Data Usage Agreement: Future Fund pilot
Published 19 October 2023
This Data Usage Agreement for the Future Fund pilot between British Business Financial Limited and HMRC to identify potential fraud was approved and put in place in 2022.
1. Conditions of disclosure of information by HMRC
British Business Financial Services Limited (BBFSL), a subsidiary of the British Business Bank plc (BBB), is appointed under a deed of authority and a services agreement as agent to the Secretary of State for the Department of Business, Energy and Industrial Strategy (BEIS) in relation to the administration of the Future Fund Scheme and various loan guarantee schemes created in response to the COVID-19 pandemic including the Bounce Back Loan Scheme.
HMRC disclose this information to the BBFSL, by virtue of the legal basis of section 56 of the Digital Economy Act (DEA) disclosure for the purpose of ‘taking of action in connection with fraud against a public authority’ on the condition that HMRC and BBFSL undertake the following:
- complete a data protection impact assessment (DPIA)
- adhere to the DEA code of practice and complete all relevant documentation and have ministerial approval
- adhere to this Data Usage Agreement (DUA)
HMRC has completed a DPIA to go alongside this DUA. BBFSL has completed its own DPIA to consider the handling of HMRC information.
1.1 Purpose
The purpose of this data share pilot is to enable the sharing of information by HMRC to BBFSL, where HMRC has reasonable concerns of likely fraudulent activity by a number of entities and associates.
The aim of the pilot is to enable BBFSL to investigate potentially fraudulent activity within the Future Fund and the Bounce Back Loan Scheme and take appropriate action.
1.2 Data specification
The information shared by HMRC will include information about individuals, businesses, and their trading and financial affairs in bank statements, financial records, business records and communications. It follows that the information will contain personal data, including director names, business addresses and email addresses.
1.3 Lawful basis
The lawful basis is UK GDPR article 6(1)(e): processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, namely the exercise of a function of the Crown, a Minister of the Crown or a government department (Data Protection Act 2018, section 8(d)).
1.4 Legal basis
Under section 18 (1) of the Commissioners for Revenue and Customs Act (CRCA) 2005, HMRC is bound by a strict duty of confidentiality, meaning that HMRC officers may not disclose information HMRC holds for its functions. However, HMRC information may be disclosed where one of the statutory exceptions in section 18 (2) CRCA 2005 applies or where disclosure is permitted under any other enactment pursuant to section 18 (3) CRCA 2005.
Any person who discloses HMRC information which identifies a taxpayer without a lawful basis to do so under either section 18 (2) or (3) of CRCA 2005 potentially commits a criminal offence of wrongful disclosure pursuant to section 19 CRCA 2005. A person found guilty of an offence may receive an unlimited fine, imprisonment of up to 2 years or both.
In this particular case, disclosure is permitted by virtue of part 5, chapter 4 of the DEA 2017 and in particular section 56. This permits disclosure between specified persons for the purposes of taking action in connection with fraud against a public authority.
Specified persons for the purposes of section 56 powers are set out in schedule 8 of DEA 2017 and include HMRC at paragraph 14 and also include a person providing services to a specified person under paragraph 41. In this case, BBB is a wholly government owned bank with oversight and direction provided by the Secretary of State for BEIS. Its subsidiary, BBFSL, is appointed as agent by BEIS to administer both the Bounce Back Loan Scheme and the Future Fund Scheme on its behalf. BEIS is a specified person by virtue of paragraph 6 of schedule 8 DEA 2017.
1.5 Data security
BBFSL will undertake in relation to the information provided to BBFSL hereunder to:
- move, process and destroy data securely i.e. in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
- only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information (linked to the purpose) will have access to it
- store the data in a secure folder in a shared drive with restricted access to members of the team who are directly involved in the data share and only keep it for the time it is needed, and then destroy it securely on agreement of all parties
- not onwardly disclose HMRC information without the prior authorisation of HMRC other than what is provided for in section 56 of the DEA 2017
- restrict access to the information by applying additional access restrictions to the designated storage point
- comply with the requirements in the Security Policy Framework, and be prepared for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to the information provided to BBFSL hereunder
- mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, and in particular as set out in the Annex – Security Controls Framework to the GSC
1.6 Security incidents
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
1.7 How data will be shared
HMRC will share the data using secure means, via the Secure Data Exchange Service (SDES). The file documentation will be labelled or referenced as Project Sunshine.
The path of data transfer is described below:
- HMRC compiles a data file containing documentation and communications relating to specific businesses and individuals
- HMRC uploads this file to SDES, a secure transfer system for BBFSL to access - this is a one-off data share
- BBFSL will save the documents to a designated folder that will have additional access controls to restrict access to designated individuals from BBB and Price Waterhouse Coopers (PwC) - PwC is contracted as a data processor, to administer the Future Fund and Bounce Back Loan Scheme under BBFSL’s instruction
- information will, where appropriate, be shared with BBFSL’s external legal advisers who are advising BBFSL on the investigation
1.8 Data Usage Agreement
This Data Usage Agreement is anticipated to last for 6 months, at which point it will be reviewed to determine whether the Pilot needs to continue for a further period of time.
1.9 Data controllers and data processors
HMRC and BBFSL act as separate data controllers. HMRC will be data controller whilst the data is on its estate. BBFSL will be data controller once the data is received on its estate. PwC are a data processor acting on the instructions of BBFSL.
1.10 Freedom of Information and Subject Access Requests
HMRC and BBB/BBFSL are subject to the Freedom of Information Act 2000, and will assist and cooperate with each other, to enable each to comply with its information disclosure obligations.
Where a Freedom of Information request is received by a party to this agreement, which relates to data that has been provided under this agreement, the party receiving the request will notify the other relevant party to allow them the opportunity to make representation on the potential impact of disclosure:
Data subjects are entitled to exercise their data subject rights when their personal data is processed. Where either party receives a data subject request, the party receiving the request will, where appropriate to do so, notify the other relevant party to allow them the opportunity to make representation on the potential impact of disclosure:
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
1.11 Costs
If appropriate, HMRC will recharge BBFSL for the time taken to provide the data and the governance documents for Cabinet Office to have the relevant data to assist in this project.
1.12 Disputes
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
Whilst BEIS [footnote 1] are signatory to the Data Usage Agreement, no HMRC data will be shared, directly or indirectly, with BEIS and as such BEIS are not responsible as data controllers and do not have any obligations concerning the data being shared. BEIS are only party to the Data Usage Agreement given that BBFSL are providing services to BEIS under schedule 8 of Digital Economy Act 2017.
[footnote 1] BEIS existed until 2023 when it was split to form the Department for Business and Trade (DBT), the Department for Energy Security and Net Zero (DESNZ) and the Department for Science, Innovation and Technology.