In August 2010, the Audit Commission was targeted for abolition. At that time, I asked “who would get the Commission’s data matching powers?”. Two years later we have part of the answer: the Secretary of State (SoS) responsible for Local Government.
In a draft Audit Bill published last week, Eric Pickles (the current SoS) is suggesting he be given wide-ranging data matching powers that cover all local government functions (and all public bodies that deliver local government functions – this could include some contractors but not all). These data matching powers could wildly exceed what the Audit Commission have at the moment.
Although the main purpose of data matching is limited to any type of fraud, the proposed clause 91 contains powers to add further data matching purposes and Local Government public bodies subject to data matching arrangements. This open-ended provision places no limit on the data matching arrangements for Local Government.
My reading of the draft legislation is that the Audit Commission’s data matching powers that relate to benefit fraud committed by employees working for the NHS or Police still need to find a home. One can now presume that the Secretary of State for Health and the Home Secretary could get them and that new legislation is needed.
So if the Home Secretary drafts data matching legislation to transfer the Audit Commission’s current powers, do you think that legislation will be limited to benefit fraud and police payrolls? Very unlikely in my view, so I am throwing down a marker for a possible future privacy battle over data matching and the replacement for Schedule 7 of the Serious Crime Act 2007.
The Secretary of State is going to produce a Code of Practice that governs data matching in Local Government. In other words, the data controller doing the data matching is going to identify the procedures and rules that meet the requirements of the Data Protection Act that protect individuals. The Code is not a statutory one and there is no penalty for non-compliance with the Code’s provisions.
Quite frankly, this is unacceptable. Although there is “consultation” about the content of the Code (e.g. with the Commissioner), I don’t think this works.
Firstly, the fact that one “consults” with someone does not mean that one follows the advice given. So if the Information Commissioner were to come up with a serious objection, what the Commissioner says could, in theory, be ignored.
The second objection is more fundamental. What you have in data matching is a balance. On one side there is the invasion of privacy for whatever reason (e.g. anti-benefit fraud has substantial public support), and on the other, the protection of the privacy of the individual whose personal data are matched.
I contend that a Code of Practice produced by the organisation that actually does the privacy invading cannot deliver the correct balance because instinctively, the organisation producing the Code is on the side of privacy invasion.
To achieve a sustainable balance, what should happen is that the Code of Practice has to be produced independently (e.g. by the Commissioner) and that this Code has to be a statutory one so that the Courts take it into account if there is any failure to meet the expected standards.
Let me provide an example. The notes to the draft Audit Bill stated that “The National Fraud Initiative has been very successful, enabling participants to detect £919m in fraud, errors and overpayments since 1996”. Take a note of that number – it is about £61 million per year and not the billions often quoted by Ministers in relation to benefit fraud.
The reason for this discrepancy is that the Department of Work and Pensions assume that any detected fraud has been going on for 32 weeks, so it multiplies the weekly fraud by that number. In this way £61 million per year transmutes into £1.8 billion!
As an aside, the 27th Report of the Public Accounts Committee in 1997/98 noted that “The 32-week multiplier at the heart of the weekly benefit savings calculations may distort reported levels of fraud, detected, and it does not reflect the actual savings to the public purse achieved by fraud detection”. All I would add is that the Audit Commission figure measures actual savings.
Why am I raising this? Well, suppose it costs Mr Pickles £65 million to do all the data matching, and suppose you are a civil servant doing a cost-benefit report to justify your Department’s data matching operations.
Which headline would you choose for the report: “Data matching saves £1.8 billion” or “Data matching loses £4 million”? I bet it is the former. And that is why this Code of Practice has to be independently drafted by someone who is not the Secretary of State.
Who gets the Audit Commission’s privacy invasive powers? http://amberhawk.typepad.com/amberhawk/2010/08/data-protection-who-gets-the-audit-commissions-privacy-invasive-powers.html
Public accounts committee on benefit fraud: http://www.publications.parliament.uk/pa/cm199798/cmselect/cmpubacc/366xxvii/pa2705.htm
If readers are looking for detail of the types of “public bodies” that could be involved, see a House of Lords judgment http://www.publications.parliament.uk/pa/ld200607/ldjudgmt/jd070620/birm-1.htm (where a contracted out care home was not a public body).