On 23 March 2015 the Home Office published its snappily-titled Code of practice for public authorities disclosing information to a specified anti-fraud organisation under sections 68 to 72 of the Serious Crime Act 2007 (the Code).
Under section 71(1) of the Serious Crime Act 2007 (SCA) the Secretary of State must prepare and keep under review a Code of Practice on the disclosure of information by public authorities for the purposes of fraud prevention. The purpose of the Code is to ensure, in combination with data protection legislation, that data is shared in a way that is necessary and proportionate, and that disclosure takes place within a framework that properly protects individuals' rights and the security of the data. The Code is supported by the Information Commissioner, who urges public authorities to read it alongside the guidance issued by his office on data sharing, in particular the Data Sharing Code of Practice, published in 2011 (the ICO Code).
The Code applies to any "public authority" within the meaning of section 6 of the Human Rights Act 1998; namely, a court or tribunal and "any person certain of whose functions are functions of a public nature." The Code will certainly apply to local authorities, registered providers of social housing, and NHS bodies.
What does the Code require?
Public authorities must have regard to the Code when disclosing information for the purposes of fraud prevention, either as a member of a "specified anti-fraud organisation" (SAFO) or in accordance with arrangements made by such an organisation. There are currently 11 SAFOs designated by Order. They are:
Most public authorities will not be members of a SAFO but may disclose information to them in the course of investigating fraud, or possibly as a matter of routine when processing, for example, applications for housing, benefits, services or employment. In addition, some public authorities will have common law or statutory powers to disclose information. The Code applies to all such disclosures. The Code does not authorise a disclosure that would otherwise contravene the Data Protection Act (DPA) and public authorities must in all circumstances ensure that any disclosure is lawful and fair under the DPA.
The Code requires public authorities to satisfy themselves that the practices and procedures under which they disclose data are fair and transparent before any data is shared. The Code strongly advocates the use of fair processing notices to the individuals whose personal data the authority will or may share. The ICO recommends the use of "layered" notices involving a relatively simple first explanation (for example a standard sentence on an application form) backed up by a more detailed explanation, possibly via a link to a website or contact details for a named data protection officer. Examples of layered fair processing notices are provided in an Appendix to the Code.
The Code requires that disclosure to a SAFO is made in accordance with a written information sharing document that should be agreed in advance with the SAFO. The agreement should specify agreed arrangements for, among other things, fair processing, data minimisation, data use and retention, the rights of data subjects, and data security. The Code states that written agreements should specify a maximum period for which information shared under the agreement will be held, and should set out agreed standards governing the transmission of data to and from SAFOs.
Individuals whose data is shared for the purposes of fraud prevention will have a right of access to that data under the DPA or Freedom of Information Act. In some cases it will be appropriate to refuse disclosure under section 29 of the DPA (exemption from disclosure of data processed for tax purposes or the prevention or detection of crime). However, the Code makes it clear that this must be decided on a case-by-case basis and the exemption should only be applied where disclosure is likely to prejudice the processing of the data.
Public authorities should, in consultation with SAFOs, undertake periodic reviews to ensure that their data sharing agreements comply with the Code, the DPA, and the ICO's code on data sharing. Public authorities are able to enter into pilot data sharing exercises with SAFOs but all such pilots must comply with the DPA. The Home Office will periodically review arrangements between public authorities and SAFOs to ensure their compliance with the Code. In some instances, public authorities are also required to grant access to the ICO to ensure compliance with the DPA generally.
Public authorities should:
Bevan Brittan's Information Law team regularly advise public authorities in relation to both one-off disclosures of personal data and more extensive data sharing projects.