consultation on extending the National Fraud Initiative (NFI) data matching to new purposes

Updated 22 August 2022

Executive summary

The effective use of the right data at the right time can support how the Government works, ensure value for money, enable more effective decision making, and make sure that public services work for those that use them. The Government remains committed to improving the use of data in the process of government and public service delivery.

The National Fraud Initiative (NFI) has demonstrated the benefits and opportunities in using data more effectively. Launched in 1996, the NFI has supported the fraud detection capabilities of public bodies enabling data matching on data at a national level. To date it has achieved cumulative fraud prevention and detection savings of over £2 billion and wider benefits for participants.

Extending the data matching of the NFI to the additional purposes set out in the Local Audit and Accountability Act 2014 has scope to provide benefits over time, as have been delivered in the counter-fraud context, for the public purse and society.

The consultation on extending the NFI to new purposes and a proposed accompanying Code of Data Matching Practice to govern its possible application was published on 10 February 2021 and ran for 12 weeks. The consultation asked a broad range of questions and gave specific consideration to equalities and data protection-related concerns.

There were over 390 responses to the consultation, from across a wide range of stakeholders and interested parties. This included individuals, special interest groups, and public and private sector organisations. The Government wishes to thank all those who took the time and effort to respond to the consultation, and for the contributions received.

The Cabinet Office has thoroughly reviewed the comments and feedback provided.

Many consultees felt that the NFI should be extended to one or more of the additional new purposes. Many respondents were critical, and the majority of those that were critical emphasised the need for appropriate safeguards and mitigations to protect individuals and their privacy.

This document summarises feedback to the consultation, and the Government response to the consultation.

In line with the Government’s commitment to doing more to prevent and detect fraud, including the creation of the new Public Sector Fraud Authority, fraud will remain the focus of the NFI in coming years. Therefore, the Government will not be extending the NFI to new purposes at this current time.

The Cabinet Office will continue to work closely with key stakeholders and interested parties on the new purposes, listening carefully to feedback, to ensure that any future extension fully considers user needs.

The Government understands the concerns expressed by participants relating to data access, use of data, and privacy, and is committed to ensuring that any technical, legal or ethical risks associated with enhanced data use are thoroughly considered as part of new data activities. The Cabinet Office will continue to explore these in the NFI context.

The consultation on extension relates to England only. The NFI may undertake data matching on behalf of Audit Scotland, Audit Wales and the Northern Ireland Audit Office on data collected from bodies in the respective administrations where purposes are provided for across UK Parliament and devolved legislation.

Background

The Government remains committed to improving the use of data in the process of government and public service delivery, and to ensuring that public bodies have the means to allow them to share data easily, to improve their efficiency and delivery of services. The Cabinet Office has a central role in ensuring and creating efficiencies across Government, including through the enhanced use of data.

More needs to be done to ensure that the public purse is used as efficiently and effectively as possible - maximising every taxpayer penny and pound, and supporting the delivery of world-leading public services. This is particularly important in the current climate, where the impact of COVID-19 presents new challenges to public services and the public purse.

Sharing data quickly, effectively and responsibly, across different organisations, has scope to deliver a range of benefits. This has been recognised as central to the response to COVID-19 in effectively keeping people safe, and supporting the economy.

Extending the NFI to new purposes

Since its launch in 1996 the NFI has achieved consistent, high-value outcomes, achieving cumulative fraud prevention and detection savings of over £2 billion through data matching. Since 2008, annual fraud prevention and detection savings have been no less than £200 million every 2 years, reflecting recovered overpayments and forward savings for participants. Since 2020 the NFI has targeted the fraudulent use of COVID-19 support schemes, obtaining £5.4 million in savings.

NFI participants can also experience a range of other benefits from NFI data matches, and any level of investigation. For example, anomalies identified through data matches that are initially investigated as fraud may subsequently be used to update the accuracy of official records, or review and amend processes for data collection and recording, which could in turn support the identification of fraud or improve service delivery. They may also provide organisations with an enhanced knowledge about the extent and types of fraud risks their organisations might face.

The Government has consulted on whether the NFI should be extended to four new purposes. The four purposes are explicitly provided for in the primary legislation that underpins the NFI - the Local Audit and Accountability Act 2014 (LAAA). These purposes are: i) the prevention and detection of errors and inaccuracies; ii) the recovery of debt owed to public bodies; iii) the apprehension and prosecution of offenders; and iv) the prevention and detection of crime.

The improved use of data, greater data sharing, and increased data matching, could deliver benefits across these four areas, supplementing wider government and public sector efforts, while delivering efficiency savings and social outcomes for citizens. Data matches from the NFI data matching service are designed to improve the efficiency of government and public sector bodies, helping taxpayer money to go further.

The Cabinet Office has engaged with a range of different bodies to understand the appetite for extension of the NFI, and the benefits available. Research has supplemented this wider engagement and has provided useful insight. For example, in a 2018 study the Cabinet Office explored how useful extension to each of the purposes would be for a range of bodies. Almost 200 organisations responded, including local authorities, NHS bodies, police, fire and rescue authorities and housing associations. When asked to rate how useful extending to each individual new purpose would be to their organisation, where 5 was completely useful and 0 not at all, the percentage of respondents rating a 3 or over for each purpose ranged between 34% and 73%.

The Cabinet Office has also examined interest in extending the NFI to purposes outside of the four purposes provided for by the LAAA. While interest is low at present, the Government may consult on extending the data matching service of the NFI to support other areas in the future, if there is significant interest in doing so from stakeholders and interested parties.

