Transparency data

Data Usage Agreement: A pilot to analyse vulnerable and overlapping debtors across a range of government departments and local authorities

Published 19 October 2023

This Data Usage Agreement to analyse vulnerable and overlapping debtors across a range of government departments and local authorities was approved and put in place in 2020.

1. Conditions of disclosure of information by HMRC

HMRC disclose this information to the following public authorities: Department for Work and Pensions (DWP), HM Courts and Tribunals Service (HMCTS), Legal Aid Agency (LAA), the Office of the Public Guardian (OPG), Student Loans Company (SLC); the following local authorities: Birmingham, Bolton, Bradford, Brighton and Hove, Cornwall, Ealing, Enfield, Islington, Lewisham, Liverpool, Manchester, Rotherham and Southwark, by virtue of the legal basis section 48 of the Digital Economy Act (DEA) for the purposes ‘to reduce debt owed to the public sector’ on the condition that the authorities listed above undertake to:

  • complete a Data Protection Impact Assessment (DPIA) which is required prior to the exchange proceeding - a DPIA has been completed by HMRC to go alongside this Data Usage Agreement (DUA; reference number 4382)
  • move, process and destroy data securely, in line with the principles set out in HM government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
  • only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information will have access to it
  • only keep it for the time it is needed, and then destroy it securely
  • not onwardly disclose that information without the prior authorisation of HMRC
  • comply with the requirements in the Security Policy Framework, and be prepared for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
  • mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications
  • adhere to the DEA code of practice and complete all relevant documentation and have ministerial approval
  • adhere to this DUA
  • comply with procedures as set out below

1.1 Purpose

This DUA relates to a pilot sponsored by the Cabinet Office’s debt team and led by HMRC, using the data sharing powers within the DEA 2017, part 5, chapter 4 and conducted by HMRC and a number of other public authorities, listed in Annex A.

The aims of the pilot are to:

  • achieve a better, more holistic understanding of the debt owed to government from vulnerable customers
  • an understanding on the crossover of vulnerable individuals and their debt across the participating authorities
  • inform a recommendation for additional pilots and next steps

The pilot will achieve this by analysing individual data from the public authorities listed below, in order to identify:

  • if HMRC debtors, and specifically vulnerable debtors, have debts with multiple public bodies
  • if debtors are recorded as vulnerable with other public bodies (using their own vulnerability definitions)

HMRC will compile and analyse the results and, in conjunction with the Cabinet Office, will write a report to be forwarded to the pilot authorities, the Cabinet Office and the Cabinet Office’s Fairness Group, who will lead in determining next steps.

1.2 Data specification

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

The data listed below will be shared with the authorities listed in Annex A using a password protected spreadsheet via secure email. Each email address will be checked by HMRC to ensure it is secure.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

The data supplied by HMRC to DWP will be:

  • HMRC unique identifier
  • National Insurance number

The data supplied by HMRC to HMCTS will be:

  • HMRC unique identifier
  • full name
  • title
  • first name
  • middle name or initials
  • surname
  • current address and postcode
  • National Insurance number
  • date of birth

The data supplied by HMRC to OPG will be:

  • HMRC unique identifier
  • full name
  • title
  • first name
  • middle name or initials
  • surname
  • current address and postcode
  • date of birth

The data supplied by HMRC to SLC will be:

  • HMRC unique identifier
  • full name
  • title
  • first name
  • middle name or initials
  • surname
  • current address and postcode
  • National Insurance number
  • date of birth
  • other address

The data supplied by HMRC to the local authorities will be:

  • HMRC unique identifier
  • full name
  • title
  • first name
  • middle name or initials
  • surname
  • current address and postcode
  • other address

Each local authority will match against their records and, for those matched customers, will add the information to the HMRC spreadsheet as follows:

  • match successful – yes or no (if match unsuccessful note reason, for example, no record held)
  • is the individual marked as vulnerable - yes/no
  • date vulnerable marker applied
  • has the customer a debt recorded - yes/no, if yes:
    • date of earliest debt
    • number of debts with your authority
    • amount
    • debt status, for example, ‘contacted’, ‘collected’, ‘broken plan’

Each authority will return the findings to HMRC, whose Knowledge, Intelligence and Analysis (KAI) team will collate all the data and produce an anonymised analysis report under the main headings as noted above.

Before returning the spreadsheet to HMRC, the authority will delete all individual identification data, for example, name, address, and so on, leaving only the unique and non-identifiable reference number, for example, HMRC 3261, to reduce the exposure of identifiable data.

All data will be securely transferred by email from a secure email address (each email address will be checked by HMRC to ensure it is secure).

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Local authorities will destroy the original HMRC file and any other files used in the matching process once the HMRC spreadsheet has been returned to HMRC and HMRC have confirmed its receipt. Local authorities will then confirm via email this has been done to the Cabinet Office.

HMRC will destroy the files used in matching and analysis once the analysis has been completed and the results have been checked for accuracy. HMRC will confirm the deletion with Cabinet Office. It is anticipated the pilot will last three months.

