In August 2010, the Audit Commission was targeted for abolition. At that time, I asked “who would get the Commission’s data matching powers?”. Two years later we have part of the answer: the Secretary of State (SoS) responsible for Local Government.
In a draft Audit Bill published last week, Eric Pickles (the current SoS) is suggesting he is given wide ranging data matching powers that covers all local government functions (and all public bodies that deliver local government functions – this could include some contractors but not all). These data matching powers could wildly exceed what the Audit Commission have at the moment.
Although the main purpose of data matching is limited to any type of fraud, in the proposed clause 91, there are powers to add further data matching purposes and Local Government public bodies subject to data matching arrangements. It is this open ended provision that does not place any limit on the data matching arrangements for Local Government.
My reading of the draft legislation is that the Audit Commission’s data matching powers that relate to benefit fraud committed by employees working for the NHS or Police still need to find a home. One can now presume that the Secretary of State for Health and the Home Secretary could get them and that new legislation is needed.
So if the Home Secretary drafts data matching legislation to transfer the Audit Commission’s current powers, do you think that legislation will be limited to benefit fraud and police payrolls? Very unlikely in my view so I am throwing down a marker for a possible future privacy battle over data matching and the replacement for Schedule 7 of the Serious Crime Act 2007.
The Secretary of State is going to produce a Code of Practice that governs data matching in Local Government. In other words, the data controller doing the data matching is going to identify the procedures and rules that meet the requirements of the Data Protection Act that protect individuals. The Code is not a statutory one and there is no penalty for non-compliance with the Code’s provisions.
Quite frankly, this is unacceptable. Although there is “consultation” about the content of the Code (e.g. with the Commissioner), I don’t think this works.
Firstly, the fact that one “consults” with someone does not mean that one follows the advice given. So if the Information Commissioner were to come up with a serious objection, what the Commissioner says could, in theory, be ignored.
The second objection is more fundamental. What you have in data matching is a balance. On one side there is the invasion of privacy for whatever reason (e.g. anti-benefit fraud has substantial public support), and on the other, the protection of the privacy of the individual whose personal data are matched.
I contend that a Code of Practice produced by the organisation that actually does the privacy invading cannot deliver the correct balance because instinctively, the organisation producing the Code is on the side of privacy invasion.
To achieve a sustainable balance, what should happen is that the Code of Practice has to be produced independently (e.g. by the Commissioner) and that this Code has to be a statutory one so that the Courts take it into account if there is any failure to meet the expected standards.
Let me provide an example. The notes to the draft Audit Bill, stated that “The National Fraud Initiative has been very successful, enabling participants to detect £919m in fraud, errors and overpayments since 1996”. Take a note of that number – it is about £61 million per year and not the billions often quoted by Ministers in relation to benefit fraud.
The reason for this discrepancy is that the Department of Work and Pensions assume that any detected fraud has been going on for 32 weeks, so it multiplies the weekly fraud by that number. In this way £61 million per year transmutes into £1.8 billion!
As an aside, the 27th Report of the Public Accounts Committee in 1997/98 noted that “The 32-week multiplier at the heart of the weekly benefit savings calculations may distort reported levels of fraud, detected, and it does not reflect the actual savings to the public purse achieved by fraud detection”. All I would add is that the Audit Commission figure measures actual savings.
Why am I raising this? Well suppose it costs the Mr Pickles £65 million to do all the data matching, and suppose you are a civil servant doing a cost-benefit report to justify your Department’s data matching operations.
Which headline would you choose for the report: “Data matching saves £1.8 billion” or “Data matching looses £4 million”? I bet it is the former. And that why this Code of Practice has to be independently drafted by someone who is not the Secretary of State.
References
Who gets the Audit Commission’s privacy invasive powers? http://amberhawk.typepad.com/amberhawk/2010/08/data-protection-who-gets-the-audit-commissions-privacy-invasive-powers.html
Draft Audit Bill
http://www.communities.gov.uk/documents/localgovernment/pdf/2174738.pdf
Public accounts committee on benefit fraud: http://www.publications.parliament.uk/pa/cm199798/cmselect/cmpubacc/366xxvii/pa2705.htm
If readers are looking for detail of the types of “public bodies” that could be involved, see a House of Lords judgment http://www.publications.parliament.uk/pa/ld200607/ldjudgmt/jd070620/birm-1.htm (where a contracted out care home was not a public body).
Hello
When you get close up to the figures they are even more misleading.