Background to the NFI

The NFI and its legislative basis can be used to mandate the provision of certain datasets for data matching, from specified organisations, where there is a public benefit in doing so. As a result of the ability to mandate data, the NFI is particularly effective in facilitating data matching across multiple public sector bodies, such as local authorities, at a national scale.

For fraud, mandating the provision of certain datasets for data matching has been supplemented by data matching on a voluntary basis. A range of bodies including public sector bodies and government departments may choose to participate on a voluntary basis. Private and third sector organisations may also choose to participate on a voluntary basis, providing data and accessing data matches where appropriate. The Cabinet Office supports voluntary participation where it has reasonable evidence to suggest that matching data from a voluntary participant would meet an NFI purpose and that doing so would not be in breach of data protection legislation or other data requirements. For example, in the fraud context, the NFI has allowed the participation of housing associations, for housing association data to be matched against other housing related data for the prevention and detection of fraud relating to housing tenancies.

A broad range of organisations participate in the NFI, submitting data for data matching exercises and viewing and utilising data matches. These include central government departments, local authorities, NHS bodies and select private sector bodies such as housing associations. The NFI continually works with a range of bodies to pilot the relevance and effectiveness of matching certain datasets.

Participating bodies are able to share a wide range of datasets from different sources, for matching activity. The full scale of datasets the NFI currently collects is available on GOV.UK and is set out in the NFI privacy notice.

A data processor employed by the Cabinet Office processes data to identify data matches on behalf of other bodies through the NFI, and these insights are provided by that processor directly to participants via a secure web application. The NFI does not require bodies that would like to undertake data matching to have their own processor in place.

The NFI works across government to ensure that data held by government and public authorities can be analysed and processed in the most efficient way possible, with the appropriate legal basis. For example, the Digital Economy Act 2017 (DEA) provides a framework for data sharing between public sector bodies on a permissive basis for specified purposes, and allows certain bodies to undertake data matching through their own data matching frameworks. The NFI has worked with the DEA previously to pilot data activities relating to fraud.

The NFI has a series of measures in place to ensure that data is appropriately safeguarded, which would apply to any extension of the NFI for new purposes. Robust governance and protections, including privacy and security controls, have been designed into the system and the workings of the NFI and continually reviewed since its inception in 1996. All controls are in line with UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

The Cabinet Office would only ever undertake data processing where there was evidence to suggest it could support an NFI purpose - for example where there was evidence from previous data exercises, or reliable information sources such as auditors.

The NFI has operated through a secure and sophisticated web application accredited against the Government’s security policy framework for protecting government assets. This undergoes regular testing and has tight security restrictions in place, applying automatic encryption to all data sent to it, and requiring two-factor authentication for access. Participating bodies have individual user accounts, with specific permissions, and regular security monitoring takes place to identify unusual activity patterns.

A Code of Data Matching Practice (‘the Code’), NFI security policy and NFI privacy notice set out the terms and requirements of the NFI, which the Cabinet Office, any nominated processor, and all participants must have regard to.

The NFI continually reviews the relevance and effectiveness of certain datasets for fraud. Data is only mandated once proven as relevant and effective. Data matching is only ever introduced through proof-of-concept pilots. The Cabinet Office continually publishes information on its evaluation of pilot activities and publishes an overview of NFI activities and outcomes every two years through the NFI national report.

For more information on the NFI, please refer to the section below on how the NFI safeguards and manages data.

Consultation process

The Cabinet Office published the consultation document on extending the NFI to additional purposes and a proposed Code of Data Matching Practice on 10 February 2021.

Consultation materials were sent to a range of relevant stakeholders and interested parties. The consultation ran for 12 weeks and closed on 5 May 2021.

The consultation asked participants to consider a range of questions. These included whether the NFI should be extended to each purpose (the prevention and detection of errors and inaccuracies, the recovery of debt owed to public bodies, the apprehension and prosecution of offenders, the prevention and detection of crime), whether participants wanted to raise equality or data protection related concerns, and for comments on the proposed revised Code of Data Matching Practice.

Participants responded via two channels - an online survey and via email. A series of workshops were also held to provide participants with information on the proposals, which were well attended.

There was a high level of engagement throughout the consultation process. In total, there were 393 responses to the consultation. Of these, 197 were from individuals, 162 from public sector organisations, 15 from private sector organisations, 6 from special interest groups, and 13 anonymous.

The Government wishes to thank all participants for their responses to the consultation.

The Cabinet Office has thoroughly reviewed and considered the feedback provided. This response is being published outside of the usual 12-week period due to the complexity of analysing responses.

Feedback to the consultation on the NFI and its extension to other areas will be used to inform the future development of the NFI, supplementing wider engagement activities.

Analysis of responses and Government response

This section sets out the analysis of the responses received in the consultation and the Government response.

Participants who responded via the survey (in general, public and private sector bodies) generally provided responses to individual consultation questions, while email respondents (generally individuals and special interest groups) usually did not respond directly to the questions and instead provided broader free-text responses, which related to all, some or individual questions and purposes.

As a result, specific figures reflect survey responses only, though the sentiment of all responses is accounted for in the summaries below.

Overall feedback on extension of the NFI to new purposes

Summary of all consultation responses

Across email and survey respondents, many felt that the NFI should be extended to one or more of the four new purposes. At the same time, many were critical of the proposal to extend the NFI unless the extension was accompanied by safeguards to protect individuals and their privacy, and mitigations for perceived risks relating to data access.

The majority of public and private sector organisations that responded largely supported the extension of the NFI to some or all of the four purposes. The majority of individuals and special interest groups raised concerns, and generally opposed extension without sufficient safeguards.

