Transparency data

Memorandum of Understanding: sharing of employment data to enable the detection and prevention of fraud and error within the apprenticeships programme

Published 19 October 2023

This memorandum of understanding for the sharing of employment data to enable the detection and prevention of fraud and error within the apprenticeships programme was agreed and put in place in 2023.

1. Participants to the MoU

Both participants to this memorandum of understanding (MoU) reserve the right to terminate this MoU with 3 months’ notice in the following circumstances:

  • by reason of cost, resources, or other factors beyond the control of HMRC or participant 2
  • if any material change occurs which, in the opinion of HMRC and participant 2 following negotiation, significantly impairs the value of the data sharing arrangement in meeting their respective objectives

In the event of a significant security breach or other serious breach of the terms of this MoU by either participant, the MoU will be terminated or suspended immediately without notice.

In the event of a failure to cooperate in a review of this MoU or provide assurance the agreement may be terminated or suspended without notice.

The process memorandum of understanding (MoU) register ID / reference is: MoU-P-79

HM Revenue and Customs (HMRC) is referred to as ‘participant 1’ and Department for Education (DfE) is referred to as ‘participant 2’. Collectively they are referred to as ‘the participant(s)’.

1.1 Participant 1 - HMRC

Address: HMRC, 100 Parliament Street, London, SW1A 2BQ

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

1.2 Participant 2 – Department for Education (DfE)

Address: Department for Education, Cheylesmore House, Quinton Road, Coventry CV1 2WT

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

2. Introduction

This MoU sets out the information sharing arrangement between the aforementioned participants. For the context of this MoU ‘information’ is defined as a collective set of data and/or facts that when shared between the participants through this MoU will support the participants in delivering the purpose of the data sharing activity described in section 3 below.

Information will only be exchanged where it is lawful to do so. The relevant legal bases are detailed within this agreement. It should be noted that ‘exchange’ covers all transfers of information between the participants, including where one participant has direct access to information or systems in the other.

This MoU is not intended to be legally binding. It documents the respective roles, processes, procedures, and agreements reached between HMRC and the participants. This MoU should not be interpreted as removing, or reducing, existing legal obligations or responsibilities of each participant, for example as controllers under the UK General Data Protection Regulation (GDPR).

A glossary of terms and definitions of the abbreviations used in this MoU is provided in annex A of this MoU.

3. Purpose and benefits of the data sharing agreement

3.1 Describe the purpose of the MoU and HMRC’s view of why it is necessary and proportionate

Following two previous successful pilots, it has been found that HMRC data supports DfE in the detection of fraud and error, and by moving to a ‘business as usual’ (BAU) share, the data will also contribute to the prevention of fraud. Because the pilots were so successful in detection, the main purpose of the share is to further enable DfE to detect and prevent fraud and error within the apprenticeships programme, protecting public funds from being paid where the apprentice does not meet the eligibility criteria.

Using Digital Economy Act (DEA) 2017 legislation, DfE undertook a pilot which proved the value of a data share between HMRC and DfE. The successful pilot was presented to the Cabinet Office review board in October 2023 and received approval to move to BAU on 9 December 2023 from Baroness Neville-Rolfe.

DfE funds independent training providers to administer training to apprentices; the providers are paid per apprentice registered.

The apprenticeships programme has an annual budget of around £2.7 billion. On average, there are approximately 30,000 apprentice starts per month. An apprenticeship is a paid job where the employee gains occupational competence and includes at least 20% off-the-job training.

To access DfE funding, training providers are required to submit apprentice monthly data via an Individual Learner Record (ILR) with payments made in arrears directly to the provider for each apprentice. Training providers complete initial eligibility checks to ensure the apprenticeship is in accordance with the apprenticeship funding rules.

DfE regularly performs checks on data submitted via the providers’ ILR, including checks to confirm the accreditation of the provider, employer details, data quality through automated validation and the identification of data patterns and anomalies for potential gaming.

However, it is recognised that existing checks may not detect fraud risks relating to training providers claiming funding for ineligible apprentices – to be eligible for funding, an apprentice must be employed for the duration of their apprenticeship by the named employer(s).

DfE already have in place an Application Programming Interface (API) with HMRC; however, this would require an amendment to give DfE the apprentice employment information needed to check if fraud is present. Until the API has been amended, this will be an interim data share. It is anticipated it will take approximately 18 to 24 months for this to happen.

A representative from HMRC attended the Cabinet Office review board and approved, along with all other members, that the disclosure of HMRC information to DfE is necessary and proportionate to support DfE in detecting and preventing fraud and error within the apprenticeship programme.

