Transparency data

Memorandum of understanding: local authorities, the Department for Work and Pensions and HMRC for Council Tax debt reduction

Published 19 October 2023

This memorandum of understanding between local authorities, the Department for Work and Pensions and HM Revenue and Customs to manage and reduce Council Tax debt was approved and put in place in 2021.

1.   Introduction

Memorandum of understanding (MoU) (process) between HMRC’s Risk and Intelligence Service Data Analytics Team (RIS DAT) and Cabinet Office, including processing of 41 local authorities (listed in Annex A ) and Department for Work and Pensions (DWP) data for the Debt Recovery and Vulnerability Digital Economy Act pilot.

The reference number of the related umbrella MoU is: MoU-U-83

This MoU sets out the data sharing arrangements between the data controllers (local authorities, DWP and HMRC) and the data processor (Cabinet Office) for DEA/D/31-72, in relation to the managing and reducing of Council Tax debt and the identifying of vulnerability among Council Tax debtors.

This MoU documents the lawful basis for this data sharing initiative, what information will be shared, and how. All parties should enter into this MoU to demonstrate that data protection and privacy requirements have been taken into account, to set out how use of information meets the data protection principles, and how the rights of data subjects are protected.

All parties agree to observe all the obligations set out in this MoU and have signed accordingly to confirm that the process is documented correctly and represents a true account of their own processing activities.

This MoU does not provide indemnity from action under any law. It does not remove or reduce the legal obligations or responsibility of any party.

This data sharing initiative is to assess whether matching data held by pilot local authorities (as listed in Annex A), DWP and HMRC can help local authorities to manage and reduce Council Tax debt and to identify vulnerability among Council Tax debtors. DWP and HMRC are the only organisations with the data available to match the required income-based benefits data and PAYE/Self Assessment data, respectively.

Local authorities have identified that customer income-based benefit information from the DWP and PAYE and Self Assessment customer information from HMRC is potentially useful and could support managing overall Council Tax arrears and further developing its recovery procedures, by analysing the data provided by HMRC and DWP to:

  • identify customers whose circumstances make them vulnerable and providing appropriate support and appropriate recovery action, where they engage with the local authority

  • for those in employment, recovering individual Council Tax debts by attachment to earnings orders, where appropriate

  • identify forwarding addresses for customers who have moved, leaving Council Tax arrears outstanding

  • for those receiving benefits, recovering individual Council Tax debts by attachment to benefits orders, where appropriate

  • for those not identified as vulnerable, undertaking other recovery action, including the use of enforcement agents and other legal avenues

  • overall reducing use of enforcement agents and associated costs to customer

This is a significant change from the current local authority process and will allow local authorities to take positive action to identify and support vulnerable customers and recover the debt from those customers who are not engaging in the process and have already been informed of the action the local authorities may take.

This work focuses on the Digital Economy Act (DEA) helping a cohort of local authorities obtain DWP data for better data matching with HMRC and benefit activity to give a richer picture of Council Tax customers’ circumstances. In particular, customers that have fallen behind on Council Tax repayments and have a Council Tax liability order, although the outcome of this action may have some cross departmental customer debtor benefits including DWP. This will allow the local authorities to take debtors down the most suitable debt collection route, this would certainly result in more supportive route for more vulnerable customers identified by DWP as being on benefits. Or if the Council Tax customer is shown as working according to HMRC data, the local authorities can focus on liability orders for those customers and potential recovery from earnings. This will result in a more efficient recovery process for Council Tax arrears for local authorities, resulting in the most suitable recovery action, better arrears recovery will reduce overall Council Tax debt burden which will in effect reduces burden on budgets for spending on public services for the community.

HMRC considers that the disclosure of information to the Cabinet Office is necessary and proportionate to support the local authorities in managing and reducing Council Tax debt and identify vulnerability among Council Tax debtors.

Data sharing for this initiative is provided for by part 5, chapter 3, section 48 of the Digital Economy Act 2017 which enables data sharing between specified parties ‘for the purposes of the taking of action in connection with debt owed to a public authority or to the crown’.

The lawful processing of personal data will be undertaken by the data processor in line with article 6:1(e) of the UK General Data Protection Regulation (GDPR) (performance of a task in the public interest or exercise of official authority) and section 8(d) Data Protection Act (DPA) 2018 (function of a government department(s)).