Respondents in favour of extension to one or more of the additional purposes actively cited benefits, including that extension presented an opportunity for information sharing to be strengthened, and that new data matching capabilities and activities could further support efficiencies in the public sector, and yield savings for the public purse. There was significant support for data matching as a concept.

Respondents raised a number of concerns. The majority related to the need for safeguards for individuals’ and their rights to privacy and protection of their personal data.

Many of those who raised concerns suggested that access to data should be restricted. A number of respondents expressed concern at the possibility that extending the NFI would give a range of bodies access to more personal data.

Some participants expressed concern that data from data matches could be used inappropriately, to the disadvantage of certain groups - ethnic minorities, migrants, refugees and asylum seekers were frequently cited - and emphasised the need for safeguards and governance to ensure that data matches were used appropriately. There was particular concern about police and private sector access to data. Some respondents suggested that the impact of the proposals on certain groups should be rigorously assessed.

A related view to this was that there would be a need for independent or external oversight of activity relating to individuals’ data and to ensure enforcement of and compliance with the Code of Data Matching Practice for any extension. A number of respondents voiced this in relation to the police, and private sector bodies, though to a lesser extent.

A number of participants had questions relating to processes and arrangements for data collection, storage and retention and requested further clarity on the data retention practices that would apply. Some respondents emphasised that information should be up to date, to ensure that participating bodies could act on data that was as close to real time as possible.

A number of respondents sought clarity on the roles and responsibilities of the Cabinet Office and NFI participants, and many felt this was unclear in the consultation document.

Around a quarter of respondents requested that any data matching for the new purposes be preceded by a comprehensive Data Protection Impact Assessment (DPIA). Around the same proportion of participants asked that a cooling-off period be provided for NFI data matching for new purposes to be publicly reviewed.

A number of participants expressed concerns about the possible costs and impacts of extension to new purposes on participants, such as those resulting from providing data, or in following up on data match information. This was most commonly expressed by public sector respondents.

More specific concerns and queries were raised in relation to the extension of the NFI to particular purposes. These are covered against each of the questions in the section below.

There were a high number of responses on the proposed Code of Data Matching Practice. Generally, respondents in favour of extension of the NFI were content with the Code, where they provided comment. Those who opposed the principle of extension generally did not provide specific feedback on the Code. Some consultation respondents put forward suggestions about how the Code could be further enhanced, and others made suggestions about how the Code could be managed and enforced. More detail on the feedback provided on the revised Code is provided as part of the analysis of responses to individual questions later in this document.

Government response to all consultation responses

The Government has been encouraged by the high level of engagement with the consultation on extending the data matching capabilities of the NFI, and on a revised Code of Data Matching Practice.

The Government is encouraged by respondents’ recognition of a range of benefits from data matching to their own organisations, the public purse, and society more broadly.

The Government appreciates the challenges and concerns put forward by organisations and individuals in the consultation, and the broad range of suggestions on how any extension could be best designed and implemented. The Government is committed to ensuring that data is used responsibly, in a way that is lawful, secure, fair, ethical, sustainable and accountable, in any context.

Fraud is endemic across the United Kingdom. It is the most frequent crime type - it accounts for around 40% of all crime, with at least 4.4 million estimated acts in 2021. Fraud costs the government an estimated £29 to £52 billion every year.

The social and economic impacts of COVID-19, alongside technological advancements, have heightened fraud risk in the public sector and increased opportunities for both individuals and organised crime groups to commit fraud. We know that criminals have targeted financial support and loan schemes, set up by the government to help individuals and businesses in need, in the UK and internationally. Within this complex, constantly evolving climate we know that the sophistication of fraud continues to increase. We also know there is a risk that the scale of fraud will continue to increase. Action Fraud reported a 36% rise in fraud offences for the year ending June 2021 compared with the year ending June 2020.

The Government remains committed to doing more to prevent and detect fraud, and to supporting bodies in enhancing their fraud response, including through the use of data and analytics. This is particularly pressing in the current post-COVID-19 climate.

A range of measures are being introduced to enhance counter-fraud work and support government and enforcement agencies in tackling fraud, bringing fraudsters to justice, and recovering millions of pounds. This includes the introduction of the Public Sector Fraud Authority, which will work with public bodies to reduce fraud risk and loss, to find more, prevent more and recover more fraud and irregular spending.

Fraud will remain the focus of the NFI in the coming years to supplement this wider drive against fraud. Therefore, the Government will not be extending the NFI to new purposes at this current time. However, the Cabinet Office may look to consult on extending the NFI to new purposes in the future.

The Cabinet Office will continue to work closely with key stakeholders and interested parties on the future direction of the NFI and additional new purposes, listening carefully to feedback in the months and years ahead. Ahead of any extension of the NFI, further analysis and engagement would be undertaken by the Cabinet Office to examine the relative costs and benefits of each purpose, for participants and society more broadly.

Any extension of the NFI to new purposes would be implemented with a range of safeguards in place. The Cabinet Office would intend to replicate the structures and frameworks that have been in place for the NFI as have been applied for fraud in extending the NFI to any new purposes. For more information on how the NFI safeguards and manages data, please see the relevant section below.

Additional information on how the NFI would operate in the new purposes context is provided in response to individual questions below.

Feedback against individual consultation questions

Specific figures and percentages in this section relate to responses via the survey only. However, the summaries of responses reflect the qualitative feedback from both email and survey respondents.

The Government response to all feedback should be read alongside the responses below.

