Data Usage Agreement: assessing potential fraud within legal aid applications
Published 5 September 2024
This Data Usage Agreement between HMRC and Legal Aid Agency was agreed and put in place in 2023.
1. Conditions of disclosure of information by HMRC
HM Revenue and Customs (HMRC) disclose information to the Legal Aid Agency (LAA) to assess potential fraud within legal aid applications.
1.1 Legal basis
HMRC disclose this information to the LAA by virtue of the legal basis of the Digital Economy Act 2017, part 5, chapter 4, section 56
1.2 Purpose
The LAA provide civil and criminal legal aid and advice in England and Wales to help people deal with their legal problems.
The LAA works with solicitors, barristers and others to provide simple, timely and reliable access to legal aid for those whose life and liberty is at stake, where they face the loss of their home, domestic violence, or where their children may be taken into care. Last year the LAA processed 400,000 legal aid applications with a spend of circa 1.7 billion.
LAA want to be able validate income for individuals who have been referred to the Counter Fraud and Investigation Team (CFI) on suspicion of fraud, to further understand if there is basis to investigate further. Furthermore, successful prosecutions for fraud are publicised more widely acting both as a deterrent to other potential fraudsters and increase the LAA’s reputation with the public.
LAA require a new intelligence stream, as evidential requirements (needed for the Means Test Review, for example) are less robust due to new ways of processing, which has heightened the risk of fraud. For example, historically it has been a lengthy procedure to process documents, so the process controls have been simplified for speed, placing the onus on LAA providers (such as solicitors, barristers or charities) to submit applications on behalf of their clients. Whilst it is still the responsibility of the client to make accurate declarations, it also places an obligation on the client’s legal representative to ensure applications are correct and to provide the LAA with a fulsome account of the client’s financial status, which means legal providers now have a more significant role to play in the Means Test Review process.
As with any process requiring human input and data entry there is an increased risk and greater potential for fraud and error. As the LAA is unable to identify fraud from the current evidential requirements, the information sought via this pilot will provide a crucial alternative source of information for corroboration
This is a trial or proof of concept, and the ultimate aim is to obtain the data directly from HMRC via an Application Programming Interface (API) if the pilot is proven successful.
LAA will provide a sample of approximately 600 CFI cases to HMRC and request HMRC Pay as You Earn (PAYE) and Self Assessment data for both the client and their partner to allow us to compare this information to what we have on file or against the allegation of potential fraud received by CFI. This may include cases where no National Insurance number is held, or for a client’s undisclosed partner where we have a name and date of birth (DoB) but no further details.
1.3 Benefits of the exchange
A list of the benefits to be achieved through the data share:
- investigating and prosecuting fraudulent legal claimants
- reduced overpayment due to fraud.- ensuring that legal aid debt is assessed correctly on applicant’s financial status -identifying fraud in the legal aid application process
There is no direct benefit to HMRC who are only supporting LAA with their functions in this pilot.
1.4 Data security
HMRC and LAA both agree to:
- move, process and destroy data securely for example in line with the principles set out in HM Government Security Policy Framework issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
- only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information will have access to it
- only keep it for the time it is needed, and then destroy it securely
- not onwardly disclose that information without the prior authorisation of HMRC
- comply with the requirements in the Security Policy Framework, and be prepared for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to information.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
- mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications
HMRC is the data controller when HMRC processes the data, and it is within the HMRC environment. When the data has left HMRC and is received by LAA, then LAA will be the data controller.
1.5 Freedom of Information (FOI) requests
If an FOI request relating to this information is made to LAA, their FOI team will engage with HMRC’s FOI team regarding the potential impact of disclosure.
1.6 Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment is required prior to the exchange proceeding. DPIA reference number is 9970 (1 December 2022).
1.7 Records of Processing Activity (ROPA)
HMRC Records of Processing Activity (ROPA) is an inventory of all HMRC’s major processing activities involving personal data and is to be created or revised if setting up or reviewing an exchange.
1.8 Procedure
This is a one-off pilot data matching exercise.
Data matching is carried out in accordance with the agreed Risk and Intelligence Service (RIS) team quality assurance standards framework and only the most up to date information available to HMRC will be shared with LAA.
A dataset of approximately 600 individuals containing the data items listed below will be transferred from LAA via Secure Data Exchange Service (SDES) to HMRC RIS Government Data Exchange Team (GovDET) in a Microsoft Excel spreadsheet in January 2023.
Data Items from LAA to HMRC:
- individual name
- individual date of birth
- individual National Insurance number
- partner name (where applicable)
- partner date of birth (where applicable)
- partner National Insurance number (where applicable)
The HMRC RIS GovDET analyst will download and save the received file from LAA.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
The RIS analyst will also provide a copy of the input data containing the above LAA provided data items via a secure Central Access Folder (CAF) to Benefits and Credits to undertake Benefits and Credits data matching and return the data back to GovDET so that RIS GovDET can return the full dataset to LAA.
Using Real Time Information (RTI) and Connect, HMRC RIS GovDET will match the full dataset from LAA. Where there is a confirmed match, HMRC will return data for these individuals as outlined below. If there are no positive matches, HMRC will confirm this in their response.
HMRC RIS GovDET will populate an Excel spreadsheet with employment and self-employment information as outlined below.
