Chapter 1: Prevention of Fraud
Sharing information with anti-fraud organisations
Section 68: Disclosure of information to prevent fraud
234.Subsection (1) confers power on a public authority (defined in subsection (8)) to disclose information as a member of a specified anti-fraud organisation or otherwise in accordance with arrangements made by such an organisation (also defined in subsection (8)) for the purposes of preventing fraud. Subsection (2) provides that the information that may be so disclosed can be of any kind (subsection (2)(a)) and identifies the persons to whom it can be disclosed (subsection (2)(b)). Subsection (3) provides that such disclosure does not breach any obligation of confidence owed by the public authority, or any other restrictions on the disclosure of the information. Subsection (4) provides that the section does not authorise any disclosure in breach of the Data Protection Act 1998 or which is prohibited by Part 1 of the Regulation of Investigatory Powers Act 2000 (which regulates the interception of communications). Subsection (5) provides that nothing in the section authorises disclosure by a relevant public authority of information which relates to matters devolved to Scotland. Subsection (6) defines ‘relevant public authority’ for this purpose by reference to the Scotland Act 1998. Subsection (7) provides that the section does not limit the circumstances in which information may be disclosed apart from the power in the section (for example, disclosure by virtue of the common law). Subsection (8) defines ‘an anti-fraud organisation’ (that is, one which enables or facilitates sharing of information to prevent fraud); ‘information’; ‘public authority’ (which means any public authority under section 6 of the Human Rights Act 1998) and ‘specified’ (which means specified by an order by the Secretary of State: see section 85 for further provision about such orders).
Section 69: Offence for certain further disclosures of information
235.Subsection (1) makes it an offence to further disclose protected information in the circumstances set out in that subsection. Subsection (2) provides exemptions from the offence. Subsection (3) excludes from the offence cases where the information has been disclosed by a relevant public authority and the subject matter of it is within the legislative competence of the Scottish Parliament. Subsection (4) provides a defence to the offence if the person reasonably believed the disclosure was lawful or that the information had already and lawfully been made public. Subsection (5) defines ‘protected information’ as ‘revenue and customs information’ which reveals the identity of the person to whom it relates and any ‘specified information’ disclosed by a ‘specified public authority’ (these expressions are defined in subsection (7)). Subsection (6) defines revenue and customs information for the purpose of this section. Subsection (7) defines ‘Commissioners of Revenue and Customs’; ‘enactment’; ‘public authority’ (by reference to the definition in section 68); ‘Revenue and Customs’; ‘specified anti-fraud organisation’ (by reference to the definition in section 68); ‘specified information’ (that is, information specified or described in an order made by the Secretary of State) and ‘specified public authority’ (that is, a public authority specified in an order made by the Secretary of State: see section 89 for further provisions about such orders).
Section 70: Penalty and prosecution for offence under section 69
236.Subsection (1) provides that the maximum penalty for a person found guilty of the offence under section 69 is (a) on conviction on indictment, two years’ imprisonment, a fine, or both; or (b) on summary conviction, 12 months, a fine not exceeding the statutory maximum, or both. Under the transitional provision in paragraph 7 of Schedule 13, the period of 12 months is reduced to 6 months pending commencement in England and Wales and Scotland of provisions referred to in that paragraph. Subsection (2) provides that in England and Wales prosecutions for such an offence may only be begun with the consent of the Director of Public Prosecutions or, in the case of revenue and customs information disclosed by Revenue and Customs, by the Director of Revenue and Customs Prosecutions (established by section 34 of the Commissioners for Revenue and Customs Act 2005). Subsection (3) makes provision for prosecutions in Northern Ireland which are similar to those in England and Wales. Subsection (4) extends liability to certain officers of a body corporate and partners and senior officers of a partnership where the offence in section 69 is committed by a body corporate or a partnership (as the case may be). Subsection (5) reduces the maximum penalty for summary conviction of the offence in Northern Ireland from 12 months to 6 months. Subsection (6) defines terms used in the section.
Section 71: Code of practice for disclosure of information to prevent fraud
237.Subsection (1) requires the Secretary of State to prepare and keep under review a code of practice with respect to the disclosure, for the purpose of preventing fraud, of information by public authorities as members of specified anti-fraud organisations or otherwise in accordance with any arrangements made by such organisations. Subsection (2) requires the Secretary of State to consult any specified anti-fraud organisation, the Information Commissioner and other such persons as the Secretary of State considers appropriate when preparing or altering the code. Subsection (3) requires public authorities disclosing information for the purposes of preventing fraud, or a particular kind of fraud, as a member of a specified anti-fraud organisation to have regard to the code. Subsection (4) provides that nothing in this section applies in relation to any disclosure by a relevant public authority of information whose subject matter is a matter about which provision would be within the legislative competence of the Scottish Parliament if it were included in an Act of the Scottish Parliament. Subsection (5) requires the Secretary of State to lay a copy of the code and any alterations to it before Parliament and publish it. Subsection (6) explains that the definitions of ‘information’, ‘public authority’, ‘relevant public authority’ and ‘specified anti-fraud organisation’ have the same meaning as in section 68.