Q1. The NFI should widen the data matching purposes to include the prevention and detection of crime (other than fraud).

72% of survey respondents (147 of 202) felt that the NFI should be extended to the prevention and detection of crime other than fraud. While email respondents did not answer this question specifically, they were generally less positive and expressed concern at the principle of extension without proper safeguards.

Multiple respondents noted the opportunities from extending the NFI to this purpose. Opportunities cited included data sharing facilitating a more joined-up approach across organisations, greater efficiency in crime detection, and benefits for the public purse. Some noted that it would be beneficial if there were more frequent data collection for this purpose than under the current system for fraud, to allow information to be closer to real-time. A small number of respondents that were overall supportive voiced concerns about the potential cost and impact on participating bodies of extending the NFI to this purpose.

Of those survey and email respondents not in favour, some felt that data-sharing powers were already extensive, and that extension to this purpose would constitute an invasion of individual privacy. Some expressed concern that data could be used inappropriately, such as by the police, to inappropriately target certain groups such as ethnic minorities, as well as migrant groups, refugees and asylum seekers. Others felt that sufficient safeguards for individuals were not provided in the consultation document, and called on the need for robust data retention policies and independent external scrutiny. Some respondents sought clarity on the specific organisations that would have access to data, such as intelligence agencies, with powers and responsibilities clearly outlined.

While the responses of many email respondents were not in relation to particular purposes, they commonly sought oversight of and restrictions on police access to data records in the NFI, and that the police may use data inappropriately. They also called for external oversight of police handling.

Government response

The Government thanks all organisations and individuals who responded to the question on extending the data matching activities of the NFI for the prevention and detection of crime.

With regard to fees and impacts, the Cabinet Office is committed to minimising costs for participants in the NFI in any context. Any fees required are to fund the NFI service itself. In the new purposes context, the NFI would continue to consult on a scale of fees for matching exercises and identify where additional fees are not required. Fees would continue to be set based on datasets submitted for processing and matching. The NFI would look to keep data requirements unchanged as far as possible and data would only be mandated where there was evidence to suggest it was relevant to a certain purpose. The technology and web application for the NFI would continue to be reviewed and updated to ensure it is best supporting users in uploading data and accessing outcomes. The Cabinet Office would explore in further detail the potential costs and impacts on participants of mandating the provision of data for each new purpose ahead of any mandation, working closely with stakeholders.

Any extension of the NFI for any new purpose would be in full compliance with the requirements of data protection legislation. A series of measures would be in place to guard against the inappropriate use of data matches by participants, for example the data that participants could access would only ever be the minimum amount and type of data necessary to either validate or highlight anomalies across information. Wider measures would include a revised Code of Data Matching Practice, NFI privacy notice and NFI security policy, setting out the requirements of participants which must be adhered to.

In line with data protection legislation, the processing of data about criminal convictions, criminal offences or related security measures would need to be done with a lawful basis for processing and either ‘official authority’ or a separate condition for processing. If the NFI were to process data primarily for the detection or prosecution of crime, it would fall under the law enforcement data processing regime in part 3 of the DPA 2018. This is similar to GDPR, but imposes additional requirements, such as logging requirements on IT systems for those that process data for law enforcement purposes, to avoid miscarriages of justice. As with wider processing, under Part 3, it must be lawful and fair, specified, explicit and legitimate, not processed in a manner incompatible with the purpose for which it was collected, adequate, relevant and not excessive in relation to the purpose for which it is processed. If data were to be processed for law enforcement purposes (for the prevention and detection of crime or the apprehension and prosecution of offenders), clear distinctions would apply for the processing of different categories of personal data, such as between those who are suspected of having committed a criminal offence and those who have been convicted of a criminal offence, as required by the DPA 2018.

The specific arrangements for data collection, retention, storage and deletion that the NFI operates, which would apply for new purposes, are set out later in this document.

Ahead of any extension of the NFI, further analysis and engagement would be undertaken by the Cabinet Office to examine the relative costs and benefits of each purpose, for participants and society more broadly.

Q2. The NFI should widen the data matching purposes to include the apprehension and prosecution of offenders.

71% of survey respondents (141 of 199) felt that the NFI should be extended to the apprehension and prosecution of offenders. While email respondents did not answer this question specifically, they were generally less positive and expressed concern at the principle of extension without proper safeguards.

A number of respondents felt that it would be positive if data matching through the NFI could be used to support the apprehension and prosecution of offenders. Some felt it would lead to more offenders being identified for prosecution, supporting the tackling of crime. It was noted that extension to this purpose could create an opportunity for improved efficiency, with additional information provided through the NFI enhancing the effectiveness of police forces.

Some respondents in favour queried how the NFI would store, manage and maintain data, and how it would be accessed. Some also queried the costs and activity involved for participants if the NFI were to be extended to this purpose. A few respondents specified that they wished to minimise the information required from them as public bodies, to avoid creating new workloads.

Of those not in favour, several respondents expressed concern that extension to this purpose could not be done without strong restrictions on police access to data and safeguards to protect the privacy rights of law-abiding citizens. A number of respondents expressed concern that data matching for this purpose could lead to the harassment or unfair targeting of ethnic minorities, migrants, refugees and asylum seekers.

While the feedback from many email respondents was not in relation to particular purposes, they commonly sought oversight of and restrictions on police access to data records in the NFI and feared that the police may use data inappropriately. They also called for external oversight of police handling.

Government response

The Government thanks all organisations and individuals who responded to the question on extending the data matching activities of the NFI for the apprehension and prosecution of offenders.

