The press coverage of last Friday’s unexpected announcement that the Audit Commission is to be abolished failed to mention a key data protection issue: who is going to inherit its data matching mantle? The answer is important because the Commission’s extensive, privacy-invasive, data matching powers were enacted by the last surveillance-addicted Government and extend well beyond a narrow benefit fraud remit.
Data matching involves comparing sets of personal data, such as the payroll or benefits records of a body, against other personal data held by the same or another public body to see how far they match. Bodies covered by these mandatory data matching arrangements (in Part 2A of the Audit Commission Act 1998) are local authorities, police authorities, probation authorities, fire and rescue authorities, pension authorities, NHS Trusts and strategic health authorities, primary care trusts, passenger transport authorities, national park authorities, and waste authorities.
Schedule 7 of the Serious Crime Act 2007 extended the range of organisations that could chose to be involved in data matching to any government department, housing association or private organisation. Additionally, that Act extended data matching from benefit fraud to include any of the Commission’s audit functions (e.g. efficiency of service delivery) and to debt recovery.
You can see now that these powers can cover most UK organisations and extend well beyond the purpose of benefit fraud - the purpose that gets all the publicity. No wonder the Coalition Government’s favoured partner in anti-benefit fraud, the Credit Reference Agencies, are licking their lips – especially if the purpose of data matching can also include debt recovery!
Who replaces the Audit Commission is important for another reason. The Commission is subject to a statutory data protection code of practice - which is not perfect, but will be abolished with the Commission. The Department for Work and Pensions (DWP) has its own Data Matching Service, but that is limited to benefit fraud so it is unlikely that the DWP will want to get involved in data matching that does not relate to benefits.
The National Audit Office (NAO) could do the job but it does no data matching currently. So to merely transfer the Audit Commission’s data matching functions to the NAO will not save a penny and undermines the justification for the Commission’s abolition.
In other words, the absence of a credible replacement data controller is a concern and such powers should not be transferred for use by another organisation (e.g. a Credit Reference Agency) without proper debate or scrutiny.
Even with benefit fraud, all is not what it appears. David Cameron has been widely reported of stating that there is £5.2 billion of fraud, error and overpayment in the system (fraud being £1.2 billion). Not reported is the fact that these vast sums are inflated by a multiplier which is best explained by the Government’s own official research:
Even the Audit Commission scales up its fraud-recovery effectiveness. The latest Annual Report of its anti-fraud activities states that the identified "£24 million" of detected benefit fraud is a number that has been “multiplied by 13”. Its pension fraud figure of £28 million saved from Local Authority Pension Schemes uses a multiplier arrived at by a “Cabinet Office formula”. This formula scales up the actual detected fraud by “the number of years the pensioner would have reached 90” (which is surprising given life expectancy in the UK is currently about 80 years).
The use of multipliers could very well be legitimate – I don’t know. But to quote figures in press releases and public statements without any indication that a multiplier has been used (or its value) is in my view, wholly misleading. For instance, it simply beggars belief that the Cabinet Office multiplier is reliable in connection with the true rate of pension fraud.
Also, the National Audit Office in 2008 estimated that benefit fraud represents 0.6% of the cost of the total benefit system (£0.8 billion) and this figure was falling year on year because of anti-fraud data matching activities. By contrast, more than twice the amount lost (about £1.9 billion) related to inaccurate personal data. This 2:5 ratio is also in the Prime Minister's numbers (see above) and suggests that resolving the data inaccuracies in the system is more than twice as important than those headline-catching benefit fraud initiatives.
No one is saying that data matching should not occur to counter fraud in the benefit system. However, there needs to be prior justification for the use wide ranging invasive powers, especially if they are to involve Credit Reference Agencies. There needs to be thorough examination and analysis with the measurement of outcomes to ensure the powers are needed and work effectively. There also needs appropriate checks and balances to ensure that when things go wrong, there is proper redress.
Additionally benefit fraud savings, when announced, have to be credible – I fear the numbers being bandied about at the moment are inflated for political purposes.
Finally, the data matching powers granted to the Audit Commission were enacted by the last Government who raised two fingers to anybody who expressed issues like those mentioned in the paragraphs above. It would be disappointing if the Coalition Government were to traverse the same path.