Section 72: Data protection rules
238.This section inserts a new paragraph in Schedule 3 to the Data Protection Act 1998 to allow processing of sensitive personal data through an anti-fraud organisation. The processing must be necessary for the purposes of preventing fraud. Schedule 3 to that Act sets out additional conditions, one of which must be satisfied where the personal data that is being processed is sensitive personal data (as defined by section 2 of that Act). That expression includes information as to the commission or alleged commission of an offence by the data subject. Sub-paragraph (2) defines “anti-fraud organisation” for the purposes of this paragraph. The new paragraph is not limited to sensitive personal data that is processed pursuant to section 68 and includes disclosure of information under common law or other powers. The anti-fraud organisation does not need to be specified under that section.
Section 73: Data matching and Schedule 7
239.This section gives effect to Schedule 7. Schedule 7 is divided into three Parts dealing with England, Wales and Northern Ireland. Paragraph 2 of Part 1 inserts a new Part 2A into the Audit Commission Act 1998.
240.Subsection (1) of new section 32A (as so inserted) provides for the Audit Commission to carry out data matching exercises or to arrange for another organisation to do this on its behalf. Subsection (2) defines what a data matching exercise is. It involves the comparison of sets of data, for example, taking two local authority payroll databases and matching them. Matches should not occur but if they do, fraudulent activity may be highlighted. Subsection (3) defines the purposes for which the powers in subsection (1) can be exercised. These purposes are assisting in the prevention and detection of fraud. Subsection (4) provides that such assistance may, but need not, form part of an audit. Subsection (5) provides that data matching may not be used to identify patterns and trends in an individual’s characteristics or behaviour which suggest nothing more than his potential to commit fraud in future. This is designed to prevent the Audit Commission from creating individual “profiles” of future fraudsters. Subsection (6) provides that in succeeding provisions of Part 2A, reference to a data matching exercise is to an exercise conducted or arranged to be conducted under section 32A.
241.Subsection (1) of new section 32B enables the Audit Commission to require the provision of information to conduct a data matching exercise. Paragraph (a) provides for any body as mentioned in subsection (2). Paragraph (b) provides for any officer or member of that body. Subsection (2) sets out which bodies may be required to provide data under subsection (1)(a). They are (a) those bodies subject to audit, (b) English best value authorities (not subject to audit). Subsection (3) creates an offence and accompanying penalty for non-compliance with subsection (1)(b). Subsection (4) provides for the Audit Commission to recover any expenses they incur in connection with proceedings for an offence under subsection (3) from the body concerned. Subsection (5) explains which bodies are covered by the term ‘English best value authority’.
242.Subsection (1) of new section 32C provides that where the Audit Commission think it appropriate, they may conduct a data matching exercise using data held by or on behalf of bodies not subject to new section 32B. It also provides that such a body may disclose data to the Audit Commission for those purposes. This could include central government departments and some private sector bodies such as mortgage providers. There is no compulsion on any of these bodies to take part in a data matching exercise. Subsection (2) provides that the disclosure of information does not breach (a) any obligation of confidence owed by a person making the disclosure or (b) any other restriction on the disclosure of information however imposed. Subsection (3) provides that nothing relating to voluntary provision of data authorises any disclosure which (a) contravenes the Data Protection Act 1998 or (b) is prohibited by Part 1 of RIPA 2000. Subsection (4) restricts disclosure under subsection (1) if the data comprise or include patient data. Subsection (5) provides a definition of patient data. Subsection (6) provides that this section does not limit the circumstances in which data may be disclosed apart from this section. Subsection (7) provides that data matching exercises may include data provided by a body or person outside England and Wales.
243.Subsection (1) of new section 32D explains which information this section applies to. That is, information obtained for a data matching exercise and the result of any such exercise. Subsections (2)-(4) provide the circumstances in which information may be disclosed by or on behalf of the Commission. Subsection (5) imposes restrictions on the disclosure of information if it includes patient data (as defined in subsection (6)). Subsection (7) places restrictions on the further disclosure of information disclosed under subsection (2). Subsection (8) creates an offence of disclosing information to which this section applies except as authorised by subsections (2) and (7) and sets out the penalty. Subsection (9) disapplies section 49 from information to which this section applies. Subsection (10) makes it clear that “body” will include office-holders for the purposes of section 32D.