3.2 What are the specific aims of the data sharing agreement?

The main aim of the data sharing agreement is to facilitate the safe and lawful exchange of data between HMRC and DfE to protect public funds from being paid for ineligible learners.

DfE will provide HMRC details of the apprentices, including name, National Insurance number, date of birth, address and employer Pay As You Earn (PAYE) scheme number, which will then be matched against HMRC records to verify identity.

The data will be further matched by HMRC against their employment systems, PAYE and self-assessment records to provide the relevant employment data needed by DfE to confirm an individual’s continued status as an employee through the duration of their apprenticeship and verify that the apprentice is paid a wage in line with the apprenticeship funding rules.

3.3 How will the data being shared help achieve those aims?

HMRC is a non-ministerial department established by The Commissioners for Revenue and Customs Act 2005 (CRCA 2005). HMRC are the UK’s tax, payments and customs authority and through these functions HMRC collects the data that is necessary to support this data share with DfE.

HMRC are the only organisation with the data available to undertake verification of both National Insurance number and employment status.

Access to HMRC data will allow DfE to confirm that the apprentice is employed at the start of their apprenticeship and continues to be employed for the duration of their apprenticeship. It will also confirm the apprentice is paid at least the National Minimum Wage for apprentices. Where these eligibility criteria cannot be established, DfE aim to prevent payments from being made.

3.4 Describe the benefits that the participants hope to bring to individuals or society or the wider impact

Department for Education

Detection and prevention of this type of fraud and error will ensure that apprenticeship funds are only used for their intended purpose to support eligible apprentices. Additional funds will therefore be available to fund eligible starts, helping to address England’s skills gap by providing more apprenticeships.

Improving approaches to fraud and irregularity represents part of the DfE’s policy objective to use data to ‘improve departmental outcomes, value for users and value for money’ and to ‘invest in the tools, processes, standards and frameworks needed to enable safe, secure data sharing across departments to support decision making and improve services’ (DfE outcome delivery plan 2021 to 2022).

Prevention of funding for ineligible apprenticeships will increase the quality of apprenticeships overall and improve apprentice retention.

Conforming with Treasury’s Managing Public Money

Parliament looks to HM Treasury to make sure that departments use their powers only as it has intended, and that revenue is raised, and the resources so raised spent, only within the agreed limits. Hence it falls to HM Treasury to set the ground rules for the administration of public money and account to parliament for doing so. The key requirements are regularity, propriety, value for money and feasibility.

Points on regularity and propriety are listed below:

  • regularity: compliant with the relevant legislation and wider legal principles such as subsidy control and procurement law, delegated authorities and following the guidance in this document
  • propriety: meeting high standards of public conduct, including robust governance and the relevant parliamentary expectations, especially transparency

HMRC

While there are no direct benefits to HMRC, the sharing of HMRC data encompasses these fundamental requirements for management of public money by ensuring they meet the policies they are intended for.

4. Type of data being shared under this agreement

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

4.1 Does this MoU agreement involve the exchange of personal data?

Yes

4.2 Data Protection Impact Assessment (DPIA)

HMRC - have you completed a DPIA?

Yes

DPIA reference number: 1024

Date DPIA was registered: 24 March 2023

Date DPIA was last reviewed: 24 March 2023

Participant 2 - have you completed a DPIA?

Yes

DPIA reference Number: DSR00282

Date DPIA was registered: 23 November 2022

Date DPIA was last reviewed: 23 November 2022

4.3 Relationships under UK GDPR in respect of any personal data being exchanged under this agreement

Status of HMRC under UK GDPR

HMRC will be disclosing and receiving personal data under this agreement.

Where personal data is being disclosed under this agreement, HMRC’s status will be a controller because HMRC separately determines the purpose and means of the processing of the personal data.

Where personal data is being received under this agreement, HMRC’s status will be a controller because HMRC separately determines the purpose and means of the processing of the personal data after transfer.

Status of DfE under UK GDPR

DfE will be disclosing and receiving personal data under this agreement.

Where personal data is being received under this agreement, DfE’s status will be a controller because they separately determine the purpose and means of the processing of the personal data after transfer.

Where personal data is being disclosed under this agreement, DfE’s status will be a controller because they separately determine the purpose and means of the processing of the personal data.

4.4 Handling of personal data and security

Where participants bear the responsibility of a data controller, they must ensure that any personal data received pursuant to this MoU is handled and processed in accordance with the current seven UK GDPR principles.

Additionally, as part of the government, HMRC and participant 2 must process personal data in compliance with the mandatory requirements set out in HM Government Security Policy Framework guidance issued by the Cabinet Office when handling, transferring, storing, accessing or destroying information assets.