Respondents to this question raised many of the same concerns as were raised in response to the extension of the NFI to the prevention and detection of crime. The Government response provided above also applies in the context of this purpose.

Data matches via the NFI would never be the sole evidence used to prosecute someone for an offence.

Ahead of any extension of the NFI, further analysis and engagement would be undertaken by the Cabinet Office to examine the relative costs and benefits of each purpose, for participants and society more broadly.

Q3. The NFI should widen the data matching purposes to include the prevention and detection of errors and inaccuracies.

68% of survey respondents (136 of 200) felt the NFI should be extended to the prevention and detection of errors and inaccuracies. While email respondents did not answer this question specifically, they were generally less positive and expressed concern at the principle of extension without proper safeguards.

Those in support felt that errors and inaccuracies should be prevented, and that extending the data matching capabilities of the NFI to this purpose could support efficiency in the public sector. For example, it was suggested that the identification of errors in data could support the discovery of weaknesses in data processes and allow bodies to reduce the risks of inaccuracies occurring. It was noted that through enhancing the accuracy of datasets, extension to this purpose could allow for more high-quality data matching exercises to be undertaken. Additional benefits for the public were also cited. For example, a number of respondents noted that this purpose could help to ensure that those entitled to government support received their full entitlements, and that any overpayments were prevented.

Across those that were supportive, concerns were raised. Some expressed concern about the potential costs and impacts of the measure to participating authorities, such as the time and resources needed for providing data, and the risk that extension to this purpose could result in large amounts of additional work for participants. Some queried the quality of data across some datasets and whether poor quality data should be used, with some emphasising that information should be up to date. Some felt there was a need to align recording across datasets to prevent errors from occurring ahead of data matching.

Among those that felt the NFI should not be extended to this area, some felt that the safeguards set out in the consultation document for data privacy and data protection, and the mechanisms governing data access by certain organisations, were unclear or insufficient.

Some participants queried whether data processing under this purpose would be relevant, proportionate, adequate and necessary. Linked to this, some noted that many anomalies may be clerical errors of little significance, and expressed concern about the subsequent scale of data that could be processed under the identification of errors and inaccuracies which did not suggest any wrongdoing. Particular concerns were raised in the context of this purpose about the potential access of certain bodies to potentially large amounts of personal data. Some noted that many organisations have their own data cleansing and data integrity processes in place, and felt extension to this purpose would be an unnecessary burden.

Government response

The Government thanks all organisations and individuals who responded to the question on extending the data matching activities of the NFI for the prevention of errors and inaccuracies.

The Cabinet Office is committed to minimising costs and impacts for participants in the NFI and would take a series of actions to minimise these as far as possible. More information on this is set out above.

As noted above, a series of measures would be in place to guard against the inappropriate use of data matches by all NFI participants, and to scrutinise activity. The extension to and implementation of the NFI for any new purpose would be in full compliance with data protection legislation. It would be adequate, relevant and accurate, kept up to date, and kept for no longer than necessary, for the purpose for which data is processed. Datasets would only be mandated for data matching where data sharing has proven benefits, through pilot activities. Pilots would be used to assess the effectiveness, relevance and proportionality of certain datasets to each data matching purpose.

The Government recognises that many bodies undertake their own data review and cleansing activities, to ensure that data is accurate and up-to-date. Data matching through the NFI could add value beyond these activities, through providing participants with anomalies from data held by a wide range of bodies at scale, and across different data records.

Ahead of any extension of the NFI, further analysis and engagement would be undertaken by the Cabinet Office to examine the relative costs and benefits of each purpose, for participants and society more broadly.

Q4. The NFI should widen the data matching purposes to include the recovery of debt owed to public bodies.

71% of survey respondents (140 of 198) felt the NFI should be extended to the recovery of debt owed to public bodies. While email respondents did not answer this question specifically, they were generally less positive and expressed concern at the principle of extension without proper safeguards.

Respondents to this question noted that extending the NFI to this purpose would support collaboration on debt across different organisations, particularly across central and local government. Debt recovery across different public bodies was highlighted as an area where increased cooperation and data sharing was needed. Some emphasised that the public expected public bodies to pursue debts and felt that further data matching for this purpose through the NFI could help to better protect the public purse. A handful of respondents noted that conventional techniques in debt recovery could sometimes lead to the write-off of significant debts. Some respondents stated that additional data could reduce the cost of tracing debt absconders through allowing public bodies to identify correct information faster than currently. It was noted that data sharing across public bodies could reduce duplicated efforts to identify the same debtors. Respondents felt data sharing through the NFI could also lead to an improved, more streamlined experience for debtors themselves.

Of those who were supportive, some expressed concerns. It was felt that extension to this purpose could increase workloads. Some felt clear structures needed to be in place for only appropriate organisations to be able to access information relating to debt recovery. A number of respondents noted that extension to this purpose should not result in organisations placing people into financial poverty, and that there be a focus on bringing debt cases out into the open.

Among those who did not feel the NFI should be extended to this purpose, some felt that data matching for debt recovery could disproportionately impact certain groups, such as ethnic minority and migrant groups and the vulnerable, who it was felt were more likely to be in debt, or would have more debt than others, particularly in the context of the COVID-19 pandemic.

As expressed by many respondents in relation to other questions, respondents stated that safeguards were needed to protect individuals’ privacy rights and that this should include limitations on access to data for certain organisations. Some sought further clarity on which organisations might have access to data obtained for this purpose. A handful of those who did not agree expressed particular concern about possible police and private sector access and use of data in relation to this purpose.

Government response

The Government thanks all organisations and individuals who responded to the question on extending the data matching activities of the NFI for the recovery of debt owed to public bodies.

