Data Usage Agreement: exploring potential fraud in the Help to Buy scheme
Published 19 October 2023
This Data Usage Agreement for exploring potential fraud in the Help to Buy scheme was agreed and put in place in 2018.
1. Conditions of disclosure of information by HMRC
Homes England (previously the Homes and Communities Agency) is a non-departmental government body reporting to the Ministry for Housing, Communities and Local Government under the provisions of sections 46 to 48 of the Housing and Regeneration Act 2008.
Homes England will provide a sample of 3,854 Help to Buy application records to HMRC as a one-off exercise. HMRC will disclose information on applicant economic circumstance to Homes England for investigation by virtue of section 56 of the Digital Economy Act 2017 - for the purposes of combatting fraud against the public sector - and to the Cabinet Office (anonymised) for analytical purposes by virtue of section 74 of the Digital Economy Act 2017.
The legal gateway was approved by HMRC on 5 July 2018.
1.1 Definitions
Agreed purposes: as set out in clause 2 of this agreement.
Controller, data controller, processor, data processor, data subject, personal data, processing and appropriate technical and organisational measures: as set out in the data protection legislation.
Data protection legislation: all legislation and regulatory requirements in force from time to time relating to the use of personal data and the privacy of electronic communications, including, without limitation, the Data Protection Act 2018 and the General Data Protection Regulation ((EU) 2016/679).
Permitted recipients: the parties to this agreement, the employees of each party required to perform the agreed purposes, any third parties engaged to perform obligations in connection with this agreement as agreed by the parties.
Shared personal data: the personal data to be shared between the parties set out in clause 3 of this agreement.
1.2 Purpose
With a Help to Buy equity loan, Homes England lends a purchaser up to 20% (40% in London) of the cost of their prospective property. The Help to Buy loan is a second charge loan, with a qualifying lender providing the main mortgage (75% outside of London, 55% in London) and the customer providing the deposit (minimum 5%).
Homes England wishes to conduct a pilot to explore the potential risk of fraud and error relating to the following eligibility criteria:
- applicants must not borrow in excess of 4.5 times their household income (single or joint)
- applicants must not own any other residential properties at the point of purchase
This pilot will therefore help to identify instances of fraud by mis-declaration (relating to the over-inflation of household income) and fraud by omission (relating to the failure to adequately declare the extent of existing property ownership).
In instances where an applicant has over-inflated their household income, Homes England would like to further explore economic circumstance. This will help them to understand the extent to which the applicant has placed themselves in a position of financial hardship by accruing additional debt from the government, and any risks that Homes England are subsequently exposed to (for example, in the event of debt recovery).
1.3 Data specification
Annex A contains the data specification for the Help to Buy scheme (provided by Homes England).
Annex B contains the HMRC data specification and matching methodology.
1.4 Data security
- move, process and destroy data securely, in line with the principles set out in His Majesty’s Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
- only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information will have access to it
- only keep it for the time it is needed, and then destroy it securely
- not onwardly disclose that information without the prior authorisation of HMRC other than provided for in section 57 of the Digital Economy Act
- comply with the requirements in the Security Policy Framework, and be prepared for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
- mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, and in particular as set out in the Annex – Security Controls Framework to the GSC
- comply with ICO standards relating to data security breaches and follow due procedure when reporting and investigating breaches of this nature
1.5 Data flow
An overview of the data flow is provided as per Annex C.
This content has been withheld because of exemptions in the Freedom of Information Act 2000
Ensure that the data match outputs for the Homes England file are sent by HMRC to Cabinet Office. The data must be anonymised.
1.6 Data protection
All parties agree that HMRC and Homes England are each separately a data controller, as defined by the data protection legislation, for the personal data they provide to meet the agreed purposes.
Each party shall comply with all obligations imposed on a controller under the data protection legislation.
Each party shall:
- process the shared personal data only for the agreed purposes
- not disclose or allow access to the shared personal data to anyone other than the permitted recipients
- ensure that all permitted recipients are subject to written contractual obligations concerning the shared personal data (including obligations of confidentiality) which are no less onerous than those imposed by this agreement
- notwithstanding the measures at clause 4, ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- not transfer any personal data received from any party outside the EEA unless the transferor ensures that:
  - the transfer is to a country approved by the European Commission as providing adequate protection pursuant to article 45 GDPR
  - there are appropriate safeguards in place pursuant to article 46 GDPR
  - one of the derogations for specific situations in article 49 GDPR applies to the transfer
Each party shall assist the other in complying with all applicable requirements of the data protection legislation. In particular, each party shall:
- promptly inform the other party about the receipt of any data subject access request
- provide the other party with reasonable assistance in complying with any data subject access request
- not disclose or release any shared personal data in response to a data subject access request without first consulting the other party wherever possible
- assist the other party, at the cost of the other party, in responding to any data request from a data subject and in ensuring compliance with its obligations under the data protection legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators
- notify the other party without undue delay on becoming aware of any breach of the data protection legislation
- delete or return shared personal data and copies thereof to the other party in accordance with clause 5 or on termination of this agreement unless required by law to store the personal data
1.7 Freedom of Information
All parties agree that if a Freedom of Information (FOI) request relating to this information is made to any party, their FOI team will engage with the other parties’ FOI team regarding the potential impact of disclosure.
All parties agree that the responsibility and final decision on responding under FOI lies with the party that received the request for information.
No umbrella memorandum of understanding applies to this data usage agreement as this is a one-off proof of concept.
