On 23 March 2015 the Home Office published its snappily-titled Code of practice for public authorities disclosing information to a specified anti-fraud organisation under sections 68 to 72 of the Serious Crime Act 2007 (the Code).
Background and context
Under section 71(1) of the Serious Crime Act 2007 (SCA) the Secretary of State must prepare and keep under review a Code of Practice on the disclosure of information by public authorities for the purposes of fraud prevention. The purpose of the Code is to ensure, together with data protection legislation, that data is shared only where it is necessary and proportionate to do so, and that disclosure takes place within a framework that properly protects individuals' rights and the security of the data. The Code is supported by the Information Commissioner, who urges public authorities to read it alongside the guidance issued by his office on data sharing, in particular the Data Sharing Code of Practice published in 2011 (the ICO Code).
Who does the Code apply to?
The Code applies to any "public authority" within the meaning of section 6 of the Human Rights Act 1998; namely, a court or tribunal and "any person certain of whose functions are functions of a public nature." The Code will certainly apply to local authorities, registered providers of social housing, and NHS bodies.
What does the Code require?
Public authorities must have regard to the Code when disclosing information for the purposes of fraud prevention, either as a member of a "specified anti-fraud organisation" (SAFO) or in accordance with arrangements made by such an organisation. There are currently 11 SAFOs designated by Order, including:
- BAE Systems Applied Intelligence Limited
- Callcredit Information Group Limited
- Dun and Bradstreet Limited
- Equifax Limited
- Experian Limited
- Insurance Fraud Bureau
- Insurance Fraud Investigators Group
- N Hunter Limited
- Synectics Solutions Limited
- Telecommunications United Kingdom Fraud Forum Limited
Most public authorities will not be members of a SAFO but may disclose information to them in the course of investigating fraud, or possibly as a matter of routine when processing, for example, applications for housing, benefits, services or employment. In addition, some public authorities will have common law or statutory powers to disclose information. The Code applies to all such disclosures. The Code does not authorise a disclosure that would otherwise contravene the Data Protection Act (DPA) and public authorities must in all circumstances ensure that any disclosure is lawful and fair under the DPA.
The Code requires public authorities to satisfy themselves that the practices and procedures under which they disclose data are fair and transparent before any data is shared. The Code strongly advocates the use of fair processing notices to the individuals whose personal data the authority will or may share. The ICO recommends the use of "layered" notices involving a relatively simple first explanation (for example a standard sentence on an application form) backed up by a more detailed explanation, possibly via a link to a website or contact details for a named data protection officer. Examples of layered fair processing notices are provided in an Appendix to the Code.
The Code requires that disclosure to a SAFO is made in accordance with a written information sharing document that should be agreed in advance with the SAFO. The agreement should specify agreed arrangements for, among other things, fair processing, data minimisation, data use and retention, the rights of data subjects, and data security. The Code states that written agreements should specify a maximum period for which information shared under the agreement will be held, and should set out agreed standards governing the transmission of data to and from SAFOs.
Individuals whose data is shared for the purposes of fraud prevention will have a right of access to that data under the DPA (a request for one's own personal data made under the Freedom of Information Act is handled as a subject access request under the DPA). In some cases it will be appropriate to refuse disclosure under section 29 of the DPA (the exemption for personal data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of tax). However, the Code makes it clear that this must be decided on a case by case basis and the exemption should only be applied where giving access would be likely to prejudice those purposes.
Review and compliance
Public authorities should, in consultation with SAFOs, undertake periodic reviews to ensure that their data sharing agreements comply with the Code, the DPA, and the ICO's code on data sharing. Public authorities are able to enter into pilot data sharing exercises with SAFOs but all such pilots must comply with the DPA. The Home Office will periodically review arrangements between public authorities and SAFOs to ensure their compliance with the Code. In some instances, public authorities are also required to grant access to the ICO to ensure compliance with the DPA generally.
What does this mean for public authorities?
Public authorities should:
- Prepare (or review) an agreed information sharing document with each SAFO to whom they may disclose information, to ensure that it complies with the DPA, the Code, and the ICO Code;
- Ensure that there is someone in the organisation with specific responsibility for data protection issues;
- Ensure that there are members of staff who are nominated to handle subject access requests, enquiries, and complaints from data subjects;
- Periodically review and "quality-assure" data that could be shared;
- Ensure that sufficient technical and organisational measures are in place to assure the security of personal data, and that these measures are set out in all data sharing agreements. Such measures could include:
- Establishing role-based access to personal data;
- Providing specialised training for persons with access to sensitive personal data;
- Implementing appropriate controls on access to information, such as firewalls, computer passwords, or secure premises;
- Undertaking periodic audits of security arrangements;
- Having procedures in place to contain and limit the damage that a security breach can cause;
- Carrying out risk assessments and having procedures in place to investigate security breaches.
Bevan Brittan's Information Law team regularly advise public authorities in relation to both one-off disclosures of personal data and more extensive data sharing projects.