Data Usage Agreement: pilot to investigate fraud for UK Research and Innovation
Published 20 March 2025
© Crown copyright 2025
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/pilot-to-investigate-fraud-for-uk-research-and-innovation-2021/data-usage-agreement-pilot-to-investigate-fraud-for-uk-research-and-innovation
This Data Usage Agreement between HMRC and UK Research and Innovation was agreed and put in place in 2021.
Conditions of disclosure of information by UK Research and Innovation
UK Research and Innovation (UKRI) disclose this information to HMRC by virtue of the legal basis of section 56 of the Digital Economy Act (DEA) – disclosure for the purpose of ‘taking of action in connection with fraud against a public authority’ on the condition that HMRC undertake to:
- complete a Data Protection Impact Assessment (DPIA)
- adhere to the DEA Code of Practice and complete all relevant documentation and have ministerial approval
- adhere to this Data Usage Agreement
A DPIA has been completed by UK Research and Innovation to go alongside this DUA.
Purpose
The purpose of this pilot is to detect suspected fraud committed in relation to the CJRS furlough funding available to eligible companies and/or government grant recipients. As the potential crossover of government grant recipients wrongfully also applying for furlough funding relief should be relatively straightforward to identify, UK Research and Innovation seeks to detect overlap of CJRS funding – covering periods wherein the grant recipients were claiming grant awards for carrying out specific activities that either were not performed (as staff were correctly furloughed) or where activities were carried out by staff who should not have been working.
Data specification
The information sent to HMRC by UK Research and Innovation will be circa 1500 companies, comprising:
- company name
- company registration number
These data items are as provided by the applicant company in their claim for a UK Research and Innovation grant award. These data items have also been cross-referenced with publicly available Companies House data.
The pilot will commence following approval by the DEA Board and any subsequent approval, during the month of August 2021.
The pilot will end once all HMRC data matching activity, provided to UKRI, and any clarification of data is completed. Given that the scope of companies exceeds 1,400 this is envisaged that this may require up to 6 months, February 2022, depending on the complexities of requirements and data cleansing.
HMRC will then match against the relevant PAYE criteria and return matches on those companies. HMRC will take appropriate steps to address false positives and negatives.
Rationale, such as necessity, and data minimisation are considered here to support data protection principles. If a match is identified, HMRC will check against the following data points and provide the following returns.
| Data item | Reason | Return |
|---|---|---|
| Has the entity received CJRS payment? | To aid detection of whether an entity is mistakenly or fraudulently claiming for both CJRS funding as well as government grant when they should not claim for both, either wrongfully claiming for CJRS funding for staff that are still working, or claiming for grant funding to fund activities that cannot be | A simple confirmation that the entity did receive CJRS funding. ‘N’ to denote that they were not in receipt |
| Do the companies have more than one PAYE scheme? | To ensure all CJRS funding is captured | Results to be supplied separately, for example, one for directors and one for other staff |
| Over what period was CJRS funding claimed? | To check if the entity was claiming for CJRS funding at the time it was supposed to be carrying out grant funded activities | Start and end dates that CJRS was paid to the entity in ‘dd/mm/yyyy’ format. This should include each of the extensions of the CJRS – from November 2020 and May 2021 |
| What amount of money was paid to the entity as CJRS funding? | To help ascertain if this was for a significant proportion of staff usually employed by the entity or merely a smaller number (as an indicator of how likely this is to be wrongful). Also to provide some data on how much money was wrongfully paid should fraud be proven in any subsequent investigation | The amount paid in pounds sterling (£) |
Data security
UK Research and Innovation will undertake to:
- move, process and destroy data securely, in line with the principles set out in HM Government Security Policy Framework issued by the Cabinet Office when handling, transferring, storing, accessing or destroying information
- only use the data for the purposes that it has been disclosed for and ensure that only those with a genuine business need linked to purpose to see the information will have access to it
- HMRC will store all data supplied by UK Research and Innovation in a secure folder within the HMRC Knowledge, Analysis and Intelligence and limit access to those involved in the pilot, including the investigation teams, and only keep it for a period of no more than 6 months from the date the data is sent from UK Research and Innovation to HMRC, after which it will be destroyed, except where the data is required to continue and conclude ongoing investigation and criminal cases
- UKRI will store all data supplied by HMRC in a secure folder within the UKRI SharePoint and limit access to UKRI Counter Fraud staff and only keep it for a period of no more than 6 months from the date the data is sent from HMRC UKRI after which it will be destroyed, except where the data is required to continue and conclude ongoing investigation and criminal cases
- not onwardly disclose the information without the prior authorisation of HMRC other than what is provided for in section 56 of the Digital Economy Act
- UKRI will not onwardly disclose the information without the prior authorisation of HMRC other than what is provided for in section 56 of the Digital Economy Act
- comply with the requirements in the Security Policy Framework, and be prepared for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
- mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, and in particular as set out in the Annex – Security Controls Framework to the Government Security Classifications
Data file transfer
UK Research and Innovation and HMRC agree to:
- ensure that the data match input file is sent to HMRC by UKRI – the data must be sent by government secure email, password protected, with the password sent independently of the data
- ensure that the data match output file is sent by HMRC to UKRI – the data must be sent by government secure email, password protected, with the password sent independently of the data
Data processer and data owner
UKRI is the data controller when the data is within its estate. HMRC will act as data controller when the data is within its estate. This is using definitions as set out in the Data Protection Act (DPA) 2018.
Freedom of Information
All parties are subject to the requirements of the Freedom of Information (FOI) Act 2000, and will assist and cooperate with each other, to enable each to comply with its information disclosure obligations.
Where a Freedom of Information request is received by either party to this agreement, which relates to data that has been provided by other party, the party receiving the request will notify the other party to allow them the opportunity to make representation on the potential impact of disclosure.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
Costs
HMRC will recharge UKRI for the time taken to provide the data and the governance documents for UKRI to have the relevant data to assist in this project.
UKRI have confirmed that they have funds available for costs incurred by HMRC for this data share.
Disputes
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
Signatures
This content has been withheld because of exemptions in the Freedom of Information Act 2000.