244.Subsection (1) of new section 32E makes clear that the Audit Commission will be able to publish a report on its data matching exercises, notwithstanding the limits on disclosure under section 32D. Subsection (2) provides that a report that is published under section 32E may not include information relating to a particular body or person if (a) the body or person is the subject of any data included in the data matching exercise; and (b) the body or person can be identified from the information; and (c) the information is not otherwise in the public domain. Subsection (3) provides that the Audit Commission may publish a report in such a manner as the Audit Commission considers appropriate for bringing it to the attention of those members of the public who may be interested. Subsection (4) disapplies section 51 of the Audit Commission Act 1998 (which contains general powers for the Audit Commission to publish information). Subsection (5) preserves the existing powers of the appointed auditor to publish information under Part 2.
245.Subsection (1) of new section 32F sets out the duty on the Audit Commission to prescribe a scale (or scales) of fees in respect of the data matching exercises it conducts. Subsection (2) provides that bodies referred to in new section 32B(1) must pay the Audit Commission according to the scales in subsection (1). Subsection (3) provides for circumstances where the work involved in a data matching exercise is substantially more or less than the Audit Commission originally envisaged. The Audit Commission can charge the body a fee which can be larger or smaller than that referred to in subsection (2). Subsection (4) sets out requirements on the Audit Commission before they prescribe a scale of fees. This includes the Audit Commission consulting bodies mentioned in new section 32B(2). It also includes the Audit Commission consulting other bodies or persons as they think appropriate. Subsections (5) and (6) set out powers of the Secretary of State in relation to fee scales. Subsection (7) provides that the Audit Commission may charge a fee to other bodies providing information or receiving results for data matching (in addition to the power under subsection (2)) and the terms under which such a fee is payable. The Audit Commission will collect these fees to recover the costs of carrying out data matching exercises.
246.Subsection (1) of new section 32G provides that the Audit Commission must prepare and keep under review a code of data matching practice. Subsection (2) sets out that all those bodies and other persons involved in this process must have regard to the code of data matching practice. Subsection (3) requires the Audit Commission to consult all bodies identified in new section 32B(2), the Information Commissioner, and such other bodies as the Audit Commission thinks appropriate before preparing or altering the code of data matching. Subsection (4) places a duty on the Audit Commission: (a) to send a copy of the code (and any alterations made to it) to the Secretary of State, who must lay it before Parliament; and (b) to publish the code from time to time.
247.Subsection (1) of new section 32H provides for the Secretary of State to extend by order the purposes of data matching exercises (as set out in new section 32A(3)) beyond fraud and to modify the application of this Part accordingly. Subsection (2) defines those purposes. Subsection (3) provides for the Secretary of State to add public bodies to those listed in new section 32B(2) by order. The Secretary of State may also modify the application of Part 2A to any body so added, and may remove bodies from section 32B(2). Subsection (4) provides that any order made under section 32H can include any incidental, consequential, supplemental or transitional provision the Secretary of State may see fit. Subsection (5) defines the meaning of public body.
248.Paragraph 3 of Schedule 7 inserts new subsection (1A) into section 52 of the Audit Commission Act 1998. This provides that any orders made under section 32H must be approved by affirmative resolution of both Houses of Parliament.
249.Paragraph 4 of Schedule 7 inserts a new Part 3A into the Public Audit (Wales) Act 2004. This gives the Auditor General for Wales data matching functions corresponding to the functions given to the Audit Commission under new Part 2A of the Audit Commission Act 1998. The data matching functions of the Auditor General for Wales will apply in or with respect to Wales. The Secretary of State will have similar order-making powers to extend the purposes for which data matching may be carried out in Wales, and to add to the list of bodies which may be required to participate in data matching in Wales, subject to prior consultation with the Auditor General for Wales.
250.Paragraph 5 of Schedule 7 amends paragraph 9 of Schedule 8 to the Government of Wales Act 2006 to allow the Auditor General for Wales to retain income from data matching fees, rather than paying it into the Welsh Consolidated Fund. The income covered by the amendment is confined to fees charged to local government bodies in Wales.
251.Paragraph 6 of Schedule 7 inserts new articles into the Audit and Accountability (Northern Ireland) Order 2003. The new articles give the Comptroller and Auditor General for Northern Ireland data matching functions corresponding to the data matching functions of the Audit Commission and the Auditor General for Wales. The functions may be used, among other things, to assist the Comptroller and Auditor General for Northern Ireland and local government auditors in the exercise of their respective audit functions. The power to extend the purposes for which data matching may be carried out in Northern Ireland, and to add to the list of bodies which may be required to participate, will rest with the Department of Finance and Personnel in Northern Ireland.
252.Paragraph 7 of Schedule 7 inserts a reference to data matching in Article 6(5) of the Audit (Northern Ireland) Order 1987. This will ensure that any liability incurred by the Comptroller and Auditor General for Northern Ireland in relation to his data matching functions is charged on the Consolidated Fund of Northern Ireland.