Transparency data

Data Usage Agreement: customer left UK data share pilot

Published 5 September 2024

This Data Usage Agreement between HMRC and Home Office was agreed and put in place in 2023.

1. Conditions of disclosure of information between HMRC and Home Office

HMRC and Home Office disclose this information by virtue of the legal basis of section 56 of the Digital Economy Act (DEA), disclosure for the purpose of ‘taking action in connection with fraud against a public authority’ on the condition that HMRC and Home Office undertake to:

  • complete a Data Protection Impact Assessment (DPIA)
  • adhere to the DEA Code of Practice, complete all relevant documentation and have ministerial approval
  • adhere to this Data Usage Agreement (DUA)

A DPIA has been completed by HMRC and Home Office to go alongside this DUA.

1.1 Purpose

HMRC Benefits and Credits administer Child Benefit payments. Various risks exist within these areas, with a specific risk entitled ‘customer abroad’. This relates to customers who leave the UK permanently or for prolonged periods of time without notification to HMRC. Whether or not customers’ actions are fraudulent, this results in benefits being paid incorrectly and accrues losses to the Exchequer.

Unlike other benefit regimes, Child Benefit may have very little contact with the customer. Effectively, Benefits and Credits could receive a claim for a new-born and the next contact with the customer could be at the child’s 16th birthday.

HMRC estimate the losses through this risk, within Child Benefit, equate to £10 million to £30 million per annum.

There is a requirement to match passenger entry and exit data from Home Office systems against Child Benefit data to identify customers who may be residing abroad without notifying HMRC.

1.2 Data specification

The Home Office hold passenger entry and exit data which would show individuals who have left the UK and may not have returned. Various scenarios have been discussed with Home Office; however, a mutually acceptable approach would be to carry out a pilot exercise to test the viability of this initiative, as follows:

  • Benefits and Credits extract a random 200,000 customers from its Child Benefit adult customer data (200,000 records equate to 2.5% of the Child Benefit customer base - as this is a completely random sample of customers, the volumes are required for statistical accuracy)
  • the data is passed to Home Office via the Secure Data Exchange System (SDES)
  • Home Office match this information against their arrivals and exits data to establish those customers who have left the UK without return within a specific period
  • Home Office returns the results via SDES
  • HMRC use the data to initiate enquiries, to substantiate the identified risk

The data supplied to Home Office from Child Benefit will be:

  • customer National Insurance number
  • customer name
  • customer date of birth
  • customer addresses

The data returned by Home Office will be:

  • passenger National Insurance number
  • passenger name
  • passenger date of birth
  • date left UK
  • destination
  • accompanying passengers (if available)

Under section 18(1) of the Commissioners for Revenue and Customs Act (CRCA) 2005, HMRC is bound by a strict duty of confidentiality, meaning that HMRC officers may not disclose information HMRC holds for its functions. However, HMRC information may be disclosed where one of the statutory exceptions in section 18(2) CRCA 2005 applies or where disclosure is permitted under any other enactment pursuant to section 18(3) CRCA 2005.

Any person who discloses HMRC information which identifies a taxpayer without a lawful basis to do so under either section 18(2) or (3) of CRCA 2005 potentially commits a criminal offence of wrongful disclosure pursuant to section 19 CRCA 2005. A person found guilty of an offence may receive an unlimited fine, imprisonment of up to two years or both.

In this case, disclosure is permitted by virtue of part 5, chapter 4 of the DEA 2017 and section 56. This permits disclosure between specified persons for the purposes of acting in connection with fraud against a public authority. 

Specified persons for the purposes of section 56 powers are set out in schedule 8 of the DEA 2017 and include Home Office at paragraph 1 and HMRC at paragraph 14.

1.4 Lawful basis

The lawful basis for HMRC and Home Office is UK General Data Protection Regulation (GDPR) article 6(1)(e), ‘processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’, namely the exercise of a function of the Crown, a Minister of the Crown, or a government department (Data Protection Act 2018, section 8(d)).

1.5 Data controller

Under UK GDPR this will be a data controller to data controller relationship between HMRC and Home Office for the transfer of personal data contained within HMRC’s Child Benefit dataset.

HMRC and Home Office are independent data controllers whilst the data is held on their respective sites using definitions as set out in the Data Protection Act 2018.

Article 24 of the GDPR provides further information on the responsibility of a data controller.

1.6 Data security

HMRC will undertake to:

  • move, process and destroy data securely, in line with the principles set out in HM Government Security Policy Framework
  • only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need (linked to purpose) to see the information will have access to it
  • store all data supplied by the Home Office on a non-networked system, with access restricted to members of the Benefits and Credits analytics team who are directly involved in the data share, keep it only for the time it is needed, and then destroy it securely on agreement of all parties and supply confirmation to Home Office
  • not onwardly disclose the information without the prior authorisation of Home Office other than what is provided for in section 56 of the Digital Economy Act
  • comply with the requirements in the Security Policy Framework, and be prepared for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
  • mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications (GSCs) and in particular as set out in the Annex – Security Controls Framework to the GSC

Home Office will undertake to:

  • process personal data in compliance with the mandatory requirements set out in the Security Policy Framework and the GSC and the 4 further government security standards (cyber security, physical security, personnel security and incident management)
  • ensure effective measures are in place to protect personal data in their care and manage potential or actual incidents of loss of the personal data

Such measures will include, but are not limited to:

  • personal data should not be transferred or stored on any type of portable device unless absolutely necessary and, if so, it must be encrypted to the FIPS 140-2 standard and protected with a strong password
  • participants will take steps to ensure that all staff are adequately trained and are aware of their responsibilities under the DPA Legislation and this DUA
  • access will be permitted to authorised personnel from the Home Office Data Services and Analytics team who have the appropriate security clearance to handle the data (Security Cleared (SC)) and have a genuine business need to access the data
  • not onwardly disclose the information without the prior authorisation of HMRC other than what is provided for in section 56 of the DEA

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

1.7 Data file transfer

HMRC and Home Office agree to:

  • ensure that the Child Benefit data file is sent to Home Office
  • send the data by the Secure Data Exchange System (SDES)
  • ensure the data match output file is sent by SDES to HMRC

1.8 Requests for information

This section covers all requests for information relating to this agreement and data share; it is not limited to Freedom of Information (FOI) requests or Subject Access Requests (SARs).

Freedom of Information

If an FOI request relating to this information is made to the Home Office, their FOI team will engage HMRC’s FOI team regarding the potential impact of disclosure.

HMRC FOI mailbox

Home Office FOI mailbox

Subject Access Requests

Data subjects are entitled to exercise their data subject rights when their personal data is processed. Where either party receives a data subject request, the party receiving the request will, where appropriate to do so, notify the other relevant party to allow them the opportunity to make representation on the potential impact of disclosure.

HMRC Subject Access Request

Home Office Subject Access Request mailbox

1.9 Disputes, security and data breaches

Any disputes or security and data breaches relating to this information transfer should be reported to the contact listed.

In the event that HMRC or Home Office become aware of a suspected or actual incident affecting the confidentiality, integrity and availability of the information in its possession or control, each party will report the incident using their reporting procedure and immediately notify the other party. For personal data, each party also agrees to work to the Information Commissioner’s Office requirements, reporting without undue delay (if it meets the threshold for reporting) and within 72 hours.

1.10 Costs

At this point, HMRC are not expecting any costs for this data matching activity.

1.11 Disputes

This content has been withheld because of exemptions in the Freedom of Information Act 2000.