The Cabinet Office is committed to minimising costs for participants in the NFI and would take a series of actions to minimise costs and impacts as far as possible. More information on these is set out above.

As set out above, extension to and implementation of the NFI for any new purpose would be in full compliance with data protection requirements. A series of measures would be in place to guard against the inappropriate use of data matches by all participants and to scrutinise activity. Measures would include a revised Code of Data Matching Practice, NFI privacy notice and NFI security policy, setting out the requirements of participants, which must be adhered to.

The Government is committed to delivering fair debt outcomes for all - taking a robust approach to those who defraud the public purse, ensuring that those who can pay on time but choose not to are incentivized to repay, and reducing the mental and physical impact of debt recovery, in particular on those who are vulnerable or in financial hardship.

All government debt management practices must comply with the standards on debt, including Managing Public Money, the Consolidated Budgeting Guidance, and the mandatory elements of the Debt Functional Standard. They should align with the Government’s Debt Strategy and the advisory elements of the Standard, which both include the principle of fairness. The Government continues to explore ways that debt management practices can be supported and improved - for example, the Debt Management Vulnerability Toolkit and Breathing Space Schemes have been designed to support enhanced debt management across the public sector.

With regard to equalities concerns, ahead of any extension of the NFI, the Cabinet Office would undertake an up-to-date equalities impact assessment for each new purpose. In extending, where negative or positive impacts were identified, the Cabinet Office would implement mitigating measures. Equalities impacts would be considered on an ongoing basis.

Ahead of any extension of the NFI, further analysis and engagement would be undertaken by the Cabinet Office to examine the relative costs and benefits of each purpose, for participants and society more broadly.

There were 129 survey responses to this question, although the majority of those (87) did not raise equality-related concerns. Email respondents did not respond specifically to this question.

Some raised concern over how data matches would be used, and felt any extension should be accompanied by assurances from participants that data was being used appropriately and not to target or harass certain groups and those with protected characteristics. Some felt that oversight should be in place to review requests for data. A number of respondents felt all participants in the NFI should conduct equality impact assessments ahead of any data being shared for data matching for any of the additional purposes.

Some used the opportunity to express concern about the impacts of extending the NFI for the recovery of debt owed to public bodies, feeling that this may lead to the targeting of certain groups.

A few respondents expressed concern over private sector access to sensitive and personal information and about how this information could be used.

A small number of respondents expressed concern that increased data sharing through extension of the NFI could impact the use of services by individuals, such as the NHS or local authority services.

Government response

The Government thanks all organisations and individuals who responded to this question.

As noted above, if the NFI were to extend to any additional purpose, the equalities impacts would be fully assessed and mitigating measures would be implemented for any positive or negative impacts.

Please refer to the Government responses to previous individual questions regarding many of the points raised against this question.

Q6. Do you have any views on the updates to the Code of Data Matching Practice?

There were 123 survey responses to this question. Those who opposed the principle of extension of the NFI to any purpose generally did not comment on the revised Code. A handful of email respondents provided comments on this question.

Generally, respondents in favour of extension of the NFI to one or more additional purposes were content with the proposed Code of Data Matching Practice, where they provided comment.

Respondents put forward thoughts and suggestions on the Code. These included that the Code provide further information on: the role of the Cabinet Office and participants in the NFI; which bodies would be able to access what data; individuals’ rights over their data; and the success criteria for further processing of data. Some sought more information on: the projected impacts of extension on participants; procedures for data storage and access; the safeguards in place for data access; and greater clarity on protections for child and patient data.

Some participants expressed their views on how the Code should be managed and enforced in the new purposes context. It was suggested that those required to operate under the Code undertake training in it, that compliance audits be undertaken to ensure compliance by an independent body and that remedial or disciplinary action be taken for breaches of the Code. It was also suggested that an independent regulator review requests for data matching, that the Code be regularly reviewed and updated, and that practical guidance be developed on how compliance with the Code would be achieved.

Government response

The Government thanks all organisations and individuals who responded to this question and for the feedback and suggestions provided on the revised Code.

The Code is a central part of the governance of the NFI and this would remain the case if the NFI was extended to new purposes. All NFI data controllers and processors must have regard to the Code - it must also be adopted by any organisation conducting or participating in NFI data matching exercises.

The Code clarifies the roles and responsibilities of organisations involved in the NFI and requirements of participation, in line with data protection legislation. It sets out which data can be processed and accessed, and the rights of individuals. It also outlines what data matches show and how they should be used.

If the NFI were to be extended to any new purpose, the Code would be updated and the Government would consider the feedback provided on the proposed Code. A revised Code would be published on GOV.UK ahead of any data submission or data matching for new purposes.

Q7. Do you have any views on the proposals to extend the data matching purposes in relation to data protection?

There were 130 responses to this question, although many respondents flagged that they had no other views or concerns in relation to data protection than those already expressed. Email respondents did not respond specifically to this question.

Survey responses referred to the need for organisations to update their existing privacy notices for any new purposes or create new privacy notices. Several respondents sought clarity on who the data controllers in the NFI were, and on the data that different bodies could access, including the private and third-sectors, with some suggesting access be limited for certain bodies.

Several respondents sought clarity on safeguards to protect privacy rights, including strong restrictions on the types of data that could be shared, on data retention practices, and on DPIAs. Some emphasised the need for external oversight of access to and the handling of data, such as for the police. Some suggested that access to data be overseen by a third party, to safeguard against potential abuse. Penalties for breaking data security rules were also suggested. The need to be able to hold individual users to account was emphasised.

