Data Usage Agreement: pilot to prevent and investigate fraud for the Department for Education
Published 30 April 2024
This Data Usage Agreement between HMRC and the Department for Education (DfE) was agreed and put in place in 2022.
1. Conditions of disclosure of information by HMRC
HM Revenue and Customs (HMRC) disclose this information to the DfE by virtue of the legal basis of section 56 of the Digital Economy Act (DEA) disclosure taking of action in connection with fraud against a public authority on the condition that HMRC is permitted to undertake to:
-
complete a Data Protection Impact Assessment (DPIA)
-
adhere to the DEA Code of Practice and complete all relevant documentation and have ministerial approval
-
adhere to this Data Usage Agreement (DUA)
A DPIA has been completed by the DfE. A DPIA has been completed by HMRC to go alongside this DUA.
A DPIA is required prior to the exchange proceeding.
DPIA reference number is 8828.
Date of the DPIA is 1 November 2021.
HMRC Records of Processing Activity (ROPA) is an inventory of all HMRC’s major processing activities involving personal data and is to be created or revised if setting up or reviewing an exchange.
1.1 Purpose
This is a pilot project building on the 2019 Transaction Protection discovery. The discovery identified the potential to reduce cross-government fraud and data theft by enabling the sharing of access to and data resulting from the use of attribute validation and risk scoring services.
Transaction analysis is a capability that has many potential applications. The financial sector has invested significantly in transaction analysis to counter fraud and other financial crime. Large UK government departments like HMRC, DfE, Department for Work and Pensions (DWP), Driver and Vehicle Licensing Agency (DVLA), National Health Service (NHS) and Ministry of Justice (MOJ) are investigating and applying transaction analysis to their online services to:
- more effectively detect and prevent fraud and other crime
- encourage digital adoption of services
- deliver a better more consistent end user experience
- build confidence that the user is who they say they are
- build confidence that the user is who we think they are
- gain economy of scale through third party relationships
The DfE have agreed to take part in a proof of concept in order to determine whether the sharing of data and insights leads to an improved ability to detect and prevent fraud.
1.2 Data specification
Validation services
Address lookup provides the ability to search for and filter address data with a postcode and door number.
Bank account reputation allows the calling service to check the validity of a sort code, whether the account number maps back to it, if the name provided matches the name on the account and the types of transactions accepted by the account. This is done via a third party provider (SurePay on behalf of NatWest) of a Confirmation of Payee (CoP) service and another third party provider (Vocalink) who provide the Extended Industry Sort Code Directory (EISCD).
Risking services
Risking Application Programming Interface (API) is an API that will generate a risk score for an attribute (address or bank account) based on the associated data that we hold. We’ll then provide the score alongside an explanation of how it was generated without revealing the actual data used.
Outcome API will be for users of the risking API to provide the outcome of any investigations where a risk score was provided, as well as providing an explanation of how they reached that outcome. This should help us to establish how they are investigating fraud, whether there are hints and tips we can gain, understand alternative methods of investigation and understand the weight carried by our risk score.
1.3 Data security
The Department for Education will undertake to:
- move, process and destroy data securely in line with the principles set out in Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
- only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need (linked to purpose) to access, handle, transfer, use or see the information will have access to it
- not onwardly disclose the information without the prior authorisation of HMRC other than what is provided for in section 48 of the DEA
- comply with the requirements in the Security Policy Framework, and be prepared for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to information as soon as possible and always within 48 hours of discovery of the incident
- mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications and in particular as set out in the Annex – Security Controls Framework to the Government Security Classifications
1.4 Data processer and data owner
HMRC is the data controller when the data is within its estate. HMRC will act as a data processor on behalf of the DfE. The DfE will act as data controller when the data is within its estate. This is using definitions as set out in the Data Protection Act (DPA) 2018.
1.5 Freedom of Information
If a Freedom of information (FOI) request relating to this information is made to the DfE, their FOI team will engage with HMRC’s FOI team regarding the potential impact of disclosure.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
1.6 Costs
HMRC will cover its own costs in relation to supporting the integration with its APIs and the DfE will cover its own costs.
There are no third party costs involved in the use of:
- address lookup
- risking API
- outcomes API
Because of this, no further costs will be incurred on a per request basis.
The Bank Account Verification API calls out to a third-party service in order to validate the account details, and therefore there is a per request charge incurred of 6 pence per transaction.
HMRC will pass through the third party Bank Account Reputation Service (BARS) transaction charges of 6 pence per transaction to the DfE and the DfE have agreed to reimburse these charges.
Based on expected volumes of 45,000 checks per year, transaction costs for the pilot will be £1350. More checks may be conducted as required.
1.7 Disputes
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
1.8 Signatures
This content has been withheld because of exemptions in the Freedom of Information Act 2000.