The Government propose to expand the data matching capability of the Cabinet Office as legitimised by the Local Audit and Accountability Act 2014. Data matching (and the associated data sharing) is to be extended from its current anti-fraud base to include any other criminal activity, debt recovery and data quality (e.g. improving accuracy of personal data).
The proposals are described in a document entitled “Consultation on the expansion of the National Fraud Initiative Data Matching Powers” which also includes a Draft “Code of Data Matching Practice”. From a data protection perspective, both these documents are deficient.
I suspect the current scale of data matching arrangements will surprise many readers. The consultation document explains that through the National Fraud Initiative (NFI), the Cabinet Office “has collected more than 20 data types, over 8000 datasets, which is over 300 million data records from 1300 participants” (para 7.2). Indeed, current data matching law permits (see references for examples):
- confidential personal data (e.g. from social work records or health records etc) to be used by the Cabinet Office for any mandatory data matching (if such matching is required).
- the processing of private personal details of employees (e.g. bank account, home details, passport details, mobile number etc) given to employers in the NHS or Local Government (this has been done).
- Electoral Roll, Housing Benefit, Council Tax, Payroll, Housing Tenancy and waiting lists, Right to Buy, and Licensing databases to be cross matched with Immigration records (this has been done).
Given the intended expansion into data quality issues and debt recovery (in a post COVID era, millions of data subjects will be in some kind of debt), the number of data records involved is likely to increase exponentially. Bulk data matching, bulk data sharing and bulk data retention are all likely consequences of these proposals.
Surprisingly, discussion of these “bulky” aspects (or even estimates of the bulkiness involved) does not feature in the consultation documents.
Can I suggest you take a quick look at the current transparency notice for the National Fraud Initiative (NFI) as it gives a flavour of what this blog is about. Evidently, when you register to vote, you also register for the NFI – but I am sure you knew that. The Notice is on https://www.gov.uk/government/publications/fair-processing-national-fraud-initiative/fair-processing-level-3-full-text
The extension to private sector data matching
The private sector can use the current data matching facility; for example it was used by the owners of DSG International (Dixons, Currys and PC World) to identify 16 staff who had no right to work in the UK (see references for examples of current data matching exercises).
Given the current “hostile environment”, with employers being fined for employing those who cannot work in the UK, I expect more similar data matching to occur. This is especially so in the case of large employers who have a high turnover of staff (e.g. zero hours contractors). For a few thousand pounds, such employers can demonstrate to the immigration authorities that they have expended every effort not to employ persons who cannot work in the UK.
Further expansion into private sector affairs can be anticipated, especially as debt recovery and data quality issues become a key part of data matching. According to the Government’s consultation documentation, private sector involvement (e.g. by credit reference agencies) in the area of debt recovery could well be unlimited. Such data matching “would involve NFI sharing the data with the 3rd parties for them to undertake data matching on behalf of the NFI ….and provide the results back to the NFI” (para 13.6).
As an aside, this sentence overlooks that “Third Party” is a defined term in the UK_GDPR; usually Third Parties are also controllers but processing on “behalf of” (as expressed in this sentence) is an attribute of a “processor”. This kind of sentence permeates the consultation document text and creates uncertainty as to what is meant (in this case, whether a credit reference agency is a controller or processor in the proposed data matching).
Finally, especially in circumstances of debt collection and data quality, these powers are likely to replace the voluntary data sharing arrangements of the Digital Economy Act (DEA) 2017 with mandatory data sharing arrangements. In summary, it appears that the voluntary approach towards debt collection and data quality in the DEA has been abandoned in favour of mandatory data sharing/matching.
Why data matching is controversial
Data matching is, in effect, a crude form of profiling. For example, a model for a “benefit cheat” could be someone who is working and is also claiming unemployment benefit for being out of work.
So if one has a list of people “in work” and correlates it with a list of people in receipt of “out of work benefits”, there should be, in theory, little or zero overlap between the lists. Those who appear in both lists could well be people in work and claiming benefit; data subjects whose circumstances are worthy of more scrutiny.
Note that before any data matching, there is no evidence against the particular individuals who appear in both lists; those who appear in both lists emerge because of the data matching exercise.
In other words, the emergence of data subjects in both lists is a long way from asserting that each data subject has actually committed a fraud. This is accepted by the Consultation Document which states: “No assumption can be made as to whether there is fraud, error or another explanation until the investigation process is completed” (para 2.2).
Two types of data matching
The provisions that allow such wide data matching are buried in Schedule 9 of the Local Audit and Accountability (LAA) Act 2014; the short title for what, at first glance, appears to be a piece of “very boring” legislation.
Indeed, Parliament did not debate the effectiveness of these data matching powers in 2014 as they merely repeated the data matching powers of the Audit Commission Act 1998 (inserted via the Serious Crime Act 2007). In other words, it has been about 15 years since data matching powers have been reviewed or even debated in detail.
