Section 97 - Data matching for detection of fraud etc.
473. Section 73 of, and Schedule 7 to, the Serious Crime Act 2007 provided the national audit agencies in England, Wales and Northern Ireland with the power to match data, and made statutory provision for an existing data-matching scheme known as the National Fraud Initiative. The National Fraud Initiative is a UK-wide data matching scheme conducted for the purpose of assisting in the prevention and detection of fraud.
474. Section 97 of this Act amends the Public Finance and Accountability (Scotland) Act 2000 (“the 2000 Act”) to provide equivalent provisions enabling the National Fraud Initiative to be carried out in Scotland on a statutory basis. The main amendment consists of the insertion by section 97(3) of this Act of a new Part 2A (Data Matching) into the 2000 Act consisting of sections 26A to 26G.
475. Section 26A(1) provides for Audit Scotland to carry out data matching exercises or to arrange for another organisation to do this on its behalf. Subsection (2) defines what a data matching exercise is. It involves the comparison of sets of data, for example, the taking of two local authority payroll databases and matching them. Matching exercises may identify fraudulent activity as having taken place. Subsection (3) defines the purposes for which a data matching exercise can be carried out. These purposes are assisting in the prevention and detection of fraud, assisting in the prevention and detection of crime other than fraud, and assisting in the apprehension and prosecution of offenders. Subsection (4) provides that data matching may not be used to identify patterns and trends in an individual’s characteristics or behaviour which suggest nothing more than his potential to commit fraud in future. This is designed to prevent Audit Scotland from creating individual "profiles" of future fraudsters.
476. Section 26B(1) provides that a person may disclose data to Audit Scotland for the purposes of a data matching exercise. This could include private sector bodies such as mortgage providers who wish to be part of the exercise. There is no compulsion on any of these bodies to take part in a data matching exercise. Subsection (2) provides that the disclosure of information does not breach (a) any duty of confidentiality owed by a person making the disclosure or (b) any other restriction on the disclosure of information, however imposed. Subsection (3) provides that nothing relating to voluntary provision of data authorises any disclosure which (a) contravenes the Data Protection Act 1998, or (b) is prohibited by Part 1 of the Regulation of Investigatory Powers Act 2000, or (c) allows the disclosure of data comprising or including patient data. Subsection (4) defines patient data as meaning data relating to an individual which is held for medical purposes and from which the individual can be identified. Subsection (5) defines medical purposes. Subsection (6) provides that this section does not limit the circumstances in which data may be disclosed apart from this section. Subsection (7) provides that data matching exercises may include data disclosed by a person outside Scotland.
477. Section 26C(1) enables Audit Scotland to require the disclosure of information to conduct a data matching exercise. Subsection (2) sets out which persons may be required to disclose data under subsection (1). They are those bodies whose accounts are subject to audit by the Auditor General, or are sent to him for auditing, local authorities, Licensing Boards and their officers, office-holders or members. Subsection (5) creates an offence and accompanying penalty for non-compliance with this requirement.
478. Section 26D sets out the circumstances in which information relating to a data matching exercise, including the results of such an exercise, may be disclosed by or on behalf of Audit Scotland, and the persons and bodies to whom the data may be disclosed. Subsection (6) imposes special restrictions on the disclosure of information if it includes patient data (as defined in subsection (7)). Subsection (8) places restrictions on the further disclosure of information disclosed under subsection (2) and allows the further disclosure in certain specified circumstances. Subsection (9) creates an offence of disclosing information where the disclosure is made other than as authorised by subsections (2) and (8), and sets out the penalty.
479. Section 26E(1) makes clear that Audit Scotland will be able to publish a report on its data matching exercises notwithstanding the limitation on disclosure as is provided under section 26D. Subsection (2) provides that a report that is published under section 26E may not include information relating to a particular person if (a) the person is the subject of any data included in the data matching exercise; (b) the person can be identified from the information; and (c) the data is not otherwise in the public domain. Subsection (3) provides that Audit Scotland may publish a report in such a manner as it considers appropriate for bringing it to the attention of those members of the public who may be interested. Subsection (5) preserves the existing powers of an auditor to publish information under Part 2 of the 2000 Act or Part 7 of the Local Government (Scotland) Act 1973.
480. Section 26F(1) provides that Audit Scotland must prepare and keep under review a code of data matching practice. Subsection (2) sets out that all those involved in this process must have regard to the code of data matching practice. Subsection (3) requires Audit Scotland to consult all those bodies or office holders who must provide data, the Information Commissioner, and such other bodies as Audit Scotland thinks appropriate before preparing or altering the code of data matching. Subsection (4) places a duty on Audit Scotland to publish the code from time to time.
481. Section 26G(1) provides a power for the Scottish Ministers to add public bodies to those listed in new section 26C(2) by order. The Scottish Ministers may also, by that subsection, modify the application of Part 2A to any body so added, and may remove bodies from section 26C(2). Subsection (2) provides that any order made under section 26G can include any incidental, consequential, supplemental or transitional provision the Scottish Ministers think fit. Subsection (3) defines the meaning of public body. Subsection (4) provides that a public body, whose functions are both public and private in nature, is a public body only to the extent of its functions which are public in nature.
482. Section 97(2) amends section 11 of the 2000 Act to allow Audit Scotland to impose, by Statute, reasonable charges in respect of the exercise of its functions in connection with a data matching exercise, and for these charges to be imposed on those who supply data for a data matching exercise and/or those who receive the results of such an exercise.