Government response

The Government thanks all organisations and individuals who responded to this question.

The Government is committed to ensuring that individual’s data is used responsibly, in a way that is lawful, secure, fair, ethical, sustainable and accountable and in full compliance with data protection requirements.

If the NFI were extended to new purposes, participants would need to ensure that they complied with data subject notification requirements - they could do this through publishing a privacy notice. The NFI would also publish a revised privacy notice in relation to new purposes.

Please also refer to the section below, which provides more detail on how the NFI currently safeguards and handles data in line with data protection requirements.

Q8. Is there anything additional that you wish to add?

There were 117 responses to this question. Participants used the opportunity to express their support or concern for the proposals, and many re-stated points made in response to previous questions.

Responses included the view that government bodies should be able to share information more easily than is currently the case, that a phased approach should be taken for extending the NFI, and that any data processed should be current and up-to-date. Concerns raised included the impact of additional fees and requirements and the need for an independent regulator to review data requests.

Government response

The Government thanks participants for their additional comments.

NFI safeguarding and management of data

The NFI operates in full compliance with rights and data protection legislation - including UK GDPR, the DPA 2018 and the Human Rights Act 1998. Personal data is obtained and processed in full compliance with UK GDPR and data is always processed lawfully - fairly, transparently and for specific and legitimate purposes. Data collected is adequate, relevant and accurate, kept up to date, and kept for no longer than necessary.

Data subjects are made aware of what data will be processed, how their data is processed and what action can be taken by individuals in relation to that data. NFI participants are required to inform individuals about the collection and processing of their personal data ahead of any data matching. All participants must confirm their compliance with this requirement on data subject notification.

A Code of Data Matching Practice and NFI privacy notice set out the rights of individuals, the requirements of the NFI for data processing, the specific purposes for which data can be processed, and how all relevant controllers and processors need to comply with the relevant legislative provisions.

Data Protection Impact Assessments (DPIAs) are undertaken ahead of any data matching to ensure activities are in full compliance with data protection requirements. They set out the nature, scope, context and purposes of processing, assess necessity, proportionality, and compliance measures, and identify and assess risks to individuals and measures required to mitigate those risks. DPIAs are subject to rigorous internal review.

To uphold the principle of proportionality, pilots are used to assess how far the use and matching of certain datasets and data types are proportionate and effective in highlighting anomalies in data that relate to fraud. Pilots help to ensure that only relevant data is collected and processed. They are a requirement of the Code.

Proposed data matching activities are informed by ongoing engagement and consultation with the Information Commissioner’s Office (ICO).

A range of measures are in place to ensure data matches are used appropriately by NFI participants. While participants are independent data controllers and have their own responsibilities in this capacity, they must also have regard to the terms of use and standards set out by the Cabinet Office for participating in the NFI. These are set out in the NFI Code of Data Matching Practice, NFI privacy notice and NFI security policy. The NFI makes clear that data matches must only ever be used for their intended purpose, and no decisions should be made by participants as a result of a data match, until the full circumstances are considered by an investigator.

The provisions of data protection legislation support in ensuring that data matches are used appropriately by participants. For example, participating bodies only ever receive the minimum amount and type of data necessary to either validate or highlight anomalies across official information. These same provisions also apply to data processors. The ICO and individuals may act against any data controller or a data processor regarding a breach of its obligations under UK GDPR.

NFI arrangements for the collection, retention and storage, deletion of data are in full compliance with the requirements of data protection legislation.

The NFI considers the most appropriate timescales for collecting data, considering when relevant datasets are collected and updated, and impacts on participants. All data collected is kept as up to date as possible in line with data protection requirements. To this end the quality of data is checked before any data processing is undertaken, and where required, the NFI works with data providers to enhance data quality, ahead of data matching.

The Cabinet Office intends to provide NFI participants with sufficient notice of the data required to support the preparation of data for submission. Data specification requirements are generally published at least 6 months before any data is mandated to be provided to the Cabinet Office. The Cabinet Office recognises the need for data used in matching exercises to be of a good quality, and participants also need to ensure that any data provided is accurate, complete, and kept up to date. Where NFI participants fail to comply with data submission requirements as determined by the Cabinet Office, penalties may be imposed.

The Cabinet Office employs a data processor to process personal data and this processor is contractually required to comply with data protection legislation requirements and ensure that personal data is protected and maintained as necessary. All NFI activities including the collection, holding and processing of data, and provision of data matches to participants, are managed through a bespoke web application provided by that processor. Data is held securely and all data transmissions are through that secure environment.

Cabinet Office officials and data processor staff with access to the NFI application are appropriately security-vetted. Cabinet Office officials are also required to complete data security and confidentiality training, and agree to Cabinet Office data terms, in line with data protection legislation. NFI staff must agree to additional provisions to uphold the confidentiality and security of all NFI data and data matches.

The NFI Code of Data Matching Practice sets out that personal data should not be kept for longer than is necessary, in line with UK GDPR. Data and resulting matches are retained for the minimum reasonable period necessary for participants to review and follow up on the matches. While the length of this reasonable period has varied for different NFI functions, under the current system, data and data matches have been deleted generally every 12-18 months at the latest. For the national exercise, data is currently deleted within 6 months after it is re-supplied, has passed quality checks and has been accepted for the next national data matching exercise (or after 12 months where data is not part of the national exercise). Data is irrecoverable once it is no longer required for data matching purposes. A data retention and deletion schedule is published on GOV.UK.

Summary of consultation questions

The initial survey questions requested information on the participating individual - their name, contact details, organisation represented and job title.