Marketing: We have a set of Data Protection courses (Edinburgh commencing in next week and in Manchester late September). Our next FOI course is in London (commencing 20th September) and in Leeds (commencing 19th October). Update sessions (at £95+VAT is a snip). We also have onsite courses on RIPA and CCTV. Details on www.amberhawk.com.
Data matching involves comparing sets of personal data, such as the payroll or benefits records of a body, against other personal data held by the same or another public body to see how far they match. Bodies covered by these mandatory data matching arrangements (in Part 2A of the Audit Commission Act 1998) are local authorities, police authorities, probation authorities, fire and rescue authorities, pension authorities, NHS Trusts and strategic health authorities, primary care trusts, passenger transport authorities, national park authorities, and waste authorities.
Schedule 7 of the Serious Crime Act 2007 extended the range of organisations that could chose to be involved in data matching to any government department, housing association or private organisation. Additionally, that Act extended data matching from benefit fraud to include any of the Commission’s audit functions (e.g. efficiency of service delivery) and to debt recovery.
You can see now that these powers can cover most UK organisations and extend well beyond the purpose of benefit fraud - the purpose that gets all the publicity. No wonder the Coalition Government’s favoured partner in anti-benefit fraud, the Credit Reference Agencies, are licking their lips – especially if the purpose of data matching can also include debt recovery!
Who replaces the Audit Commission is important for another reason. The Commission is subject to a statutory data protection code of practice - which is not perfect, but will be abolished with the Commission. The Department for Work and Pensions (DWP) has its own Data Matching Service, but that is limited to benefit fraud so it is unlikely that the DWP will want to get involved in data matching that does not relate to benefits.
The National Audit Office (NAO) could do the job but it does no data matching currently. So to merely transfer the Audit Commission’s data matching functions to the NAO will not save a penny and undermines the justification for the Commission’s abolition.
In other words, the absence of a credible replacement data controller is a concern and such powers should not be transferred for use by another organisation (e.g. a Credit Reference Agency) without proper debate or scrutiny.
Even with benefit fraud, all is not what it appears. David Cameron has been widely reported of stating that there is £5.2 billion of fraud, error and overpayment in the system (fraud being £1.2 billion). Not reported is the fact that these vast sums are inflated by a multiplier which is best explained by the Government’s own official research:
“These savings (from fraud) represent notional rather than actual amounts of money saved since the weekly benefit of someone who is caught committing fraud is multiplied by 32. The multiplier reflects the time that the Benefits Agency assumes that someone would have carried on defrauding them if they had not been caught” (see references)
Even the Audit Commission scales up its fraud-recovery effectiveness. The latest Annual Report of its anti-fraud activities states that the identified "£24 million" of detected benefit fraud is a number that has been “multiplied by 13”. Its pension fraud figure of £28 million saved from Local Authority Pension Schemes uses a multiplier arrived at by a “Cabinet Office formula”. This formula scales up the actual detected fraud by “the number of years the pensioner would have reached 90” (which is surprising given life expectancy in the UK is currently about 80 years).
The use of multipliers could very well be legitimate – I don’t know. But to quote figures in press releases and public statements without any indication that a multiplier has been used (or its value) is in my view, wholly misleading. For instance, it simply beggars belief that the Cabinet Office multiplier is reliable in connection with the true rate of pension fraud.
Also, the National Audit Office in 2008 estimated that benefit fraud represents 0.6% of the cost of the total benefit system (£0.8 billion) and this figure was falling year on year because of anti-fraud data matching activities. By contrast, more than twice the amount lost (about £1.9 billion) related to inaccurate personal data. This 2:5 ratio is also in the Prime Minister's numbers (see above) and suggests that resolving the data inaccuracies in the system is more than twice as important than those headline-catching benefit fraud initiatives.
No one is saying that data matching should not occur to counter fraud in the benefit system. However, there needs to be prior justification for the use wide ranging invasive powers, especially if they are to involve Credit Reference Agencies. There needs to be thorough examination and analysis with the measurement of outcomes to ensure the powers are needed and work effectively. There also needs appropriate checks and balances to ensure that when things go wrong, there is proper redress.