DWP, HMRC and local authorities are data controllers for the preparation and transfer of the data while held in their own estate. Cabinet Office will act as a data processor for local authorities, as they are collating and processing the data on their behalf. All parties agree that the local authorities, DWP and HMRC are separately data controllers, as defined by the data protection legislation for the personal data they provide to meet the agreed purposes. Each party shall comply with all obligations imposed on a controller under the data protection legislation

3. Purpose of the agreement

The purpose of this pilot is to measure the potential yield of Council Tax recovery for the involved local authorities (as listed in Annex A) if they were to use DWP data relating to income-based benefits data and HMRC employment/Self Assessment data.

This is the second pilot following a successful pilot delivered in 2019 involving only HMRC and local authorities. This second pilot has 2 main aims:

  1. Increase identifications of vulnerable individuals with the addition of DWP income-based benefit data being supplied back to local authorities, these individuals will be segmented and offered other support, where appropriate. This pilot is supporting the government’s response to the National Audit Office’s ‘Tackling Problem Debt’, in particular, the request to ‘continue to explore how to improve data-sharing within government, to help tailor debt management approaches to debtors’ circumstances’.

  2. Increase match rate from HMRC – the first pilot’s matching rate was 54%, this was better than expected as this was based on an exact name match; by increasing the amount of individual identifications data, such as date of birth, phone and e-mail from local authorities, supported by National Insurance number and other data from DWP to allow an increase match rate and confidence level back from HMRC, with corresponding increases in returned data and therefore debt recovery.

If the request is not delivered the 2 aims will not be achieved.

The first pilot has proved the worth of HMRC data achieving a recovery rate of approximately 20%. By increasing the number of local authorities involved and the introduction of DWP included as an additional data source, the results are expected to be significantly higher.

Access to this data allows local authorities a more segmented approach to the recovery of Council Tax. The data received will, where possible, form part of an assessment to differentiate between:

  • those who cannot pay their debts because of vulnerable circumstances or financial hardship

  • those who may be able to pay their debt with additional support

  • those with the means to pay but have not paid

The pilot aims to reduce the use of more intrusive local authority methods of recovery, which should only be considered as a last resort, for example, the use of enforcement agents, bankruptcy and committal to prison. All pilot local authorities have and apply a policy which takes into account resident vulnerability and financial hardship. The policy includes taking reasonable steps to obtain a resident affordability assessment based on the standard financial statement (SFS), the industry recognised standard. Those identified as being in vulnerable circumstances or facing hardship will be treated fairly and where appropriate will be referred to internal and/or external sources of support.

The use of DWP data to increase the identification of individuals and increase the match confidence of individuals, by adding extra information, such as date of birth, phone number, email and National Insurance number, will significantly increase the match rate and confidence levels at HMRC and increasing the debt recovery for councils.

The local authorities, DWP and HMRC shall each share different data items within this pilot. These data items are detailed in section 4, with the breakdown provided in Annex C showing data item flow.

Local authorities will share respective samples of data with Cabinet Office showing individuals with Council Tax debts where liability orders have been obtained. Cabinet Office will act as a data processor for local authorities and collate the samples into a single spreadsheet to send to DWP to add their data.

DWP will firstly match against their benefit records, and for those matched customers will add income-based benefit data and corroborative customer information, such as National Insurance number or date of birth, and return to Cabinet Office.

Cabinet Office will then produce a minimised data set with the removal of benefit data and send to HMRC to further match against their records and add earnings/Self Assessment information. HMRC will then return the matched data set to Cabinet Office for them to produce a final collated spreadsheet containing all local authority, DWP and HMRC matched data.

Cabinet Office will then split the data and send this to the relevant local authority.

A snapshot of data will be taken before being issued to DWP/HMRC for evaluation during and post-action.

There is no HMRC function in this data share, HMRC are supplying data to Cabinet Office to support local authorities in their function.

4. Procedure

4.1 Background

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

The total sample of debtors will be approximately 300,000. The sample will exclude debtors who are:

  • in receipt of debt support - full or partial

  • deceased

  • subject to committal and bankruptcy cases

  • companies

  • subject to a current attachment of earnings.

The data items sent from local authorities to Cabinet Office are as follows:

  • local authority identification number (housing benefit number)

  • local authority name

  • party pin (unique refence number)

  • account number (Council Tax account number)

  • title

  • first name

  • middle name or initials

  • surname

  • date of birth

  • National Insurance number (if available)

  • property address and postcode

  • mailing address and postcode (if applicable)

  • mailing address start date (if applicable)

  • telephone numbers (where available)

  • email addresses (where available)

  • date of commencement of liability order (if applicable)

Cabinet Office will store this data securely, in accordance with DPA 2018. The data will be extracted, combined and then broken down into a single excel spreadsheets, not exceeding 10 megabytes, by Cabinet Office.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Prior to the transfer of data to DWP, CO will liaise with the DWP Data Sharing Team (DST) contacts to confirm which nominated individual is to receive the data on that day.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