The LAA Act sets out two types of data matching: there is mandatory data matching (which applies to NHS Trusts and Local Government functions including “best value” functions such as a Transport Authority) and voluntary data matching (which applies to everybody else, including the private sector). The draft Code conflates these two situations and this is another cause of confusion.
Mandatory data sharing powers are vested in the Cabinet Office, and clearly it is the ONLY relevant controller by virtue of Section 6(2) of the DPA2018. I say this because the draft Code is not clear on this score; one has to get to page 13 of the Code before the Cabinet Office eventually admits that it is a possible controller when it comes to data matching!
For instance, the draft Code states that the disclosing controller has to demonstrate “compliance with data protection legislation”. This suggests that the disclosing controller has some of the responsibility as a data matching controller when this is not the case for mandatory data matching; the Cabinet Office is the relevant controller.
For instance, I cannot see why the disclosing controller must consider undertaking a Data Protection Impact Assessment (para 2.10.1 of the Code) when mandatory data matching demands disclosure to the Cabinet Office. In this case, the disclosing controller has no choice in the matter but to disclose; a DPIA makes little difference to the risks to data subjects.
Another likely error with mandatory data matching (i.e. where there is no choice but to disclose what is being demanded) is the designation of the legal basis in Article 6. It is Article 6(1)(c) of the UK_GDPR (legal obligation) and NOT Article 6(1)(e) (public task) as stipulated in the draft Code. The latter is correct for voluntary data matching (but we are not dealing with this voluntary aspect here). This “nerdy point” has an impact on the right to object to the processing (which is discussed later in the context of voluntary data matching).
Additionally, because a controller is obliged to disclose to the Cabinet Office, then various protections in the UK_GDPR are greatly diminished. For example, suppose the law requires 20 items of personal data to be disclosed for a data matching purpose and retained for a year. It is going to be difficult to argue that the Cabinet Office is in breach of the data minimisation, purpose limitation and data retention Principles as the law specifically demands such processing to occur.
Illusory protection
In summary, the draft Code in several places purports to reassure the reader by using sentences such as: “In most cases, data matching will take place in accordance with the data protection principles”, when in practice (as explained above), half the Principles identified in Article 5 are much diminished in these mandatory circumstances.
In addition, the exemption associated with statutory disclosure (Schedule 2, para 5(2) of the DPA2018) could be engaged, and this also can negate most of the data subject rights as well as the first two Principles in Article 5.
In summary, with mandatory data matching, compliance with the UK’s data protection regime is touted in the consultation documents as a safeguard, when it is not.
Enter Article 8: Human Rights Act
Data subjects could argue on Article 8 ECHR grounds that the processing is not “necessary” for a legal obligation (or necessary for a public task in the case of voluntary data matching). However, this appears to be a remote prospect given that the current Commissioner has never shown any appetite for this line of argument (and she is to be replaced by October).
In other words, the main safeguard is Article 8 of the Human Rights Act, yet any analysis of Article 8 is absent from the Government’s consultation text or Draft Code. I hope the Commissioner asks the right questions in this regard when approached by the Cabinet Office to discuss the enhanced data matching arrangements, as it impacts on the Article 6 lawful basis through the word “necessary”.
I admit that I am struggling with the concept that extensive data matching/data sharing to improve data quality (or indeed chase debt) is consistent with Article 8.
Voluntary data matching
With respect to voluntary data matching, the draft Code is slightly better. For instance it explains that “Patient data may not be shared voluntarily, and so may only be used in data matching if the Cabinet Office requires it from a mandatory participant” (para 2.4.2). This confirms that the NHS could be obliged to disclose patient data by law for mandatory data matching exercises (and share the data matching results perhaps with HMRC and immigration - to improve data quality of course).
The draft Code fails to mention the right to object to the processing, which applies to voluntary data matching, as the processing is subject to Article 6(1)(e); I suspect this right would be exercised if data subjects knew it applied. In fact, mention of the right to object does not even appear in the National Fraud Initiative Privacy Notice that covers current data matching by the Cabinet Office (see references); a significant omission.
Finally, the draft Code explains that “Any other body or person may provide data (not including patient data) voluntarily for data matching exercises if the Cabinet Office decides that it is appropriate to use their data….” (para 2.4.2). This suggests that the Cabinet Office decides what it wants, and then approaches the “other body” for disclosure. Of course, the body can resist disclosure but in practice, the disclosing body which is approached is likely to disclose.
In a mafioso sense, the Cabinet Office will approach its chosen controller “with a disclosure offer that it can’t refuse”.
Data retention
The current National Fraud Initiative Data Deletion Schedule (see references) shows that all personal data is retained for 6 months (or 12 months). By contrast, the draft Code reduces this to “within three months of the conclusion of the exercise” (para 2.20.4).