Participants must ensure effective measures are in place to protect personal data in their care and manage potential or actual incidents of loss of the personal data. Such measures will include, but are not limited to:

  • personal data should not be transferred or stored on any type of portable device unless absolutely necessary, and if so, it must be encrypted, and password protected to an agreed standard
  • participants will take steps to ensure that all staff involved in the data sharing activities are adequately trained and are aware of their responsibilities under the Data Protection Act (DPA), UK GDPR and this MoU
  • access to personal data received by participants pursuant to this MoU must be restricted to personnel on a legitimate need-to-know basis, and with security clearance at the appropriate level
  • participants will comply with the Government Security Classifications Policy (GSCP) where applicable

5. Duration, frequency and volume of the data sharing

Date MoU comes into effect: 4 April 2023

Date by which MoU needs to be formally reviewed: 3 April 2023

Date MoU will cease to be valid: 3 April 2024

5.1 Frequency and volume of data being shared:

For the short-term tactical data cuts, the frequency will be between every 2 months. It is anticipated both the first and subsequent data sets will involve approximately 500,000 learners (with around 1.4 million records). For an automated API solution, data requests will be on a monthly basis to align with training provider data collection and payments.

HMRC has specific legislation within the Commissioners for Revenue and Customs Act (2005) which covers the confidentiality of information held by the department, when it is lawful to disclose that information and legal sanctions for wrongful disclosure. For HMRC, disclosure of information is precluded except in certain limited circumstances (broadly, for the purposes of its functions, where there is a legislative gateway or with customer consent). Unlawful disclosure relating to an identifiable person constitutes a criminal offence. The criminal sanction for unlawful disclosure is detailed at section 19 of the Commissioners for Revenue and Customs Act 2005.

Data can only be shared where there is a legal basis for the exchange and for the purposes described in this MoU as specified at section 10 below. No data should be exchanged without a legal basis and all exchanges must comply with our legal obligations under both the Data Protection Act 2018 and Human Rights Act (HRA) 1998.

Section 56 of the Digital Economy Act 2017 (DEA) permits HMRC to disclose any information including identifying information held in connection with our functions to a specified person in schedule 8 of the DEA for the purposes of taking action in connection with fraud against a public authority.

Under the Digital Economy Act 2017 (DEA), chapter 4 provides statutory powers that allow data to be shared for the purposes of taking action in connection with fraud.

Section 56 of DEA 2017 creates a gateway enabling ‘specified persons’ namely the Secretary of State and HMRC to take action in connection with fraud against a public authority, that includes preventing fraud, detecting fraud, investigating fraud, prosecuting fraud, bringing civil proceedings as a result of fraud and taking administrative action as a result of fraud, and therefore the legal gateway can be through section 56 DEA 2017 for sharing data with HMRC.

Improving approaches to fraud and irregularity represents part of the DfE’s policy objective to use data to “improve departmental outcomes, value for users and value for money” and to “invest in the tools, processes, standards and frameworks needed to enable safe, secure data sharing across departments to support decision making and improve services” (DfE outcome delivery plan 2021 to 2022).

6.1 Lawful basis under UK GDPR to process personal data

Personal data can only be processed (transferred, disclosed) where there is a valid lawful basis or bases as set out in article 6 of UK GDPR.

Provide the relevant lawful basis for HMRC to process (share) personal data

The lawful basis for processing is article 6(1)(e) of the GDPR, performance of a public task. The mechanism relied on under law is the Digital Economy Act 2017, chapter 4, section 56 (disclosure of information to combat fraud against the public sector):

  • a specified person may disclose information held by the person in connection with any of the person’s functions to another specified person for the purposes of the taking of action in connection with fraud against a public authority
  • in this section and in schedule 8 ‘fraud against a public authority’ means a fraud offence which involves loss to a public authority, or the exposure of a public authority to a risk of loss

In subsection (2) — ‘fraud offence’ means an offence under section 1 of the Fraud Act 2006 or, in relation to Scotland, an offence of fraud, and ‘loss’, as it applies in relation to an offence under section 1 of the Fraud Act 2006, has the meaning given by section 5 of that act.

For the purposes of this section and schedule 8, taking action in connection with fraud against a public authority includes any of the following: preventing fraud of that kind; detecting fraud of that kind; investigating fraud of that kind; prosecuting fraud of that kind; bringing civil proceedings as a result of fraud of that kind; taking administrative action as a result of fraud of that kind.

7. Data to be shared and systems it will be derived from

7.1 Describe the types of data / data fields being shared and their source systems

The data will be shared every 2 months for the short-term tactical solution.

