Data Usage Agreement: Welsh Government and HMRC Economic Resilience Fund
Published 19 October 2023
This Data Usage Agreement for the Welsh Government and HMRC Economic Resilience Fund pilot was approved and put in place in 2021.
1. Conditions of disclosure of information by Welsh Government
Welsh Government disclose this information to HMRC by virtue of the legal basis of the Digital Economy Act (DEA) 2017 for the purposes of detection and prevention of fraud on the condition that HMRC undertake to act as data controller and complete a Data Protection Impact Assessment (DPIA) prior to the exchange proceeding: HMRC DPIA reference number - 8269 Data of DPIA - 18 June 2021
1.1 Introduction
HMRC is undertaking a wider project to gather data from all grant awarding bodies in England, Scotland, Wales and Northern Ireland responsible for supporting businesses through the COVID-19 pandemic.
The grant payments are confirmed by statute to fall within the scope of income and corporation tax and should be reported as income within the relevant accounting period, failure to do so may constitute fraud.
In total there are 373 data holders across the UK and Northern Ireland; local authorities in England, Scotland and Wales, plus two Northern Ireland offices and the Welsh government which administers the Economic Resilience Fund (ERF) and Creative Recovery Fund (CRF).
In total, central government funding made available through the devolved nations/regions exceeds £21 billion and support schemes continue in the current financial year.
The Welsh Government launched additional funding schemes for businesses in Wales through a combination of grants and loans. By April 2021 the total funding made available by the Welsh Government was approx. £700 million to more than 60,000 businesses. HMRC will seek data relating to Economic Resilience Fund and Creative Recovery Fund grants of approx. £300 million to more than 30,000 Welsh businesses. The balance of payments are loans by Welsh Government which aren’t being shared.
With access to entity level data from all central and regional COVID-19 support grants, HMRC can identify fraud and error in the business population and ensure equity of treatment for all business across the UK.
1.2 Legal basis
HMRC and the Welsh Government will agree, by means of this data usage agreement, the detail for the exchange of relevant data using the 2017 Digital Economy Act. All parties being listed under schedule 8 for the purposes of the fraud provisions.
Both parties have documented the exchange using the government data protection impact assessment (DPIA) which will include reference to secure storage, retention and usage. Each department has prepared a separate DPIA.
1.3 Procedure
In order to assure its compliance functions and strategy, HMRC needs access to all this data at an entity level to have a complete picture of the level of financial support provided by HMRC (job retention scheme/self employment income support scheme) plus those grant schemes administered regionally.
Fraudulent attacks on HMRC schemes are well publicised and the regions have identified numerous abusive claims so it’s essential government takes a holistic view of central funding to identify and mitigate fraud.
With access to all the relevant data from central grant schemes HMRC will be in position to assure the integrity of tax returns filed, prevent online fraudulent return submissions, identify tax returns with understated income and initiate appropriate investigations.
Without access to ERF/CRF grant data HMRC would have an incomplete picture of the grants received by businesses in Wales and wouldn’t be in position to identify and correct fraudulent declarations by Welsh businesses.
HMRC will have complete data for the rest of the UK, to ensure equity of treatment for all businesses through a level playing field is essential.
HMRC will align the ERF/CRF data with all other government funding by networking the data into ‘connect’, to develop an integrated compliance response to address fraud within the UK/Northern Ireland business populations and to promote future compliance. The total value of grants paid to each UK business will be aggregated and compared to the turnover reported on the matched business tax returns submitted to HMRC. Cases of under-reported income will be investigated and additional tax liabilities assessed.
The data share will be undertaken via secure transfer mechanism, being Welsh Governments ‘ishare connect’ platform.
The ERF/CRF data to be shared by the Welsh Government will include details of individual payments to businesses:
- business name, address and postcode
- VAT number
- Companies House number
- business telephone
- business email
- bank account sort code
- bank account number
- amount of payment
- Welsh Government internal reference (for verification purposes)
The fields such as tax identifications, bank details and contact details are to ensure HMRC matches the grant recipient to the correct entity in HMRC systems.
The data sharing agreement will be signed by both parties before data exchange takes place during August 2021.
This is a one-off file transfer in 2021. Subject to evaluation a further data share may be repeated in 2022 or as long as the Welsh Government continues to provide financial support to businesses. Any subsequent data share will not be covered by this DUA, it will require completion of a separate process Memorandum of Understanding (MOU).
HMRC will provide a report to the Welsh Government detailing the findings from the analysis of the data matched into HMRC systems including the match rate, indicative risks identified and level of compliance within the population in receipt of ERF/CRF grants.
The Welsh Government have expressed a preference for using an aligned version of this DUA known as a data disclosure agreement (DDA). The DUA is has been presented to and approved by the Cabinet Office review board. Cabinet Office secretariat are aware of the parallel document held by Welsh Government, the two are aligned so it hasn’t been necessary to submit separate documents.
1.4 Security and assurance
HMRC and Welsh Government agree to:
- move, process and destroy data securely i.e. in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
- only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information will have access to it
- only keep it for the time it is needed, and then destroy it securely
- not onwardly disclose that information without the prior authorisation of Welsh Government
- comply with the requirements in the Security Policy Framework, and be prepared for and respond to Security Incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
- mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, and in particular as set out in the annex – Security Controls Framework to the Government Security Classifications
- use the Welsh Government gateway for data sharing ‘objective connect’ secure file transfer platform to provide the data to HMRC’s data acquisition and exchange team
- as defined by the data protection legislation the Welsh Government is acting as the data controller, HMRC is also acting as the data controller for data received from Welsh Government, with responsibilities reported on DPIA’s prepared by each department
- if a Freedom of Information (FOI) request relating to this information is made to HMRC their FOI team will engage with the Welsh Government FOI team regarding the potential impact of disclosure
There will be no charge by Welsh Government to HMRC for the data.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.