This does not mean that the personal data will be deleted within 3 months. For instance, if a data matching exercise commences in January and takes five months until July to complete, this means the retention time for all the personal data is eight months (in October). That is why the proposals imply a bulk data retention functionality.
This approach is wholly contrary to any basic data protection analysis. Suppose one is matching two lists (e.g. the unemployment benefit claim versus employment lists). I can see one retaining personal data about data subjects on both lists. However, if a data subject appears only in one list (i.e. the data subject is employed but not claiming benefit or is claiming benefit but not employed), I cannot see why the personal data should be retained at all – but clearly it is (for months on end).
Intelligence database
The prime objective also appears to use these data matching powers to create an intelligence functionality for public authority use in general. This is explained in the draft Code as follows:
“However, it is important to recognise that matches are not necessarily evidence of fraud, an indicator of crime, the identification of an offender, error or inaccuracy, or identification of a person owing debt to a public body. The match will provide intelligence for organisations to act on appropriately…..” (my emphasis of para 2.16.1).
In this regard, the consultation document brazenly calls for the undermining of fundamental protections for data subjects. For instance, with respect to policing it states:
“Currently, individual requests are made to separate local authorities/government departments using written data protection exemption requests. Both the crime and offenders powers would give a clear legal gateway that would allow the police access to more data about a person in a much more efficient way that still meets the required data protection requirements…..”. (para 2.1; Appendix 3)
This is a reference to the circumstances when the police ask a controller for the disclosure of personal data: “can you tell us what Fred Bloggs earns because we suspect a fraudulent benefit claim has been submitted by Bloggs?”. As informing Fred Bloggs about the disclosure of his personal data to the police could well prejudice a criminal inquiry, the exemption with respect to disclosure to law enforcement is engaged (Schedule 2, Para 2(1) of the DPA2018).
Note the data subject has the protection of a test of prejudice being applied to the disclosure of his personal data for a crime related purpose, but the police get the requested personal data without the data subject being tipped off. That is how this exemption balances the conflict of interests.
The statement in Appendix 3 is a rejection of this balance; it states that the law enforcement agencies prefer a “clear legal gateway” that is more “efficient”. To be helpful (and clarify the point being made) I have drafted an alternative request to be used by such law enforcement bodies when approaching the Cabinet Office:
“Dear Cabinet Office.
We are looking for details on Fred Bloggs and we don’t want to navigate this “prejudice test” nonsense in the Data Protection Act 2018. Please exercise your powers efficiently and demand personal data from organisation X and then give us any results on Mr Bloggs.
Lots of love
Your friendly investigating officer.”
Shocking really.
Concluding comments
If data matching is proposed on such an expansive scale, then primary legislation should be introduced so that the profiling issues can be debated properly. This is especially the case as existing data matching legislation has not been debated:
- in detail for more than 15 years since the Serious Crime Act 2007;
- in the context of the use of modern software and technology;
- in the context of data matching purposes which raise important questions of necessity and proportionality (e.g. data quality; debt recovery).
To pretend that the proposed changes are trivial and merely require the use of secondary legislation is a misuse of power.
Finally, the errors in the data protection analysis presented in the public consultation documents and draft Code of Practice do not create a platform where public trust in the Government’s data matching proposals can be sustained.
Note added Feb 22: I should have mentioned that the data matching legislation only applies to England and Wales, but the authorities in Scotland and Northern Ireland are looking at this measure.
References
The consultation documents and proposed Code of Practice are on: https://www.gov.uk/government/consultations/consultation-on-the-expansion-of-the-national-fraud-initiative-nfi-data-matching-powers-and-the-new-code-of-data-matching-practice
Current data matching Code of Practice, data retention times and details of current data matching exercises: https://www.gov.uk/government/publications/code-of-data-matching-practice-for-national-fraud-initiative
The current transparency notice (well worth a glance) is on https://www.gov.uk/government/publications/fair-processing-national-fraud-initiative/fair-processing-level-3-full-text
Current private sector data matching case examples: https://www.gov.uk/government/publications/national-fraud-initiative-case-studies/nfi-private-sector-case-studies
Current public sector data matching case examples: https://www.gov.uk/government/publications/national-fraud-initiative-case-studies/nfi-public-sector-case-studies
Data sets currently used: https://www.gov.uk/guidance/national-fraud-initiative-public-sector-data-specifications (have a look at the payroll one!)
Parliamentary scrutiny of Schedule 9 was limited (mainly because it was seen as a continuation of the Audit Commission Act 1998 but it isn’t): see https://publications.parliament.uk/pa/cm201314/cmpublic/localaudit/131119/am/131119s01.htm and https://publications.parliament.uk/pa/ld201314/ldhansrd/text/130626-gc0001.htm#13062667000086