Additionally benefit fraud savings, when announced, have to be credible – I fear the numbers being bandied about at the moment are inflated for political purposes.
Finally, the data matching powers granted to the Audit Commission were enacted by the last Government who raised two fingers to anybody who expressed issues like those mentioned in the paragraphs above. It would be disappointing if the Coalition Government were to traverse the same path.
References: Page 21 of the DWP Benefit Fraud Research: http://research.dwp.gov.uk/asd/asd5/rrep064_first-half.pdf (This is old research but it is the only reference to the current estimated multiplier I could find).
Audit Commission National Fraud Initiative Annual Report: http://www.audit-commission.gov.uk/nfi/reports/pages/default.aspx (this reports the multipliers it uses in an Appendix).
The National Audit Office report on Benefit Fraud: http://www.nao.org.uk/publications/0708/progress_in_tackling_benefit_f.aspx (shows that data inaccuracy outweighs fraud)
Marketing: We have a set of Data Protection courses (Edinburgh commencing in next week and in Manchester late September). Our next FOI course is in London (commencing 20th September) and in Leeds (commencing 19th October). Update sessions (at £95+VAT is a snip). We also have onsite courses on RIPA and CCTV. Details on www.amberhawk.com.
Interesting article Chris.
A couple of extensions to this. I've been discussing, today, the PSN - a vision to connect local and central government networks to allow data sharing and assist with mobility. It would, given the above analysis, stand to reason that access should also be given to credit reference agencies to ensure data matching can occur within a secure environment, though there's been no attempt to include them in scope.
The other regret with the passing of the AC was the time and effort spent last year compiling responses to a survey they conducted about how aware staff were of general information security issues. They helpfully didn't provide us with the raw data which we could have used to target individual training needs, merely reporting with general percentages etc... I guess in hindsight, it was an attempt to try and gain relevance in that area... maybe that aspect would be better dealt with by the ICO?
Posted by: Tim Rodgers | 16/08/2010 at 05:31 PM
The Audit Commission's Code of Data Matching Practice has been described as 'ambiguous' because it says both 'where a match is found it indicates that there is an inconsistency' and 'where a match is found it indicates that there might be an inconsistency'. To judge from the recent alterations made to the AC's own 'fair processing notice' and a legal report it had into the council tax = electoral register data match, the AC now takes a view that it can use data processing and comparisons to highlight situations which 'might' be inconsistent, and that so long as the purpose is to prevent or detect fraud this is all right.
Given that almost any conceivable situation involving benefits and tax relief 'might' be inconsistent, the protection supposedly provided for those who are entitled to whatever good they are receiving vanishes.
The new Scottish Code (Audit Scotland appears to take advice from the Audit Commission) doesn't even pretent that data processing is used to identify inconsistencies.
Posted by: Karen | 20/09/2010 at 11:01 PM
If the code is abolished, then how can they say that the activity is in accordance with the law?
CP responds: I expect the data matching activities will continue with another authority (e.g. DWP) and a new Code produced. If not, the Audit Commission will be abolished, as will be the Code but there will be no data matching
Posted by: Karen | 15/02/2011 at 01:14 AM
I have just obtained an edited copy of the 'Audit Guide' which sets out the 'interpretation' of one set of data matching exercises, the ones linked with the 25% discount arising under Section 11 of the Local Government Finance Act. These involve the full electoral register.
The interpretations provided are legally inaccurate.
They assert, falsely, that this is unambiguous matching since there is no doubt about the reason for entitlement. This is nonsense: entitlement arises on any day when the criteria set out in Section 11 are met. This is not decided in advance of the tax year, and, obviously cannot be. This is why the law tells councils to issue the bills on the basis of statutory assumptions.
So personal information is being given a clear, legally inaccurate and prejudicial interpretation by an incompetent quango.
Worse, the very data sets demanded have inaccurate information built into them. The data sets are in the public domain. The Commission insists that certain 'codes' are uploaded along with the data. These 'codes' are not just not consistent with the law, they are at odds with it.
You can complain to the Audit Commission about this and you will get nothing but evasiveness, responses that give an impression of duplicity and remarks verging on the plain insulting.