The data provided by DfE to HMRC will be:

  • apprentice ID
  • apprentice first name
  • apprentice surname
  • apprentice date of birth
  • apprentice postcode
  • apprentice national insurance number
  • employer PAYE scheme

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Only positive matches will be returned and HMRC Risk and Intelligence Service (RIS) Government Data Exchange Team will not return the National Insurance number or the postcode.

Where a match is found using these data fields, HMRC to supply DfE the following information:

  • name
  • address
  • date of birth
  • confirmation of employer PAYE scheme
  • tax year
  • start date
  • leaving date
  • latest payment date
  • pay frequency
  • pay in latest period
  • taxable pay in period
  • taxable pay year to date
  • Self Assessment employment flag
  • Self Assessment self-employment flag - if yes, when were they registered from

It is intended that this manual data share is replaced by an API in due course.

7.2 What is the Government Security Classification for the data being shared?

Official-sensitive

7.3 Is there any special category data, sensitive data or criminal offence data being shared?

No

8. How the data will be shared

8.1 Describe the method by which data will be transferred under this agreement

DfE will populate an Excel document with customer details.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

HMRC/DfE will send/receive the data via Secure Data Exchange Service (SDES) for which both DfE and HMRC are authorised users.

A Data Exchange Request (DER) will be in place for both the inbound and outbound data share and will be approved prior to any data being exchanged.

8.2 Will direct (or browser) access to HMRC systems be granted?

No

9. Accuracy of the data being shared

Before sharing data, both participants must take all reasonable steps to ensure that the data being shared is both accurate and up to date.

The exporting department will ensure that data integrity meets their own department’s standards, unless more rigorous or higher standards are set out and agreed at the requirements stage.

Participants will notify each other of any inaccuracies of the data as they are identified.

10. Retention and destruction of data

10.1 State how long the data will be retained for by each participant and what their arrangements are for secure storage, and disposal / destruction of data.

HMRC

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

The inbound dataset is received every 2 months.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Auto reminders in Outlook are set by the government Data Exchange Team (DET) analyst to delete the data as required after delivery.

As an added level of assurance, the data deletion is also recorded on a RIS government DET General Data Protection Regulation (GDPR) tracker document, which is an Excel tool outlining all data sharing and what date the data is deleted. This is reviewed on a monthly basis by the grade 7 RIS government DET lead and checks are undertaken that data is deleted on time. In the event of an analyst being absent, the grade 7 will arrange for the deletion of the data.

Department for Education

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Data will be processed at DfE by the designated team working on this project.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Records are retained in this location for 6 plus 1 years for audit purposes in line with DfE standard practice.

10.2 State what access controls each participant will have in place to ensure access to the data will only be provided to authorised personnel with the appropriate security clearance.

HMRC

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

All of the RIS government DET team have the relevant security clearance which is reviewed every 10 years.

Department for Education

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

All DfE data analysts with access have the relevant security clearance (enhanced DBS) which is reviewed every 10 years.

11. Onward disclosure to third parties

Participant 2 agrees to seek permission from HMRC before any onward disclosure of information to a third party and will only disclose any information if permission is granted.

HMRC information would only be disclosable to law enforcement, if regulatory action was taken in respect of the fraud investigation being undertaken by DfE.

DfE will need HMRC’s consent before they can onwardly disclose any HMRC data shared with them under section 56 of the DEA.

12. Role of each participant to the MoU

Role of HMRC:

  • identify the appropriate data required from HMRC IT systems / records
  • provide the data to participant 2 in Microsoft Excel transferred by Secure Data Exchange Service (SDES) from and to agreed contact points
  • only allow access to that data by the team requiring it
  • ensure that staff handle this data in line with the approved secure transfer method agreed by both departments and within HM Revenue & Customs data security instructions
  • only store the data for as long as there is a business need to do so
  • move, process and destroy data securely, in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
  • comply with the requirements in the Security Policy Framework, and in particular prepare for and respond to Security Incidents and to report any data losses, wrongful disclosures or breaches of security relating to information

Role of participant 2:

