Transparency data

Data Usage Agreement: HMRC use of Bounce Back Loan data to detect fraud

Published 19 October 2023

This Data Usage Agreement for HMRC use of Bounce Back Loan data for fraud detection was approved and put in place in 2022.

1. Conditions of disclosure of information by HMRC

British Business Financial Services Limited (BBFSL), a subsidiary of the British Business Bank plc (BBB), is appointed under a deed of authority and a services agreement as agent to the Secretary of State for the Department of Business, Energy and Industrial Strategy (BEIS) in relation to the administration of the Future Fund Scheme and various loan guarantee schemes created in response to the COVID-19 pandemic, including the Bounce Back Loan Scheme.

HMRC discloses this information to BBFSL by virtue of section 56 of the Digital Economy Act (DEA), which permits disclosure for the purpose of ‘taking of action in connection with fraud against a public authority’, on the condition that HMRC and BBFSL undertake the following:

  • complete a Data Protection Impact Assessment (DPIA)
  • adhere to the DEA Code of Practice and complete all relevant documentation and have ministerial approval
  • adhere to this Data Usage Agreement (DUA)

HMRC has completed a DPIA to go alongside this DUA. BBFSL has completed its own DPIA to consider the handling of HMRC information.

1.1 Purpose

The purpose of this data share pilot is to enable the sharing of information by HMRC to BBFSL, where HMRC has reasonable concerns of likely fraudulent activity by a number of entities and associates.

The aim of this pilot is to enable BBFSL to investigate potentially fraudulent activity within the Future Fund and the Bounce Back Loan Scheme and take appropriate action.

1.2 Data specification

The information shared by HMRC will include information about individuals, businesses, and their trading and financial affairs in bank statements, financial records, business records and communications. It follows that the information will contain personal data, including director names, business addresses and email addresses.

1.3 Lawful basis

Under section 18 (1) of the Commissioners for Revenue and Customs Act (CRCA) 2005, HMRC is bound by a strict duty of confidentiality, meaning that HMRC officers may not disclose information HMRC holds for its functions. However, HMRC information may be disclosed where one of the statutory exceptions in section 18 (2) CRCA 2005 applies or where disclosure is permitted under any other enactment pursuant to section 18 (3) CRCA 2005.

Any person who discloses HMRC information which identifies a taxpayer without a lawful basis to do so under either section 18 (2) or (3) of CRCA 2005 potentially commits a criminal offence of wrongful disclosure pursuant to section 19 CRCA 2005. A person found guilty of an offence may receive an unlimited fine, imprisonment of up to 2 years, or both.

In this particular case, disclosure is permitted by virtue of part 5, chapter 4 of the Digital Economy Act (DEA) 2017 and in particular section 56. This permits disclosure between specified persons for the purposes of taking action in connection with fraud against a public authority.

Specified persons for the purposes of section 56 powers are set out in schedule 8 of the DEA 2017 and include HMRC at paragraph 14, and also include a person providing services to a specified person under paragraph 41. In this case, BBB is a wholly government-owned bank with oversight and direction provided by the Secretary of State for BEIS. Its subsidiary, BBFSL, is appointed as agent by BEIS to administer both the Bounce Back Loan Scheme and Future Fund Scheme on its behalf. BEIS is a specified person by virtue of paragraph 6 of schedule 8 DEA 2017.

1.4 Data security

BBFSL will undertake in relation to the information provided to BBFSL hereunder to:

  • move, process and destroy data securely i.e. in line with the principles set out in HM Government, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
  • only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information (linked to the purpose) will have access to it
  • store the data in a secure folder in a shared drive with restricted access to members of the team who are directly involved in the data share and only keep it for the time it is needed, and then destroy it securely on agreement of all parties
  • not onwardly disclose HMRC information without the prior authorisation of HMRC other than what is provided for in section 56 of the Digital Economy Act
  • restrict access to the information by applying additional access restrictions to the designated storage point
  • comply with the requirements in the Security Policy Framework, and be prepared for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to the information provided to BBFSL hereunder
  • mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications (GSC), and in particular as set out in the Annex – Security Controls Framework to the GSC

1.5 Security incidents

In the event that BBFSL becomes aware of a suspected or actual incident affecting the confidentiality, integrity and availability of the HMRC information in its possession or control, BBFSL will report the incident through its incident procedure.

1.6 How data will be shared

HMRC will share the data using secure means, via the Secure Data Exchange Service (SDES).

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

The path of data transfer is described below:

  • HMRC compiles a data file containing documentation and communications relating to specific businesses and individuals
  • HMRC uploads this file to SDES, a secure transfer system for BBFSL to access

This is a one-off data share.

BBFSL will save the documents to a designated folder that will have additional access controls to restrict access to designated individuals from BBB and PriceWaterhouseCoopers (PwC). PwC is contracted as a data processor, to administer the Future Fund and Bounce Back Loan Scheme under BBFSL’s instruction.

Information will, where appropriate, be shared with BBFSL’s external legal advisers who are advising BBFSL on the investigation.

1.7 Data retention

HMRC data that has been shared as part of the pilot will be retained in accordance with BBB’s data retention policy or as specified in the Code of Practice. Shared data will be kept separate and recognisable to enable deletion at the end of the pilot.

If the HMRC information supports any fraud concerns, BBFSL will discuss with HMRC what data needs to be retained, for how long, and regularity of review periods to confirm if data is still required to be retained. BBFSL will delete the information 6 months after the last action and confirm its deletion in writing to HMRC.

If HMRC information does not help identify fraud concerns, BBFSL will delete the information within 6 months and confirm in writing to HMRC that this has taken place.

1.8 Data Usage Agreement review

This Data Usage Agreement is anticipated to last for 6 months, at which point it will be reviewed to determine whether the pilot needs to continue for a further period of time.

1.9 Data controllers and data processors

HMRC and BBFSL act as separate data controllers. HMRC will be data controller whilst the data is on its estate. BBFSL will be data controller once the data is received on its estate. PwC are a data processor acting on the instructions of BBFSL.

1.10 Freedom of Information (FOI) and Subject Access Requests (SAR)

HMRC and BBB/BBFSL are subject to the Freedom of Information Act 2000, and will assist and cooperate with each other, to enable each to comply with its information disclosure obligations.

Where an FOI request is received by a party to this agreement, which relates to data that has been provided under this agreement, the party receiving the request will notify the other relevant party to allow them the opportunity to make representation on the potential impact of disclosure.

BBB FOI mailbox

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Data subjects are entitled to exercise their data subject rights when their personal data is processed. Where either party receives a data subject request, the party receiving the request will, where appropriate to do so, notify the other relevant party to allow them the opportunity to make representation on the potential impact of disclosure.

BBB

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

1.11 Costs

If appropriate, HMRC will recharge BBFSL for the time taken to provide the data and the governance documents for Cabinet Office to have the relevant data to assist in this project.

1.12 Disputes

This content has been withheld because of exemptions in the Freedom of Information Act 2000.