Questions 1 to 4 were answered on a scale of strongly agree, agree, neither agree nor disagree, disagree, strongly disagree, don’t know,

New purposes questions

Q1. The NFI should widen the data matching purposes to include the prevention and detection of crime (other than fraud). Please supply your reasons.

Q2. The NFI should widen the data matching purpose to include the apprehension and prosecution of offenders. Please supply your reasons.

Q3. The NFI should widen the data matching purposes to include the prevention and detection of errors and inaccuracies. Please supply your reasons.

Q4. The NFI should widen the data matching purposes to include the recovery of debt owed to public bodies. Please supply your reasons.

Q5. Do you want to raise any particular equality-related issues in relation to this proposal?

Q6. Do you have any views on the updates to the Code of Data Matching Practice?

Q7. Do you have any views on the proposals to extend the data matching purposes in relation to data protection?

Q8. Is there anything additional that you wish to add?

List of consultation respondents

There were over 390 responses to the consultation. Of these, 208 were submitted by the online survey and 185 were submitted by email.

Respondents to the consultation included:

Public sector bodies

  • Leicestershire County Council
  • Nottingham City Council
  • Torbay Council
  • Essex Police Fire and Crime Commissioner Fire and Rescue Authority
  • London Borough of Waltham Forest
  • Liverpool City Council
  • Shropshire Council
  • Mid and South Essex NHS Foundation
  • Northamptonshire Police
  • University of Southampton
  • Essex County Council
  • West Yorkshire Police
  • Bedfordshire Fire and Rescue Service
  • Great Yarmouth Borough Council
  • NHS Business Services Authority
  • Doncaster and Bassetlaw Hospitals NHS Trust
  • James Paget University Hospitals NHS Foundation Trust
  • Babergh and Mid Suffolk District Councils
  • Kent County Council
  • Broadland District Council and South Norfolk Council
  • Merseyside Police
  • Rother District Council
  • Office of the Police and Crime Commissioner for Leicestershire
  • Royal Borough of Kensington and Chelsea, Westminster City Council and London Borough of Hammersmith and Fulham
  • Cannock Chase District Council
  • Stockton-on-Tees Council
  • Darlington Borough Council
  • Trafford Council
  • Audit Scotland
  • Dudley Metropolitan Borough Council
  • Basildon Borough Council
  • City of London (Council)
  • Warrington Borough Council / Salford City Council
  • East Hampshire District Council and Havant Borough Council
  • Enfield Council
  • London Borough of Bexley
  • Derby City Council
  • Sheffield City Council
  • Reading Borough Council
  • North Wales Office of the Police and Crime Commissioner
  • Tendring District Council
  • London Borough of Havering
  • Devon and Somerset Fire and Rescue Service
  • Gwent Office of the Police and Crime Commissioner
  • Lincolnshire County Council
  • Kent Fire and Rescue Service
  • Adur and Worthing Councils
  • London Borough of Waltham Forest
  • National Data Guardian
  • City of Wolverhampton Council
  • Test Valley Borough Council
  • North Warwickshire Borough Council
  • Nuneaton and Bedworth Borough Council
  • Kirklees Council
  • NHS England and Improvement
  • Airedale NHS Foundation Trust
  • East Sussex County Council
  • Leeds Teaching Hospitals NHS Trust
  • NHS Barnsley Clinical Commissioning Group
  • Greater Manchester Combined Authority
  • Hastings Borough Council
  • Wigan Council
  • Crown Prosecution Service
  • Wirral Council
  • NI Audit Office
  • Transport for Greater Manchester
  • British Medical Association
  • Cumbria County Council
  • Information Commissioner’s Office
  • London Borough of Lambeth
  • British Parking Association
  • Various Government Departments

Private sector bodies

  • Amberhawk Training Limited
  • Capita
  • Jacobs
  • CW Audit
  • RSM UK
  • Synectics Solutions

Special interest groups

  • Privacy International
  • Open Rights Group
  • Med Confidential
  • Migrant’s Rights Network

Glossary of terms

Data controller: The organisation with decision making power with respect to data processing, which determines the purposes for which and the way in which data is processed. Where employees act on behalf of their employer, the employer is the controller. Data controllers must ensure that the processing of that data complies with data protection law.

Data matching: Data matching involves comparing sets of data electronically against other records held by the same or another body, to see to what extent they match and identify inconsistencies that require further investigation.

Data processing: Data processing involves any activities relating to personal data including collecting, storing, sharing and destroying personal data.

Data processor: A person or organisation (not an employee) which processes personal data on behalf of and on the instruction of a data controller. Processors have a range of direct legal obligations and the Information Commissioner’s Office and individuals may take action against a processor regarding a breach of these obligations. Data controllers must enter into a binding contract or other legal act with processors, affording compulsory provisions in line with data protection legislation.

Data protection legislation: As defined in the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). The General Data Protection Regulation has been retained in UK law as the UK GDPR following the end of the Brexit transition period. It is read alongside the Data Protection Act 2018, with technical amendments to ensure that it can function in UK law. There are a range of other data protection provisions set out in legislation that are continually reviewed.

Data subject: A person that personal data is processed about.

Information Commissioner’s Office (ICO): The ICO is the UK’s independent authority set up to uphold information rights in the public interest, promote openness by public bodies, and data privacy for individuals. The ICO regulates data protection in the UK. They offer advice and guidance, promote good practice, carry out audits, consider complaints, monitor compliance and take enforcement action where appropriate.

Personal data: Any information which on its own or in conjunction with other information can identify a data subject.