DWP will match against their benefits records and, for those matched customers, will add additional corroborative data and income-based benefits information as follows:

  • match successful – yes or no

  • customer name as recorded on DWP records

  • National Insurance number as recorded by DWP (where available)

  • date of birth as recorded by DWP (where available)

  • telephone numbers (where available)

  • email addresses (where available)

  • income-based benefit in payment – yes or no

  • payment frequency – weekly or monthly

  • benefit amount

The DWP Tech Change Team will notify the DWP DST when the matching is complete.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

4.2 HMRC and Cabinet Office process

The area within HMRC who will be carrying out the matching will be Risk and Intelligence Services (RIS).

This content has been withheld because of exemptions in the Freedom of Information Act 2000 .

If the address provided does not match the current address held by HMRC, then previous addresses will be used as a match. If the customer information produces a successful match, RIS will return the following data items:

  • match successful - yes or no

  • full name as recorded by HMRC

  • address as recorded by HMRC

  • previous address as recorded by HMRC (if applicable)

If person is in current employment, RIS will check Real Time Information (RTI) systems based on the matched data to provide the following PAYE information:

  • PAYE reference number

  • employer name

  • employer address and postcode

  • employer contact details (such as email, phone number)

  • payroll identification in this employment

  • employment start date

  • employment end date (if applicable)

  • employment pay frequency

  • tax year

  • taxable pay in period

  • taxable pay year to date

If there is a live Self Assessment account for the individual, then RIS will match and return the following:

  • tax year

  • Self Assessment total income of last tax year

  • Self Assessment correspondence address and postcode

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

The password will be emailed from HMRC RIS DAT to Cabinet Office on confirmation of receipt of files(s).

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

On receipt of the final data product from HMRC RIS DAT, Cabinet Office will merge the data with the additional DWP benefits data and then disaggregate the final data set and create separate spreadsheets of the data relevant to each local authority.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

All local authorities shall receive their password from Cabinet Office via either phone call or text.

Each local authority will extract the data from the spreadsheet they receive from Cabinet Office. The data will be used solely for the purpose of this project and will not be retained for the purpose of any other use.

Local authorities will delete the data on completion of the pilot and its analysis, and this will be confirmed via email to Cabinet Office, DWP and HMRC contacts.

Local authorities will analyse the results from DWP and HMRC and for those in receipt of DWP income-based benefits:

  • pass to debt support team for action, communicate with the debtor

  • if debtor contacted and vulnerability discussed, support offered (where appropriate) and/or payment plan agreed

  • if no contact, local authority shall continue recovery action

For those in receipt of PAYE:

  • 14-day letter (as per the first pilot) to be issued to the debtor - if debtor contacted, payment plan or vulnerability discussed

  • if no contact, local authority shall progress attachment of earnings action

For those in receipt of Self Assessment:

  • communicate with the customer noting they are in receipt of Self Assessment

  • if debtor contacted, payment plan or vulnerability discussed

  • if no contact, local authority shall continue recovery action

This data sharing between HMRC and Cabinet Office does not require the sharing of special category data as defined by UK GDPR.

The data sharing does not require the sharing of data relating to criminal convictions or other security matters.

Neither HMRC or DWP is to retain the data beyond its matching operations. HMRC and DWP should confirm to Cabinet Office that the data has been deleted once the data has been confirmed as received and successfully downloaded by Cabinet Office.

The initial collated spreadsheet of local authority data (as collated by Cabinet Office) shall be deleted by Cabinet Office once it has been passed to DWP and DWP have confirmed receipt. Cabinet Office should confirm this to the local authorities via email.

The spreadsheet of matched records from HMRC RIS DAT (as sent to Cabinet Office) will be deleted by Cabinet Office once this data has been disaggregated and disseminated to the respective local authorities and they have confirmed receipt. Cabinet Office should confirm this to HMRC via email.

Local authorities will destroy all data after 12 months of the final data product being shared by Cabinet Office, which is the agreed pilot end date. This will be confirmed to Cabinet Office from local authorities.

Data is only being processed and collected in ways that individuals would reasonably expect.

Authorities are open and honest with data subjects and comply with the transparency obligations of the right to be informed.

All colleagues employed by the relevant local authorities will have a business need to access the information. They will be limited to data analysts and debt recovery officers. All users within the local authorities have signed data disclosure agreements and have received UK GDPR training.