In respect of the council tax - electoral register comparison the Audit Commission counts large numbers of cases where after investigations there was still entitlement as 'error'.
To give an example, in 2010 the NFI sent to Arun Council a list of 1058 people it wanted them to investigate in search of actual inconsistencies that might indicate fraud. At least another 1058 people were linked by name with these cases, the names being taken from the electoral register complied part way through the tax year. The aim appears to be to discover cases where the new voter does not fall to be disregarded and where the taxpayer has dishonestly failed to notify the council tax department that the single person discount no longer applies. If the person is disregarded there is no obligation to inform the council and the discount still applies.
Of these cases, Arun found that over 700 were still entitled.
However, because the NFI argues, in the face of legal advice from Bob Neill, Undersecretary of State that in these 700 cases there was some 'error', they get counted in the figures.
The argument for there being an 'error' appears to go as follows: you can use the electoral register in any way so long as in some sense this 'prevents fraud'. By compiling statistically based hit lists for investigation you are preventing fraud. The fact that the council had not carried out investigations the minute these electors appeared on the register shows that they have failed to apply a fraud prevention measure which we thing the courts would find to be legal (because we asked a barrister about it) and on that basis we may report the councils as not taking proper care of public money and being 'at risk' of fraud.
One cannot assume that NFI figure for fraud and error refer to cases of under or over payment, though my view is that they would be only too delighted if they were taken this way because they do not feel obliged to provide objective information in an impartial way.
Of course, one can assess the measures used by a council to prevent fraud, including, if this were found legal by a court, the use of the electoral register, without providing hit lists of people who might, statistically, turn out to be thieves and insisting that these are investigated. It is not, therefore, necessary to issue hit lists to achieve this purpose. I think this affects the legality of the hit lists theoretically.
Proposals to alter the present English Code of Data Matching Practice are already on the table, having been drafted in response to a complaint about the data matching reports provided after the full electoral register is compared with lists of residents held by the council tax departments of local councils.
The history of this is in itself a story of misunderstanding and of the taking of provisions out of their contexts.
The present code states both that where a match is found it indicates that there is an inconsistency requiring investigation and that where a match is found it indicates that there may be an inconsistency requiring investigation.
The Audit Commission's independent complaints reviewer decided that this meant that the code was 'ambiguous'. I do not agree: the code states at one point that 'coincidental' matches should be eliminated, which appears to relate to the case discussed by Parliament where for example two people with similar names are confused within the computing processes so that a 'false' or 'coincidental' match is produced.
However, the Audit Commission simply accepted what its Independent Complaints Reviewer said, and brought forward proposals to resolve the alleged ambiguity by removing the provision that data matching indicated that a match should not occur. It claims that the criterion by which the processing becomes judged legal is not based on the nature of the processing or reasoning underpinning the uses of data but on the outcomes. If what it calls 'the exercise as a whole' including the investigations into the case highlighted do detect some fraud then that exercise is legal because it meets the purposive statements in the law.
This proposal was put foward in a somewhat tentative way, without explicitly admitting that there was any problem with the code. However, the Commission did modify its third layer fair processing notice to comply with its new view on what made the obtaining and processing of data legal. It also asked participants to modify their own. Some refused on the basis that the code was 'statutory' and that model FPN's appeared in the Code and that they could not lawfully change the wording and content of these. Underpinning this appeared to be a view that data matching was in fact only legal when used to identify anomalies and discrepancies. The same logic underpins insistence that if the NFI obtains and matches data then 'by definition' the people on NFI hit lists must be investigated as there was an inconsistency in their case
The Audit Commission now talks of 'potential inconsistencies', and it is quite open about using data matching to prevent fraud before it happens, as when it requires families with seventeen year old children at the time data is uploaded to be 'investigated' on the basis that some families receiving discounts fail to tell the CT department when a child who is not disregarded turns 18.
Once again the Act contains no definition of data matching, though it purports to do so. Only the explanatory notes, which have no legal force, hint that the idea is that 'matches should not occur'.
The Audit Commission has poo pooed any idea that there is a requirement that all matches should indicate that something improper has occurred. It now speaks of 'potential' and 'actual inconsistencies' and argues, along the lines of what I have said, that it is legal to produce hit list of 'potential inconsistencies' because some of the people will turn out to be fraud.
To give one numerical example.
In 2010 the NFI sent out three quarters of a million 'hits' relating to council tax discounts.
Posted by: Karen Heath | 22/07/2012 at 08:51 AM