Data Usage Agreement: Student Awards Agency Scotland fraud pilot with HMRC
Published 30 April 2024
This Data Usage Agreement (DUA) between HMRC and Student Awards Agency Scotland (SAAS) was agreed and put in place in 2022.
1. Disclosure of information by HMRC to SAAS to combat fraud against the public sector
DUA reference: RIS_DUA_2022_004
1.1 Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) is required prior to the exchange proceeding.
HMRC DPIA reference number: 9882
Date of DPIA: 2 November 2022
1.2 Legal basis
HMRC disclose this information to the SAAS under section 56 of the Digital Economy Act (DEA) 2017, disclosure of information to combat fraud against the public sector.
Also relevant are The Digital Government (Scottish Bodies) Regulations 2022. These regulations relate to the disclosure of information in relation to fraud against the public sector, pursuant to sections 56 of the DEA.
The lawful basis for processing is article 6(1)(e) of General Data Protection Regulation (GDPR), as the processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority.
1.3 Purpose
This is a pilot to detect the level of fraud in income assessed funding applications in order to try and prevent fraud.
This pilot will run for 6 months from November 2022 to detect the level of fraud in income assessed funding applications. This will allow SAAS to verify a students’ entitlement to funding and to confirm that students have been awarded the correct amount of funding for this session.
SAAS is an executive agency of the Scottish Government and therefore exercises the functions of the Scottish Ministers. It has responsibility for administering higher education student funding under the Student Support (Scotland) Regulations 2022.
SAAS assess and provide financial support to students applying for an eligible higher education course, who meet residency and household income eligibility criteria. At the point of application, all students are required to provide information relating to themselves and any declared relevant sponsors including their full name, date of birth, address, postcode, and National Insurance number. The annual relevant income received by the applicant and any declared sponsors is also captured:
- where a student applies for an independent bursary, they will also provide personal and income details for their partner
- where a student applies for a young person’s bursary, they will also provide personal and income details of their sponsor (parent or guardian)
Student and sponsor data would be matched to HMRC data to:
- confirm the associated address of the applicant and declared partner, parents or guardians (sponsors) in the data and confirm income (Pay As You Earn (PAYE) and Self Assessment)
- for certain applications indicate by a yes or no flag if there are additional occupants within the address at the point of application and whether those persons have an income
SAAS will use this data to validate the information submitted by the applicant and identify potential instances of fraud. If suspected fraud is identified, SAAS will complete internal checks prior to contacting any student or sponsors for clarification. If there is no co-operation, SAAS may proceed to re-assess the student’s eligibility or conduct a fraud investigation, this will be on a case-by-case basis dependent on available evidence.
1.4 Benefits of the exchange
HMRC considers that the disclosure of information to SAAS is necessary and proportionate to assist SAAS in their role of processing funding applications and identifying any potential fraud.
The potential SAAS benefits for this exchange are as follows:
- early identification and prevention of fraud
- minimising financial loss and reduced pressure on budgets
- reduced fraud rate and improved protection of public funds
- fairer process for students using early intervention to prevent future overpayments
- efficiency - reduced and less intrusive fraud investigations
- transparency - information relating to SAAS Counter Fraud team, their responsibilities and who they share data with can be found on the SAAS website within the Fraud Protection section, students are also informed of this by letter; students knowing SAAS have access to HMRC data will hopefully encourage fraud deterrence
There are no direct benefits to HMRC for this data share other than to assist SAAS with this pilot.
1.5 Data security
HMRC and SAAS agree to:
- move, process and destroy data securely, in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information
- to store the data in a secure location where only the teams handling the data can access it
- only use it for the purposes that it has been disclosed for and ensure that only those with a genuine business need to see the information will have access to it
- only keep it for the time it is needed, and then destroy it securely
- not onwardly disclose that information without the prior authorisation of HMRC
- comply with the requirements in the Security Policy Framework, and be prepared for and respond to security incidents and to report any data losses, wrongful disclosures or breaches of security relating to information - for SAAS: [email protected]
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
- mark information assets with the appropriate security classification and apply the appropriate baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, and in particular as set out in the Annex – Security Controls Framework to the GSC
1.6 Data processor and data controller
HMRC is the data controller and when the data has left HMRC and is received by SAAS, SAAS will be the data controller, using definitions as set out in the Data Protection Act 2018.