5. Security and assurance

Cabinet Office, DWP and local authorities agree to:

  • only use the information for purposes that are in accordance with the legal basis under which they received it

  • only hold the data while there is a business need to keep it

  • ensure that only people who have a genuine business need to see the data will have access to it

  • store data received securely and in accordance with the prevailing central government standards, for example in secure premises and on secure IT systems

  • move, process and destroy data securely i.e. in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information

  • comply with the requirements in the Security Policy Framework, and in particular prepare for and respond to Security Incidents and to report any data losses, wrongful disclosures or breaches of security relating to information

  • report any data losses, wrongful disclosures or breaches of security relating to information originating in HMRC to the designated contacts immediately (within 24 hours of becoming aware) and agree to both advise, and consult with, HMRC on the appropriate steps to take, for example notification of the Information Commissioner’s Office or dissemination of any information to the data subjects

  • mark information assets with the appropriate security classification and apply the baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, issued by the Cabinet Office, and as a minimum the top level controls framework provided in the Annex – Security Controls Framework to the GSC

  • allow HMRC Internal Audit to carry out an audit to help in deciding whether HMRC should continue to provide the data, upon request

  • provide written, signed assurance that they have complied with these undertakings regularly upon request

6. Data protection legislation and Human Rights Act 1998

All parties will undertake their own Data Protection Impact Assessment for this data share. The below is in reference to the HMRC RIS DAT DPIA.

DPIA reference number: 8361 Date of DPIA: 4 July 2021

Nothing in this memorandum of understanding will limit the receiving department’s legal obligations under the data protection legislation – see section 17 below, glossary of terms and abbreviations.

All the information transferred by HMRC should be relevant, necessary and proportionate to enable Cabinet Office and local authorities’ ability to carry out their task or process.

HM Revenue and Customs, Cabinet Office, DWP and local authorities will become the data controller (as defined in the glossary of terms) of any personal data whilst on their estate under the terms of this MOU.

HM Revenue and Customs, Cabinet Office, DWP and local authorities are public authorities for the purposes of section 6 Human Rights Act. It would be unlawful for HMRC, Cabinet Office, DWP and local authorities to act in a way that is incompatible with European Convention on Human Rights.

7. Freedom of Information Act 2000

HMRC and public sector bodies are subject to the requirements of the Freedom of Information Act 2000 (FOI) and shall assist and co-operate with each other to enable each department to comply with their information disclosure obligations.

In the event of one department receiving an FOI request that involves disclosing information that has been provided by the other department, the department in question will notify the other to allow it the opportunity to make representations on the potential impact of disclosure.

All HMRC FOI requests must be notified to HMRC FOI team who will engage with the central FOI team in the supplying organisation.

HMRC’s FOI Team mailbox is: foi.team@hmrc.gov.uk

8. Direct, (or browser) access specific expectations

Not applicable

9. Costs/charges

HMRC will recharge the 41 local authorities for the time taken to provide the data and the governance documents for the local authorities to have the relevant data to assist in this project.

The local authorities listed in Annex A have confirmed that they have funds available for costs incurred by HMRC and DWP for this data share.

10. Contact details

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

All local authorities’ contacts involved in this data share are listed in Annex A.

11. Reporting and review arrangements

This is a one-off data sharing pilot to enable the participating local authorities to assess whether sharing data held by DWP and HMRC relating to income-based benefits data and PAYE/Self Assessment data, respectively, is useful for the local authorities in managing Council Tax debt via attachment of earning orders and when seeking to identify vulnerability among debtors.

As this is building on a previous pilot ran in 2018 which was documented under a Data Usage Agreement, the HMRC Chief Data and Acquisition Office (CDIO) advised that an MoU would be appropriate to document this share rather than a DUA.

This pilot is due to commence for 12 months upon the sharing of the final data product from Cabinet Office to relevant local authorities and action will be taken to cease this MoU on confirmation of the pilot end date, as to be confirmed by Cabinet Office when the final data set is sent to participating local authorities.