RIS GovDET will provide the following data items:
- latest base address
- latest nominated address
- employer name
- start date
- leaving date
- self-assessment business description
- self-assessment business address
- date registered on self-assessment
- latest return year
- interest and dividends
- partnership income
- state pension
- trusts income
- UK property income
- foreign income
- other income
- business start date
- business end date
- self-assessment tax deducted
- chargeable to National Insurance contributions (NIC)
- turnover
- other business income
- trading allowance
- pay Year to Date (YTD)
- tax YTD
- tax deducted or refunded
- payment date
- taxable pay in period
- NIC deducted
- tax year
- gross pay in period
- pay frequency
- other deductions
- partner latest base address
- partner latest nominated address
- partner employer name
- partner start date
- partner end date
- partner self-assessment business description
- partner self-assessment business address
- partner date registered on self-assessment
- partner latest return year
- partner interest and dividends
- partner partnership income
- partner state pension
- partner trust income
- foreign income
- partner other income
- partner business start date
- partner business end date
- partner self-assessment tax deducted
- partner chargeable to NIC
- partner turnover
- partner other business income
- partner trading allowance
- partner pay YTD
- partner tax YTD
- partner tax deducted or refunded
- partner payment date
- partner taxable pay in period
- partner NIC deducted
- partner tax year
- partner gross pay in period
- partner pay frequency
- partner other deductions
Using the tax credits system Benefits and Credits will match the LAA data to Tax Credits information as listed below and will return this to RIS GovDET via secure CAF transfer:
- entitlement
- Working Tax Credits (WTC) element
- WTC gross YTD
- Child Tax Credit (CTC) gross YTD
- payment profile date
- next WTC amount
- regular WTC amount
- next CTC amount
- regular CTC amount
- WTC frequency
- CTC frequency
- payment start
- payment end
- partner entitlement
- partner WTC gross YTD
- partner CTC gross YTD
- partner payment profile date
- partner next WTC amount
- partner regular WTC amount
- partner next CTC amount
- partner regular CTC amount
- partner WTC frequency
- partner CTC frequency
- partner payment start
- partner payment end
Upon receipt of the Benefits and Credits matched data, the RIS GovDET analyst will combine the matched HMRC employment/self-employment data with the HMRC B&C matched Tax Credits data.
The combined data will then be shared with LAA via SDES.
Along with the above list of matched data items the below original LAA data fields will be returned also:
LAA data items
- individual name
- individual date of birth
- individual National Insurance number
- partner name (where applicable)
- partner date of birth (where applicable)
- partner National Insurance number
1.9 HMRC Data retention and storage
HMRC RIS GovDET will download the data file received from LAA via SDES.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
It will be manually deleted by the GovDET analyst 6 months after delivery of the data (as per GovDET Team lead’s recommendation) to ensure there are no data quality issues or queries on the data received by LAA.
Auto reminders in outlook are set by the GovDET analyst to delete the data as required after delivery.
As an added level of assurance, the data deletion is also recorded on a RIS GovDET General Data Protection Regulation (GDPR) tracker document which is an Excel tool outlining all data sharing and what date the data is deleted. This is reviewed on a monthly basis by the Grade 7 (G7) RIS GovDET lead and checks are undertaken that data is deleted on time. In the event of an analyst being absent, the G7 will arrange for the deletion of the data. Once B&C have received the file via the secure CAF from RIS GovDET they will store the data.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
The input and outputs of the matched data will be held for 6 months after delivery of the data to address any potential data quality issues or queries on the data.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
B&C have a workbook which outlines all the data deletion dates which is manually checked by the G7 each month to ensure the data has been deleted according to the deletion schedule.
LAA Counter Fraud will keep the pilot data for a year to analyse before the data is deleted.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
For specific individuals of interest in the data set, LAA Counter Fraud will keep the specific data, as part of an investigation file, for 6 years (plus an additional 3 years if recovery action is taken) from the conclusion of the investigation and then destroy.
LAA have advised that all LAA data for debt and fraud is hosted on Ministry of Justice (MoJ) IT infrastructure which is all on UK hosted servers. Some of MoJ data hosted via MoJ’s 3rd party IT provider is backed up in data centres in the EU, however, LAA have confirmed on 4 October 2022 that HMRC data will only be stored and backed-up in the UK.
1.10 Onward disclosure
If fraud is discovered LAA may share relevant information with police or the Crown Prosecution Service (CPS) for the purposes of their investigation.
LAA is not a prosecuting authority and they rely on the police if they want to prosecute in a case where fraud has been proven. A determination would be made on a case-by-case basis, if a case is to be referred to be police. This would be in line with the Criminal Procedure and Investigation Act 1996, and the Attorney Generals Guidelines on Disclosure and would only be on cases where a decision to charge and prosecute a client has been made.
This would be permissible under section 56 of Digital Economy Act 2017 by virtue of section 59(2) DEA 2017 as HMRC will give a ‘general consent’ for LAA to share relevant data with the police and CPS only, and only for the purposes and duration of the pilot.
1.11 Certificate of Review and Assurance
In accordance with the review and assurance agreed, a Certificate of Review and Assurance (CoRA) must be completed by both departments following the end of the pilot.
1.12 Disputes - HMRC and LAA
Any disputes relating to this information transfer should be reported to:
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
1.13 Costs
HMRC RIS GovDET will recharge LAA for the time taken to provide the data for this data share.
1.14 Signatures
This content has been withheld because of exemptions in the Freedom of Information Act 2000.