For example, regional advisors have asserted that by law there is a duty to report any changes in circumstances that might affect entitlement. The law is clear: there is no duty to report any changes in 'circumstances', only a duty in effect to report if one is not paying enough tax. You can complain about the incorrect assertions being made: your complaint will not be upheld.
Recently somebody seems to have been feeding CIPFA legally incorrect nonsense. It has published a guide to housing and single person discount fraud which asserts outrageously that experience has shown that the register is a reliable guide to entitlement to a Section 11 discount. This is junk! The law shows that the register is no such thing and 'experience' shows that attempts to use this document result in very many abortive investigations and large numbers of complaints. The NFI pilots showed that it was necessary to undertake over three thousand investigations before one case likely to go to court was found. Some councils have had to issue public apologies after similar exercises. The law forbids councils from using the full ER except for a statutory purpose relating to law enforcement and crime prevention. Following legally wrong and probably defamatory advice provided by an incompetent quango is not a 'statutory purpose' of this sort, surely. The duty of the council would appear to be to point out the boo boo to the Audit Body issuing such nonsense.
Within my own council, since obtaining this appallingly incompetent secret guidance (which is on a password protected site of the NFI) I have found acceptance that the guidance is wrong and a general denial that anybody had actually seen it.
It beggars belief that for years the NFI has been issuing legal junk as a result of which people have been subjected to fraud investigations and that nobody blew the whistle. It appears that the secrecy surrounding the document protected the NFI. I only got it by asking and asking and not taking no for an answer and going to a F of I tribunal where in the course of the case management the NFI suddenly changed its mind and coughed up the info.
So in data sharing the big question is since they keep the 'meta data' and so on secret, and in the case of the NFI repeatedly misrepresent it, and the information is wrong in terms of law and its 'meaning' mis stated what can one do about it?
I spoke to a National Fraud Authority top person on public sector fraud who was 'supporting' some London Boroughs whose practices were blatantly at odds with council tax discount law, including Ealing, which gets it utterly and totally wrong.
I showed her section 11 and also the relevant part of the 92 Regs, which are the bits that apply and she could only say that she did not know whether these laws were where the so=called 'single person discount' was set out, and accepted that her knowledge of council tax discount law was very limited. Yet this person, albeit very nice, is apparently misguided and is working with a council which almost routinely acts in breach of its duties generally and specifically under council tax discount law:
Section 11 92 Act Discounts.
(1)The amount of council tax payable in respect of any chargeable dwelling and any day shall be subject to a discount equal to the appropriate percentage of that amount if on that day—
(a)there is only one resident of the dwelling and he does not fall to be disregarded for the purposes of discount; or
(b)there are two or more residents of the dwelling and each of them except one falls to be disregarded for those purposes.
Part four of 92 regs
Assumptions as to discount
15.—(1) Where, having taken such steps as are referred to in regulation 14, a billing authority has no reason to believe that the chargeable amount for the financial year concerned is subject to a discount, it shall assume, in making any calculation of the chargeable amount for the purposes of Part V of these Regulations, that the chargeable amount is not subject to any discount.
(2) Where, having taken such steps as are referred to in regulation 14, a billing authority has reason to believe that the chargeable amount for the financial year concerned is subject to a discount of a particular amount, it shall assume, in making any such calculation as is mentioned in paragraph (1) above, that the chargeable amount is subject to a discount of that amount.
Correction of discount assumptions
16.—(1) Subject to paragraph (2), where a person—
(a)has been informed in accordance with any provision of demand notice regulations of an assumption as to discount made in his case; and
(b)at any time before the end of the financial year following the financial year in respect of which the assumption is made has reason to believe that the chargeable amount is not in fact subject to any discount, or is subject to a discount of a smaller amount,
he shall, within the period of 21 days beginning on the day on which he first has reason so to believe, notify the authority in writing of his belief.
And oh dear oh dear the National Fraud Authority has been suggested as a possible take over body for the NFI and its lead person does not appear to have done the homework and so this mess will go on for ever.
What I say here is true to the best of my knowledge and does not imply any disrespect for people who rely on others who should be reliable but clearly are not.
But when you look, somebody from the Audit Commission is usually involved when mistakes arise, and if not them then a credit reference agency.
Posted by: Karen | 01/08/2011 at 01:56 PM