Any disputes and/or breaches relating to this information transfer should be reported to Homes England and HMRC.
This content has been withheld because of exemptions in the Freedom of Information Act 2000
2. Annex A
2.1 Applicant data
Attribute | Key or filter |
---|---|
unique reference | key |
current application stage | filter |
date of application | key |
applicant status | filter |
forename(s) | key |
surname | key |
date of birth | key |
applicant address line 1 | key |
applicant address line 2 | key |
applicant address line 3 | key |
applicant address line 4 | key |
application postcode | key |
lead applicant owns a residential property? | filter |
lead applicant basic employment income | filter |
lead applicant total overtime, bonuses and commission | filter |
lead applicant student loan payment | filter |
lead applicant other gross salary deductions | filter |
lead applicant working tax credits monthly amount | filter |
lead applicant child tax credits monthly amount | filter |
lead applicant child benefit monthly amount | filter |
lead applicant disability allowance monthly amount | filter |
lead applicant guaranteed maintenance income monthly amount | filter |
lead applicant other income monthly amount | filter |
lead applicant monthly loan/hire purchase payments | filter |
lead applicant outstanding credit card balances | filter |
lead applicant monthly service charge | filter |
joint applicant owns a residential property? | filter |
joint applicant basic employment income | filter |
joint applicant total overtime, bonuses and commission | filter |
joint applicant student loan payment | filter |
joint applicant other gross salary deductions | filter |
joint applicant working tax credits monthly amount | filter |
joint applicant child tax credits monthly amount | filter |
joint applicant child benefit monthly amount | filter |
joint applicant disability allowance monthly amount | filter |
joint applicant guaranteed maintenance income monthly amount | filter |
joint applicant other income monthly amount | filter |
joint applicant monthly loan / hire purchase payments | filter |
joint applicant outstanding credit card balances | filter |
joint applicant monthly service charge | filter |
2.2 Purchased property data
Attribute | Key or filter |
---|---|
purchase property address line 1 | key |
purchase property address line 2 | key |
purchase property address line 3 | key |
purchase property address line 4 | key |
purchase property postcode | key |
purchased property price | filter |
house type | filter |
number of beds | filter |
purchase property provider | filter |
help to buy loan issued amount | filter |
date issued of help to buy loan | filter |
qualifying mortgage lender | filter |
application conveyancer name | filter |
application conveyancer address line 1 | key |
application conveyancer address line 2 | key |
application conveyancer address line 3 | key |
application conveyancer address line 4 | key |
application conveyancer postcode | key |
3. Annex B
3.1 HMRC matching methodology and data output specification
Applicant link verification/fraud risk
Match the applicant (1 and 2) declared on the application to HMRC Risk and Intelligence Service (RIS) data at the point of application using name, address at point of application, and date of birth.
If the applicant (1 and 2) cannot be linked to the HMRC address at point of application (fraud risk indicator), then the matching process will seek to link them to purchased property address held in the HMRC data (HMRC may hold an updated address of the applicant since the application).
If the applicant (1 and 2) cannot be associated with a current/previous address.
3.2 Household composition
Where a link is identified, HMRC will provide details of applicant earnings at the point of application. This is proposed to include:
- tax year
- PAYE scheme reference
- starting declaration
- employer name
- start date
- leaving date
- latest payment date
- pay frequency
- pay in latest period
- taxable pay in period
- taxable pay in year to date
- pay after state deductions
- occupational pension
Where a link is identified, HMRC will provide details of applicant self-assessment. This is proposed to include:
- total income in current year
- Self Assessment employment flag
- whether self-employed (Y/N)
- self-employed income
- whether in employment (Y/N)
- SA100 - field 2 - self-employment (Y/N)
- SA100 - field 3 - self-employed partnership (Y/N)
- SA100 - field 4 - income from UK property (Y/N)
- SA100 - field 5 - foreign income (Y/N)
- SA100 - field 6 - trusts (Y/N)
- SA100 - field 7 - Capital Gains (Y/N)
- taxed UK interest
- untaxed UK interest
- untaxed foreign interest
- dividends from UK companies
- other dividends
- foreign dividends
Where a link is identified, HMRC will provide details of applicant benefits and credit. This is proposed to include:
- whether in receipt of tax credits (Y/N)
- whether in receipt of Working Tax Credit (Y/N)
- Working Tax Credit start date
- joint/single award
- total annual award amount
- status of the award
Where a link is identified, HMRC will also provide evidence of property ownership at the point of application and at present date. This is proposed to include:
- number of properties rented out
- total rents and other income from property
- the number of properties in the land registry data held by the individual (current)
- whether the individual has paid Stamp Duty Land Tax (Y/N)
- date of transaction
- value of the property
- address of the property that stamp duty was paid
- current – whether the individual has paid Stamp Duty Land Tax (Y/N)
- date of transaction
- value of the property
- address of the property that stamp duty was paid
4. Annex C
4.1 Data flow
This content has been withheld because of exemptions in the Freedom of Information Act 2000
- HMRC RIS team undertake data matching (annex B).
- HMRC RIS team send the data matching output (annex B) to Homes England (as data owners) and to Cabinet Office (anonymised).
- Homes England review and investigate matches where the data indicates a risk of fraud by omission or by misdeclaration. The Cabinet Office undertakes analytics to quantify the fraud and error rate.
This content has been withheld because of exemptions in the Freedom of Information Act 2000