12. Resolving issues

Any complaints, problems and issues that are specific to the information exchanges covered by this MoU should immediately be referred to the contacts named in section 10. If these cannot be resolved they should be reported, in writing to:

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

13. Signatories

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

14. Document control personnel

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

15. Version history

Version Date Summary of changes Changes marked
0.1 12 May 2021 Initial draft No
0.2 21 May 2021 Email contacts updated No
0.3 7 June 2021 Amended as per Chief Data Office comments Yes
0.4 22 June 2021 Amended as per comments from Cabinet Office and DWP No
1.0 14 June 2021 Final draft for registration and signature No

16. Glossary of terms and abbreviations

*Advice from HMRC Office of the Data Protection Officer (June 2018)

Definition Interpretation
Ad hoc transfer is defined as being bulk data with a protective marking of sensitive or above and the transfer is part of a pilot or project with a definitive end date
Data controller has the meaning set out in article 4 UK GDPR or, in respect of processing of personal data for a law enforcement purpose to which part 3 of the Data Protection Act 2018 applies, the meaning in that part if different*
Data processor has the meaning set out in article 4 UK GDPR or, in respect of processing of personal data for a law enforcement purpose to which part 3 of the Data Protection Act 2018 applies, the meaning in that part if different*
Data Protection Legislation  means the General Data Protection Regulation ((EU) 2016/679), the Data Protection Act 2018 and all applicable laws and regulations relating to processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner*
Direct access covers an information sharing instance where the receiving department accesses the Information via direct, or browser, access to the source system rather than as an extracted information transfer - this agreement will require specific terms and conditions ensuring that access is appropriate and correctly applied, managed and recorded
FoIA means the Freedom of Information Act 2000 and any subordinate legislation made under this act together with any guidance and/or codes of practice issued by the Information Commissioner or Ministry of Justice in relation to such legislation
Granting access the governance and authority surrounding the authorisation of a person to have access to a system
Human Rights Act 1998 an act to give further effect to rights and freedoms guaranteed under the European Convention on Human Rights - public authorities like HMRC must follow the act
Information Asset Owner (IAO) means the individual within a directorate, normally the director, responsible for ensuring that information is handled and managed appropriately
Law means any applicable law, statute, bye-law, regulation, order, regulatory policy, guidance or industry code, rule of court or directives or requirements of any regulatory body, delegated or subordinate legislation or notice of any regulatory body
Provisioning access the technical channels through which access is made possible, including the request tools associated with this
Public sector body this will generally be another government department (OGD) but could be another public sector body (such as a local authority) - information sharing with a private sector body with which HMRC has a commercial relationship needs to be covered by a commercial contract, not an MoU.
Regulatory bodies means those government departments and regulatory statutory and other entities, committees and bodies which, whether under statute, rules, regulations, codes of practice or otherwise, are entitled to regulate, investigate, or influence matters dealt within this agreement and ‘regulatory body’ shall be construed accordingly
ROPA Records of Processing Activity - a mandatory inventory of a departments major processing activities involving personal data which is to be created or revised on setting up an exchange and amended if an exchange is substantially amended
Senior Information Risk Owner (SIRO) provides high level assurance of compliance with HMRC’s Information Asset data protection obligations
Abbreviation Description
CRCA The Commissioners for Revenue and Customs Act
MoU memorandum of understanding
FOIA Freedom of Information Act
FOI Freedom of Information
HMRC HM Revenue and Customs
PSB Public Sector Body
SPF Security Policy Framework
UK GDPR United Kingdom General Data Protection Regulation
LAs local authorities
DWP Department for Work and Pensions
CO Cabinet Office

17. Annex A - involved local authorities and sign off

The names of the local authority Senior Responsible Officer (SRO) have been withheld from the below table because of exemptions in the Freedom of Information Act 2000.

Local authority Date of signing
Bath & North East Somerset 27 July 2021
Birmingham 19 July 2021
Brighton & Hove 20 July 2021
Blackpool 20 July 2021
Breckland 29 July 2021
Central Bedfordshire 20 July 2021
Cheshire East 22 July 2021
Cornwall 21 July 2021
Croydon 5 August 2021
Dacorum 29 July 2021
Denbighshire 19 July 2021
Ealing 28 July 2021
East Cambridgeshire 29 July 2021
East Riding of Yorkshire 28 July 2021
East Suffolk 21 July 2021
Fenland 28 July 2021
Fylde 19 July 2021
Gateshead 22 July 2021
Gloucester City 22 July 2021
Islington 29 July 2021
Lancaster 30 July 2021
Lewisham 2 August 2021
Liverpool 9 August 2021
Malvern Hills District 19 July 2021
Manchester 4 August 2021
Newcastle City Council 4 August 2021
Newport 25 July 2021
North Tyneside Council 27 July 2021
Northumberland County Council 3 August 2021
Preston City Council 30 July 2021
Redbridge 27 July 2021
Rotherham 20 July 2021
Salford City Council 19 July 2021
Southampton 19 July 2021
Southwark 20 July 2021
Sunderland 2 August 2021
Vale of Glamorgan Council 28 July 2021
Watford 20 July 2021
West Suffolk 28 July 2021
Worcester City 27 July 2021
Wychavon District 21 July 2021