1.7 Freedom of Information requests
If a Freedom of Information (FOI) request relating to this information is made to SAAS, their FOI team will engage with HMRC’s FOI team regarding the potential impact of disclosure however any final decision on disclosure of SAAS data will remain with SAAS.
1.8 Records of Processing Activity
HMRC Records of Processing Activity (ROPA) is an inventory of all HMRC’s major processing activities involving personal data and is to be created or revised if setting up or reviewing an exchange.
1.9 Assurance
In accordance with the review and assurance agreed, a Certificate of Review and Assurance (CoRA) must be completed by both departments for the DUA when the data share has completed.
1.10 Costs
HMRC Risk and Intelligence Service (RIS) Government Data Exchange team (GovDET) will recharge SAAS for the time taken to provide the data for this data share.
1.11 Procedure
This is a one-off pilot data matching exercise.
The data share will be using SAAS data from the current academic session 2022 to 2023 that is taken from full-time undergraduate, part-time fee grant and supplementary grant applications where there is an element of income assessed funding.
All applications received up until 31 July 2022 that fit these criteria will be analysed.
Due to the nature of the application process and the annual increase in applications, it is difficult to specify the exact the number of students involved, however it is estimated to be around 55,000.
Data matching is carried out in accordance with the agreed RIS team Quality Assurance Standards Framework and only the most up to date information available to HMRC will be shared with SAAS.
A dataset of approximately 55,000 individuals will be transferred from SAAS via Secure Data Exchange Service (SDES) to HMRC RIS GovDET using a Microsoft Excel spreadsheet. This will be split into 2 files to cover the independent bursary applications and the young student bursary applications.
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
Using Connect, HMRC RIS GovDET will match the full dataset from SAAS.
Students will be matched on name, date of birth, National Insurance number and address.
Where HMRC cannot match the student or verify the student lives at the provided address, no data will be returned for that application.
Where HMRC have matched the student, they will then match the partners or sponsors on name, National Insurance number and address. Where HMRC cannot match the partner or sponsors or verify they live at the provided address, no data will be returned for that application (sponsor or applicant).
In instances where two sponsors are provided, they will both need to match and have their address verified for either of them to be returned.
Where the student and partner or sponsors have matched and been verified at the supplied address, HMRC will look to provide a yes or no indicator where there is additional occupant information for the following:
- additional occupants – (yes or no) – flag whether other people between 25 and 65 years old are living at the property
- additional occupants with income – (yes or no) – of those how many of them have an income
- house in multiple occupancy (HMO) – (yes or no) – are there 6 or more people with 3 or more surnames living at the property
There are parameters in place where the following data is excluded:
- excluding income at address for earners who are under the age of 25
- excluding income at address for earners who are over the age of 65
1.12 Data specification - for independent bursary
Where an application is received for an independent bursary, SAAS will provide the following data for the students, and their partner (where provided):
- student reference number
- student full name
- student date of birth
- student National Insurance number (where available)
- full address and postcode
- funding start date
- partner full name and title
- partner National Insurance number
- partner income declared
HMRC will return the following data for the students, and their partner (where provided):
- student reference number
- student full name
- student date of birth
- student National Insurance number
- full address and postcode
- partner full name
- partner National Insurance number
HMRC will also provide the following data for the students, and their partner (where available):
- partner income declared
- employment income (funding year -1)
- occupational pension (funding year -1) - yes or no
- relevant Self Assessment income (funding year -1)
- Self Assessment self-employed income (funding year -1) - yes or no
- Self Assessment property income (funding year -1) - yes or no
- Self Assessment foreign income (funding year -1) - yes or no
- employment income (funding year -2)
- occupational pension (funding year -2) - yes or no
- relevant Self Assessment income (funding year -2)
- Self Assessment self-employed income (funding year -2)
- Self Assessment property income (funding year -2) - yes or no
- Self Assessment foreign income (funding year -2) - yes or no
