Data Usage Agreement: Bounce Back Loan fraud analytics pilot between BEIS, the Cabinet Office and HMRC
Published 19 October 2023
This Data Usage Agreement for the Bounce Back Loan fraud analytics pilot between the Department for Business, Enterprise and Industrial Strategy, the Cabinet Office and HMRC was approved and put in place in 2021.
1. Conditions of disclosure of information by HMRC
HMRC disclose this information to the Cabinet Office, the Department for Business, Energy and Industrial Strategy (BEIS)[footnote 1], British Business Financial Services Limited (BBB) and accredited lenders by virtue of the legal basis of section 56 of the Digital Economy Act (DEA) Disclosure for the purpose of ‘taking of action in connection with fraud against a public authority’ on the condition that Cabinet Office and BEIS undertake the following:
- complete a Data Protection Impact Assessment (DPIA)
- adhere to the DEA code of practice and complete all relevant documentation and have ministerial approval
- adhere to this Data Usage Agreement (DUA)
A joint DPIA has been completed by BEIS, Cabinet Office and HMRC to go alongside this DUA.
1.1 Purpose
The purpose of the Bounce Back Loan (BBL) fraud analytics programme is to prevent and detect suspected fraud committed within the BBL scheme.
Cabinet Office and HMRC intend to complete a pilot that will match BBL data relating to ‘limited liability’ companies against data sets held by HMRC to detect suspected fraud in the BBL scheme. This part of the programme aims to identify BBLs that are linked to companies that have:
- claimed for workers under the Coronavirus Job Retention Scheme (CJRS)
- are operating as Mini Umbrella Companies (MUCs)
The wider programme scope includes the use of public, private, government and law enforcement data sets. But these will not be linked with data disclosed by HMRC.
Information disclosed to BEIS by HMRC may be used by BEIS investigators (including officers seconded to BEIS from the National Investigation Service (NATIS) acting as BEIS’ agents) for the purposes of investigation and prosecution of BBL-related fraud.
Cabinet Office (acting as data processor for BEIS) will use outputs disclosed by HMRC from the pilot to formulate a risk flag for onward sharing with BBB and accredited lenders. The risk flag will not indicate that it is based on any HMRC data or source material or that it originates from a MUC referral. Furthermore it will not infer or imply that a BBL borrower is a MUC.
1.2 Data Specification
BEIS will provide Cabinet Office with the following data via upload to a container in Cloud Based Analytics Service (CBAS), accessible only by BEIS and Cabinet Office:
- successful BBL application data for all borrowers on secured loans, including limited liability companies and sole traders
- facility reference; purpose of loan; loan amount; facility type; loan term; business name; lender code; lender name; loan state; annual turnover; standard industry classification code; postcode; guarantee percentage; created date; scheme facility letter date; initial draw date; repaid date; maturity date; lender demand date; demand to direct trader input date; cumulative amount drawn; standard industry classification group; region; region order; constituency; district; LEP1; LEP2; NUTS2 code; NUTS2; NUTS3 code; NUTS3; region NUTS1 code; region NUTS1; trading date; scheme; legal form; company registration; trading name; EFG interest rate; loan purpose; lender type; fees
- this dataset may contain personal information, for example in the business or trading name fields
- for more information on these fields, please see the attached web portal data fields justification document
Cabinet Office will enrich this with publicly available data from Companies House, namely:
- date of creation
- SPA (Specified Public Authority) personal data from Companies House (residential addresses and dates of birth) (this is covered by a separate legal gateway)
Cabinet Office will make a subset of the data available in the secure file transfer platform Egress. The subset of the data will only relate to limited liability companies and contain only the following fields:
- facility reference, loan amount, business name, company registration, annual turnover, and initial draw date
The reduced number of fields is restricted only to what HMRC require to carry out the data matching exercises and limits unnecessary data sharing. The Cabinet Office will inform HMRC that the dataset is available in Egress. HMRC will access Egress to extract the file onto their system and perform matching. The returned file will be uploaded to Egress with the following data points for each limited liability company successful BBL applicant, where available:
- MUC flag, HMRC will add a flag where they think a limited company may be a MUC but this does not mean
  - that it definitely is a MUC as this may include false positives
  - that the list is complete – there may be many more that HMRC has not managed to trace yet
- the MUC flag would not directly indicate that the MUC would not be entitled to apply for a BBL and so this flag cannot be used in isolation to make a fraud determination
- at this time, HMRC are unable to provide a risk classification and context around MUC flags
- job retention scheme application flag, risk classification and risk classification context
Cabinet Office will extract the data from Egress, then analyse the data in a Cabinet Office-only container alongside various other datasets (supplied via additional MOUs) and provide BEIS with information on BBL applications that are flagged as a result of Cabinet Office analysis as higher risk. This data will be shared within CBAS containers (accessible via BEIS and CO only).