All colleagues employed by each local authority will have a business need to access the information. They will be limited to data analysts and debt recovery officers. All users within each local authority have signed data disclosure agreements and have, more recently, completed General Data Protection Regulation (GDPR) training.

Annex A – contains a list of all the authorities who will be taking part in this data share, the secure email address the data will be sent to and their signature.

Annex B – shows the individual data items that the authorities hold.

2. Annex A

2.1 Data file transfer with Department for Work and Pensions (DWP)

HMRC and DWP agreement

Ensure that the data match input file (data sent by HMRC) is sent to the inbox at DWP. Each email address will be checked by HMRC to ensure it is secure.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

HMRC is acting as the data controller (role under the data protection legislation, for example, data processor or data controller) until the data input file is received by DWP into their estate. DWP acts as the data controller (role under data protection legislation) while DWP information is being linked to that input file within DWP’s estate and when generating the output file. When the final output file sent by DWP is received on HMRC’s estate, HMRC becomes the data controller.

If a Freedom of Information (FOI) request relating to this information is made to DWP, their FOI team will engage with HMRC’s FOI team regarding the potential impact of disclosure.

There are no costs involved in this pilot.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

2.2 Data file transfer with HM Courts and Tribunal Service (HMCTS)

HMRC and HMCTS agreement

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

HMRC is acting as the data controller (role under the data protection legislation, for example, data processor or data controller) until the data input file is received by HMCTS into their estate. HMCTS acts as the data controller (role under the data protection legislation) while HMCTS information is being linked to that input file within HMCTS’s estate and when generating the output file. When the final output file sent by HMCTS is received on HMRC’s estate, HMRC becomes the data controller.

If an FOI request relating to this information is made to HMCTS, their FOI team will engage with HMRC’s FOI team regarding the potential impact of disclosure.

There are no costs involved in this pilot.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

HMRC and LAA agreement

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

HMRC is acting as the data controller (role under the data protection legislation, for example, data processor or data controller) until the data input file is received by LAA into their estate. LAA acts as the data controller (role under the data protection legislation) while LAA information is being linked to that input file within LAA’s estate and when generating the output file. When the final output file sent by LAA is received on HMRC’s estate, HMRC becomes the data controller.

If an FOI request relating to this information is made to LAA, their FOI team will engage with HMRC’s FOI team regarding the potential impact of disclosure.

There are no costs involved in this pilot.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

2.4 Data file transfer with Office of the Public Guardian (OPG)

HMRC and OPG agreement

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

HMRC is acting as the data controller (role under the data protection legislation, for example, data processor or data controller) until the data input file is received by OPG into their estate. OPG acts as the data controller (role under the data protection legislation) while OPG information is being linked to that input file within OPG’s estate and when generating the output file. When the final output file sent by OPG is received on HMRC’s estate, HMRC becomes the data controller.

If an FOI request relating to this information is made to OPG, their FOI team will engage with HMRC’s FOI team regarding the potential impact of disclosure.

There are no costs involved in this pilot.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

2.5 Data file transfer with Student Loans Company (SLC)

HMRC and SLC agreement

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

HMRC is acting as the data controller (role under the data protection legislation, for example, data processor or data controller) until the data input file is received by DWP into their estate. SLC acts as the data controller (role under the data protection legislation) while SLC information is being linked to that input file within SLC’s estate and when generating the output file. When the final output file sent by SLC is received on HMRC’s estate, HMRC becomes the data controller.

If an FOI request relating to this information is made to SLC, their FOI team will engage with HMRC’s FOI team regarding the potential impact of disclosure.

There are no costs involved in this pilot.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

2.6 Data file transfer with local authorities

HMRC and local authorities’ agreement

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

Email addresses for the below local authorities have been withheld because of exemptions in the Freedom of Information Act 2000.

Birmingham

Bolton

Bradford

Brighton and Hove

Cornwall

Ealing

Enfield

Islington

Lewisham

Liverpool

Manchester

Rotherham

Southwark

HMRC is acting as the data controller (role under the data protection legislation, for example, data processor or data controller) until the data input file is received by the local authorities into their estate. The local authorities act as the data controller (role under the data protection legislation) while the local authorities’ information is being linked to that input file within the local authorities’ estate and when generating the output file. When the final output file sent by the local authorities is received on HMRC’s estate, HMRC becomes the data controller.

If an FOI request relating to this information is made to local authorities, their FOI team will engage with HMRC’s FOI team regarding the potential impact of disclosure.

There are no costs involved in this pilot.

This content has been withheld because of exemptions in the Freedom of Information Act 2000.

3. Annex B

This table shows which data each authority will use for matching purposes, a separate data spreadsheet will be required for organisation depending on what data they require to ensure the minimum amount of data is shared with each. For local authorities, only data relating to their local authority will be sent.

Data item/authority Full name Address Other address National Insurance number Date of birth
DWP N N N Y N
HMCTS Y Y N Y Y
LAA Y Y Y Y Y
OPG Y Y N N Y
Student Loans Company Y Y Y Y Y
Local authorities Y Y Y N N