The National Fraud Initiative

The UK government is proposing to expand the powers of the National Fraud Initiative, a data-matching exercise which allows both public and private entities to access data.

Explainer

Post date

15th March 2021

Key points

An ongoing consultation by the Cabinet Office is proposing to introduce sweeping changes to the National Fraud Initiative, vastly expanding its data-processing powers
The government intends to enact these powers by Summer 2021 through secondary legislation
The proposed changes raise several privacy concerns

Photo by Alex Jones on Unsplash

You can access PI’s response to the consultation here.

This explainer is based on PI’s analysis and understanding of:

The Consultation text
The Draft Code of Data Matching Practice
The Cabinet Office’s data specifications for the public and private sector
The Cabinet Office’s 2015 case-studies both for the public and private sector
The Data Protection Impact Assessment for the current iteration of the National Fraud Initiative
The National Fraud Initiative fees documents for the public and private sector

What is the National Fraud Initiative?

The National Fraud Initiative (NFI) is a data-matching exercise currently conducted for the sole purpose of detecting and preventing fraud at large. It is operated by the Cabinet Office under its statutory data matching powers set out in the Local Audit and Accountability Act 2014 (the 2014 Act).

There are two categories of entities able to use the NFI: mandatory and voluntary participants. Mandatory participants include all local authorities, NHS foundation trusts, police authorities and many others as outlined by the relevant legislation. Voluntary participants, by contrast, can only take part if the Cabinet Office considers that it is appropriate to use their data and where to do so would not breach data protection obligations. Voluntary participants include the Student Loans Company and NHS Business Services Authority, as well as other private sector organisations.

Both mandatory and voluntary participants have to pay a standard fee to use the NFI, as well as additional fees for each search run through the NFI.

What kind of data is used by the NFI?

The NFI currently collects more than 20 data types, which equates to over 8000 datasets, and includes over 300 million data records. The range of datasets include public sector payroll, housing benefit, social housing waiting lists, parking permits, council tax, local authority pension payments, electoral register, right to buy, and public sector housing.

Both mandatory and voluntary participants to the NFI feed data into the data-matching exercise. The categories of data provided are determined in advance by the Cabinet Office, which sets data specifications for each of the datasets. Some of these data specifications are made public, and different specifications exist for public and private sector bodies.

Examples of datasets matched by the NFI, as disclosed in the Appendix 1 of the Consultation document.

For example, when asking for payroll information, the Cabinet Office requires a public body to include the following data:

the employee’s reference number;
the department the employee works at;
their title;
their gender;
their full name and surname;
their full address;
their Unique Property Reference Number;
their date of birth;
their phone numbers;
their email;
their passport number;
their dates of employment (start and end);
their status (full-time, part-time or casual);
their National Insurance number;
their pay;
the hours they work per week;
the date they were last paid;
whether or not they’re a teacher;
their sort code;
their bank account number; and
their building society roll number.

The NFI requests participants to submit the relevant data specifications in accordance with a published timetable.

How does the NFI work?

As a data-matching exercise, the NFI works as an automated tool matching different datasets. The Cabinet Office decides which datasets to match based on its own assessment of whether the match is likely to disclose relevant information.

A few examples of datasets customarily matched in the context of fraud prevention and detection were provided in a Freedom of Information Act response disclosing the Data Protection Impact Assessment carried out for the current iteration of the NFI.

Non-exhaustive list of datasets matched for the power to detect and prevent fraud, extracted from a response to a FOIA request.

Based on the results yielded by the data matches, the organisation running the NFI may choose to take further action internally.

According to the Consultation, current NFI data-matching is delivered through a range of products that include the “national two yearly exercise in the main NFI web portal as well as products such as FraudHub, Recheck and Appcheck”. Each of these products can be used by participating organisations in order to access NFI data. While the functioning of each of these products is largely unclear, some of their characteristics are in the public domain. Based on these documents, PI understands that:

Fraudhub is only available to select public bodies, and charges its clients once a year for unlimited use.
ReCheck appears to work by matching an internal dataset to all available datasets concerning the same person, and seemingly charges once for that base dataset being run against the rest of available datasets.
Appcheck is available on a subscription or pay-as-you-go basis. If the latter, it seemingly charges per “search”. It is unclear how much information can be accessed from a single “search”.

How much personal data can be accessed through the NFI?

Access to the NFI as a service is one thing. Access to the data contained by the NFI is another.

Once an entity has paid-for access to the NFI, it is unclear whether any limits exist as to the amount and granularity of personal data that it can access. For example, it is unknown whether participants can access full datasets as provided by other participants, or whether they can only access limited categories of data.

It is also unclear whether the data that can be accessed through the NFI is strictly limited to the individual in relation to whom a search or request is made. In one reported instance (see below), use of the NFI in relation to a person yielded information relating to their partner.

However, based on our understanding of the products outlined above, it would appear that participants have full access to the data obtained by the NFI whether by way of mandatory or voluntary submissions.

What are the consequences of data-matching?

The Cabinet Office have published a series of examples of the consequences of data-matching under the current application of the NFI, in the form of promotional “case-studies”.

The examples referred to by the Cabinet Office show, among the range of potential consequences, show the following:

internal investigations
police investigations
arrests
evictions
employment dismissals
prosecutions
suspension of pension payments
fines

A number of the examples referred to instances where employees had been found out not to have leave to remain, and subsequently dismissed. In one example, the use of the NFI led one employer - the Yorkshire Ambulance Service NHS Trust - to find out that the wife of their employee had no right to reside or work in the UK.

The screenshot below shows an example from the private sector.

Screenshot taken from Cabinet Office’s private sector case-studies.

What is the role of the consultation?

For now, the Cabinet Office can only carry out data-matching for the exclusive purpose to prevent and detect fraud. The proposed expansion under the consultation would cover four additional purposes not currently covered by the NFI, namely:

Data-matching to assist in the prevention and detection of crime (other than fraud);
Data-matching in the apprehension and prosecution of offenders;
Data-matching to assist in the prevention and detection of errors and inaccuracies; and
Data-matching to assist in the recover of debt owing to public bodies.

What is the timeline?

The new legislation flowing from the consultation would be laid before Parliament in Spring/Summer 2021. Subject to new provisions being enacted, the first pilots would take place in December 2021.

Our campaign

When Big Brother Pays Your Benefits

Learn more

Mass Surveillance

Social protection programmes

The World Bank & social protection during crises: a privacy trade-off?

Privacy International ("PI") researched a number of social safety-net projects financed by the World Bank during the COVID-19 pandemic. To inform the World Bank's future implementation of these kinds of projects, this article reflects on how certain aspects of social protection projects can inadvertently lead to excessive surveillance of marginalised communities, impact equal access to urgent social protection disbursements, and interfere with people's dignity and right to privacy.

Long Read

Emergency Social Protection responses to Covid-19 around the world

Privacy International has been researching how emergency welfare responses have been handled in different countries in light of the Covid-19 pandemic. Despite the variety of socio-economic and political contexts of the countries researched, PI has found that a lot of them share common concerning elements along the benefit disbursement process, namely the automation of eligibility processes, lack of transparency, excessive data collection, security issues in disbursement methods and more.

News & Analysis

Amazon Alexa/NHS contract: ICO allows partial disclosure

The Information Commissioner's Office issued a decision on our complaint relating to the failure by the UK Department of Health and Social Care to disclose the full, unredacted contract with Amazon.