  • identify the appropriate data required from HM Revenue & Customs
  • only use the information for purposes that are in accordance with the legal basis under which it was received
  • only hold the data for as long as there is a business need to do so
  • ensure that only people who have a genuine business need to see the data will have access to it
  • on receipt, store data received securely and in accordance with the prevailing central government standards, for example in secure premises and on secure IT systems
  • move, process and destroy data securely in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
  • comply with the requirements in the Security Policy Framework, and in particular prepare for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
  • if participant 2 adheres to a different set of security standards they must inform HMRC what these standards are at 16.3 below and comply with any additional security requirements specified by HMRC
  • seek permission from HMRC before onward disclosing information to a third party
  • seek permission from HMRC if you are considering offshoring any of the personal data shared under this agreement
  • mark information assets with the appropriate government security classification and apply the baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications (GSC), issued by the Cabinet Office, and as a minimum the top level controls framework provided in the Annexe – Security Controls Framework to the GSC
  • where applicable, send the data in Microsoft Excel format via Secure Data Exchange Service (SDES) agreed by both departments under the protective marking ‘Official Marked/Official-Sensitive’

13. Monitoring and reviewing arrangements

This MoU relates to a regular exchange that must be reviewed annually to assess whether the MoU is still accurate and fit for purpose.

Reviews outside of the proposed review period can be called by representatives of either participant. Any changes needed as a result of that review may be agreed in writing and appended to this document for inclusion at the formal review date.

Technical changes necessary to improve the efficiency of the exchange that do not change the overarching purpose can be made without the requirement to formally review the MoU during its life cycle but must be incorporated at the formal review stage.

A record of all reviews will be created and retained by each participant.

Appendix 2 outlines the contacts for amendments to the MoU. Appendix 1 sets out the document control, and the version history of the MoU.

14. Assurance arrangements

HMRC has a duty of care to assure any data that is passed on to others. Processes covered by this MoU will be subject to annual reviews, from the date of sign off (to be inserted). HMRC may also choose to introduce ad hoc reviews.

Assurance will be provided by the annual completion of a certificate of review & assurance. The assurance processes should include checking that any information sharing is achieving its objectives (in line with this MoU) and that the security arrangements are appropriate given the risks.

Participant 2 agrees to provide HMRC with a signed Certificate of Review and Assurance (CoRA) within the time limits specified upon request.

HMRC reserves the right to review the agreed risk management, controls, and governance in respect of this specific agreement.

15. Security breaches, security incidents or loss or unauthorised disclosure of data

The designated points of contact (provided at appendix 2 of this MoU) are responsible for notifying the other participant in writing in the event of loss or unauthorised disclosures of information within 24 hours of the event.

The designated points of contact will discuss and agree the next steps relating to the incident, taking specialist advice where appropriate. Such arrangements will include (but will not be limited to) containment of the incident and mitigation of any ongoing risk, recovery of the information, and notifying the information commissioner and the data subjects. The arrangements may vary in each case, depending on the sensitivity of the information and the nature of the loss or unauthorised disclosure.

16. Subject Access Requests

In the event that a Subject Access Request (SAR) is received by either participant, they will issue a formal response on the information that they hold following their internal procedures for responding to the request within the statutory timescales. There is no statutory requirement to redirect SARs or provide details of the other participant in the response. However, each participant will notify the other if a SAR is received in respect of any personal data shared under this agreement. Contact details are at appendix 2.

Full details of data subject’s rights in relation to processing of personal information can be found in each participant’s privacy notice – links below. Also, see ICO guidance.

  • HMRC privacy notice
  • Apprenticeship Service privacy notice
  • ILR privacy notice
  • ICO Data Sharing Code of Practice – The rights of individuals

17. Freedom of Information Act (FOI) 2000

Both participants are subject to the requirements of the Freedom of Information Act (FoIA) 2000 and shall assist and co-operate with each other to enable each organisation to comply with their information disclosure obligations.

In the event of one participant receiving a Freedom of Information request that involves disclosing information that has been provided by the other participant, the organisation in question will notify the other to allow it the opportunity to make representations on the potential impact of disclosure.

All HMRC FoI requests must be notified to the central HMRC FOI team inbox.

18. Issues, disputes and resolution

Any issues or disputes that arise as a result of exchange covered by this MoU must be directed to the relevant contact points listed in appendix 2. Each participant will be responsible for escalating the issue as necessary within their given management structure.

Where a problem arises it should be reported as soon as possible. Should the problem be of an urgent nature, it must be reported by phone immediately to the designated ‘business as usual’ contact (listed in appendix 2) and followed up in writing the same day. If the problem is not of an urgent nature it can be reported in writing within 24 hours of the problem occurring.

19. Costs

19.1 Will there be a charge for this service?

Any time incurred by HMRC for the delivery of this data and information will be recovered and paid for by DfE.

The HMRC RIS analyst will submit the recharging control sheet to the RIS finance team, each time data is shared, to ensure an invoice will be raised to DfE.

20. Termination

This MoU may be terminated by giving three months’ notice by either participant.