- additional occupants - yes or no
- additional occupants with income - yes or no
- house in multiple occupation (HMO) - yes or no
1.13 Data specification - for young student bursary
Where an application is received for a young student bursary, SAAS will provide the following data for the student, and their sponsor (parent or guardian):
- student reference number
- student full name and title
- student date of birth
- student National Insurance number (where available)
- full address and postcode
- sponsor 1 full name
- sponsor 1 National Insurance number
- sponsor 1 income declared
- sponsor 2 full name and title
- sponsor 2 National Insurance number
- sponsor 2 income declared
Where an application is received for a young student bursary, HMRC will return the following data for the student, and their sponsor (parents, stepparents, legal guardians, parents’ partners or civil partners):
- student reference number
- student full name
- student date of birth
- student National Insurance number
- full address and postcode
- sponsor 1 full name
- sponsor 1 National Insurance number
HMRC will also provide the following data for the student, and their sponsor (parents, stepparents, legal guardians, parents partners or civil partners):
- sponsor 1 income declared
- sponsor 1 employment income (funding year -1)
- sponsor 1 occupational pension (funding year -1) - yes or no
- sponsor 1 relevant Self Assessment income (funding year -1)
- sponsor 1 Self Assessment self-employed income (funding year -1) - yes or no
- sponsor 1 Self Assessment property income (funding year -1) - yes or no
- sponsor 1 Self Assessment foreign income (funding year -1) - yes or no
- sponsor 1 employment income (funding year -2)
- sponsor 1 occupational pension (funding year -2) - yes or no
- sponsor 1 relevant Self Assessment income (funding year -2)
- sponsor 1 Self Assessment self-employed income (funding year -2) - yes or no
- sponsor 1 Self Assessment property income (funding year -2) - yes or no
- sponsor 1 Self Assessment foreign income (funding year -2) - yes or no
- sponsor 2 full name
- sponsor 2 National Insurance number
- sponsor 2 income declared
- sponsor 2 employment income (funding year -1)
- sponsor 2 occupational pension (funding year -1) - yes or no
- sponsor 2 income declared
- sponsor 2 employment income (funding year -1) - yes or no
- sponsor 2 occupational pension (funding year -1) - yes or no
- sponsor 2 relevant Self Assessment income (funding year -1) - yes or no
- sponsor 2 Self Assessment self-employed income (funding year -1) - yes or no
- sponsor 2 Self Assessment property income (funding year -1) - yes or no
- sponsor 2 Self Assessment foreign income (funding year -1) - yes or no
- sponsor 2 employment income (funding year -2)
- sponsor 2 occupational pension (funding year -2) - yes or no
- sponsor 2 relevant Self Assessment income (funding year -2)
- sponsor 2 Self Assessment self-employed income (funding year -2) - yes or no
- sponsor 2 Self Assessment property income (funding year -2) - yes or no
- sponsor 2 Self Assessment foreign income (funding year -2) - yes or no
- sponsor 2 relevant Self Assessment income (funding year -1)
- sponsor 2 Self Assessment self-employment income (funding year -1) - yes or no
- sponsor 2 Self Assessment property income (funding year -1) - yes or no
- sponsor 2 Self Assessment foreign income (funding year -1) - yes or no
- sponsor 2 employment income (funding year -2)
- sponsor 2 occupational pension (funding year -2) - yes or no
- sponsor 2 relevant Self Assessment income (funding year -2)
- sponsor 2 Self Assessment self-employed income (funding year -2) - yes or no
- sponsor 2 Self Assessment property income (funding year -2) - yes or no
- sponsor 2 Self Assessment foreign income (funding year -2) - yes or no
- additional occupants - yes or no
- additional occupants with income - yes or no
- house of multiple occupancy (HMO) - yes or no
1.14 Data retention and storage
HMRC
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
Auto reminders in outlook are set by the GovDET analyst to delete the data as required after delivery.
As an added level of assurance, the data deletion is also recorded on a RIS GovDET GDPR tracker document which is an Excel tool outlining all data sharing and what date the data is deleted. This is reviewed on a monthly basis by the Grade 7 RIS GovDET lead and checks are undertaken that data is deleted on time. In the event of an analyst being absent, the Grade 7 will arrange for the deletion of the data.
SAAS
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
The data will be deleted when results have been analysed. This will be 6 months from the data being disclosed to HMRC or earlier if the initial report has been drafted and submitted to the DEA Review Board. SAAS will inform HMRC once the data has been deleted.
1.15 Disputes
This content has been withheld because of exemptions in the Freedom of Information Act 2000.
1.16 Signatures
This content has been withheld because of exemptions in the Freedom of Information Act 2000.