Outputs from the pilot will be used by Cabinet Office (as data processor on behalf of BEIS) to formulate a risk flag to share with BBB and accredited lenders for the purposes of investigation of BBL related fraud, which includes facilitating a determination of whether any such investigation should be initiated. The risk flag will not attribute HMRC as a source and will not infer or imply that the flag is based on a MUC referral or that a BBL borrower is a MUC.
Data will be shared with BEIS, which may include BEIS investigators (including seconded NATIS officers) for the purposes of investigation of BBL related fraud, which includes facilitating a determination of whether any such investigation should be initiated.
1.3 Data security
BEIS, BBB, HMRC and CO will undertake to:
- move, process and destroy data securely i.e. in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
- only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information (linked to the purpose) will have access to it
- HMRC will store all data supplied by BEIS in a secure CAF with restricted access to members of RIS who are directly involved in the data share and only keep it for the time it is needed, and then destroy it securely on agreement of all parties
- not onwardly disclose the information without the prior authorisation of HMRC other than what is provided for in S56 of the Digital Economy Act
- comply with the requirements in the Security Policy Framework, and be prepared for and respond to Security Incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
- mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, and in particular as set out in the Annex – Security Controls Framework to the GSC
1.4 How data will be shared
The path of data transfer is described below:
- BEIS compiles a data file containing successful BBL applications for which a guarantee has been made.
- BEIS uploads this file to a container within the Cloud Based Analytics Service (CBAS) accessible by both Cabinet Office and BEIS. This will be done on a weekly basis.
- Cabinet Office will enrich this file with publicly available information from Companies House and SPA data (this is covered under a separate non-DEA legal gateway).
- Cabinet Office will upload ‘limited liability companies’ data only to a secure file sharing platform (Egress) owned by BEIS which will be accessible by both Cabinet Office and HMRC. Cabinet Office will then inform HMRC when and where the data is available. This data sharing will be carried out only once.
- HMRC will access Egress to extract the BBL data to the HMRC estate.
- HMRC will match ‘limited liability company’ BBL data against HMRC records, append the relevant columns and review the file.
- HMRC will upload the resulting file to Egress and make Cabinet Office aware where the data is available. This activity will be carried out only once.
- Cabinet Office will access Egress, move the file into a Cabinet Office-only permissioned area and conduct analysis alongside other data sets, obtained via other legal gateways or via MOUs, to identify suspected fraud networks.
- Results of this analysis (which still constitute HMRC data) will be shared with the BBL counter fraud analytics programme working group and oversight board for decisions on next steps. HMRC will be closely involved in the drafting of the outputs.
Please note the following steps are the additional steps as a result of this variation.
- Cabinet Office will pass information on suspected fraud applications to BEIS, which may include BEIS investigators as outlined in para 6 and 14 above.
- Cabinet Office will prepare risk flags as outlined in para 7 and 13 for sharing with BBB, who will onward share the data with accredited lenders. HMRC data will not be available for onward sharing for purposes other than those for which it was disclosed unless with the consent of HMRC and appropriate legal gateways being in place.
- Cabinet Office will produce interim reports based on those initial findings and suspected fraud to the DEA review board.
1.5 Data Retention
It is anticipated the data sharing agreement with BEIS, Cabinet Office and HMRC will last a period of no more than 24 months (subject to confirmation) from the date the data is sent from HMRC to Cabinet Office.
HMRC will destroy BEIS BBL data and their own data files used to conduct the matching once:
- HMRC has conducted the matching
- results have been returned to Cabinet Office
- Cabinet Office can confirm receipt of the data
- anomalies in the data have been resolved
Cabinet Office will destroy BEIS and HMRC data and their own files used to conduct the matching at the end of the 24-month period.
1.6 Data processor and data owner
HMRC is the data controller when the data is within its estate. Cabinet Office will act as a data processor on behalf of BEIS and HMRC. BEIS will act as data controller when the data is within its estate. This is using definitions as set out in the Data Protection Act 2018. BBB and accredited lenders are independent data controllers.
1.7 Freedom of information and subject access requests
All parties, who are deemed to be public authorities, are subject to the requirements of the Freedom of Information Act 2000, and will assist and cooperate with each other, to enable each to comply with its information disclosure obligations.
Where a freedom of information request is received by either party to this agreement, which relates to data that has been provided by other parties, the party receiving the request will notify the other relevant parties to allow them the opportunity to make representation on the potential impact of disclosure.
BEIS’ FOI team mailbox is: [email protected]
HMRC’s FOI team mailbox is: [email protected]
Additionally, individuals can request access to their data. The following are the email contacts for individuals to contact the relevant organisation:
BEIS [email protected]
1.8 Costs
HMRC will recharge BEIS for the time taken to provide the data and the governance documents for Cabinet Office to have the relevant data to assist in this project.
BEIS has confirmed that it has funds available for costs incurred by HMRC for this data share.
1.9 Disputes
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
[footnote 1] BEIS existed until 2023 when it was split to form the Department for Business and Trade (DBT), the Department for Energy Security and Net Zero (DESNZ) and the Department for Science, Innovation and Technology (DSIT).