Transparency data

Data Usage Agreement: Bounce Back Loan turnover pilot

Published 19 October 2023

This Data Usage Agreement for Department for Business, Energy and Industrial Strategy (BEIS) sampling of Bounce Back Loan application turnover data against HMRC was approved and put in place in 2021.

1. Conditions of disclosure of information by HMRC

HMRC disclose this information to the Cabinet Office and the Department for Business, Energy and Industrial Strategy (BEIS)[footnote 1] by virtue of the legal basis of section 56 of the Digital Economy Act Disclosure (DEA) for the purpose of ‘taking of action in connection with fraud against a public authority’ on the condition that Cabinet Office and BEIS undertake the following:

  • complete a Data Protection Impact Assessment (DPIA)
  • adhere to the DEA Code of Practice and complete all relevant documentation and have ministerial approval
  • adhere to this Data Usage Agreement

A joint DPIA has been completed by BEIS, Cabinet Office and HMRC to go alongside this Data Usage Agreement.

1.1 Purpose

This information sharing arrangement is to provide an indicative level of fraud within the BBL (Bounce Back Loan) Scheme, by comparing a sample of existing BBL applications (specifically the turnover amount stated in each - as provided by BBL applicants to lenders whereupon they make a loan application and/or top-up request) with HMRC limited company turnover data.

1.2 Data specification

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

BBL application data for a sample (up to 10,000) of Limited Companies and Sole Traders which have applied for BBL:

  • facility reference
  • purpose of loan
  • loan amount
  • facility type
  • loan term
  • business name
  • lender code
  • lender name
  • loan state
  • annual turnover
  • Standard Industrial Classification (SIC) code
  • postcode
  • guarantee percentage
  • created date
  • scheme facility letter date
  • initial draw date
  • repaid date
  • maturity date
  • lender demand date
  • demand to Debt To Income (DTI) date
  • cumulative amount drawn
  • SIC group
  • region
  • region order
  • constituency
  • district
  • Local Economic Partnership (LEP) 1
  • LEP 2
  • Nomenclature of Territorial Units for Statistics (NUTS) 2 code
  • NUTS 2
  • NUTS 3 code
  • NUTS 3
  • region NUTS 1 code
  • region NUTS 1
  • trading date
  • scheme
  • legal form
  • company registration
  • trading name
  • Enterprise Finance Guarantee (EFG) interest rate
  • loan purpose
  • lender type
  • fees

This dataset may contain personal information, for example in the business trading name fields.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Cabinet Office will make a subset of the data available in the secure file transfer platform Egress. The subset of the data will only relate to Limited companies and contain only the following fields:

  • Company Registration Number (CRN)
  • company name
  • company postcode

The reduced number of fields is restricted only to what HMRC requires to carry out the data matching exercise and limits unnecessary data sharing. Cabinet Office will inform HMRC that the dataset is available in Egress. HMRC will access Egress to extract the file onto their system and perform matching. The returned file will be uploaded to Egress with the following data points for each Limited company BBL applicant, where available:

  • no match
  • match and the following data:
  • CRN or company name and postcode
  • last annual turnover data recorded by HMRC
  • accounting period (for example, 2018 to 2019)

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

1.3 Data security

BEIS, HMRC and Cabinet Office will undertake to:

  • move, process and destroy data securely; ie in line with the principles set out in HM government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
  • only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information (linked to the purpose) will have access to it
  • HMRC will store all data supplied by BEIS/Cabinet Office, in a secure CAF with restricted access to members of RIS who are directly involved in the data share and only keep it for the time it is needed, and then destroy it securely on agreement of all parties
  • not onwardly disclose the information without the prior authorisation of HMRC other than what is provided for in section 56 of the Digital Economy Act
  • comply with the requirements in the Security Policy Framework, and be prepared for and respond to Security Incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
  • mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications (GSC), and in particular as set out in the Annex – Security Controls Framework to the GSC

1.4 How data will be shared

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

1.5 Data processor and data owner

HMRC and BEIS will act as data controllers and Cabinet Office will act as a data processor on behalf of BEIS and HMRC, using definitions as set out in the Data Protection Act 2018.

1.6 Freedom of Information (FOI) and Subject Access Requests (SARs)

All parties are subject to the requirements of the Freedom of Information Act 2000, and will assist and cooperate with each other, to enable each to comply with its information disclosure obligations.

Where an FOI request is received by either party to this agreement, which relates to data that has been provided by other parties, the party receiving the request will notify the other relevant parties to allow them the opportunity to make representation on the potential impact of disclosure.

BEIS FOI team mailbox

HMRC FOI team mailbox

Cabinet Office FOI team mailbox

Additionally, individuals can request access to their data. The following are the email contacts for an individual to contact the relevant organisation:

BEIS enquiries

HMRC SAR

Cabinet Office

1.7 Costs

HMRC will recharge BEIS and Cabinet Office for the time taken to provide the data and the governance documents for Cabinet Office to have the relevant data to assist in this project.

BEIS and Cabinet Office have confirmed that they have funds available for costs incurred by HMRC for this data share.

1.8 Disputes

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

  1. BEIS existed until 2023 when it was split to form the Department for Business and Trade (DBT), the Department for Energy Security and Net Zero (DESNZ) and the Department for Science, Innovation and Technology.