APPENDIX 6
Memorandum submitted by the Audit Commission
The Audit Commission is an independent body
responsible for ensuring that public money is spent economically,
efficiently and effectively, to achieve high-quality local services
for the public. Our remit covers around 11,000 bodies in England,
which between them spend more than £180 billion of public
money each year. Our work covers local government, health, housing,
community safety and fire and rescue services.
As an independent watchdog, we provide important
information on the quality of public services. As a driving force
for improvement in those services, we provide practical recommendations
and spread best practice. As an independent auditor, we ensure
that public services are good value for money and that public
money is properly spent.
EXECUTIVE SUMMARY
1. The Audit Commission welcomes the Home
Affairs Committee's focus on data sharing and is pleased to submit
evidence to its inquiry on "A Surveillance Society?"
2. This submission contains information
about the scope of the Commission's National Fraud Initiative
(NFI) as it currently stands and an indication of how it could
be extended by the Serious Crime Bill currently before Parliament.
After a brief introduction and a section about the development
of the NFI, the submission is structured around four of the headings
set out in the Committee's announcement of the inquiry: access
by public agencies to private databases; data sharing between
government departments and agencies; safeguards for data use;
and profiling.
3. The Commission's NFI is a data matching
exercise carried out every two years as part of the statutory
audit of local authorities and NHS bodies. The NFI matches datasets
including the audited body's payroll, student awards and loans,
housing benefits, housing rents, the blue badge parking scheme
for the disabled and single person council tax discounts to identify
possible anomalies that could indicate fraud or erroneous overpayment.
INTRODUCTION
4. The UK economy faces an increasing challenge
from fraudsters. Recent estimates in a report commissioned by
the Association of Chief Police Officers, The Nature, Extent
and Economic Impact of Fraud in the UK, place annual losses
from fraud at £13.9 billion. These losses range from low
value claimant fraud to high value, orchestrated and sometimes
international fraud on all sectors of the economy.
5. The volume of cases and the scale of
the more complex frauds require the use of technical solutions,
and data sharing and matching are at the forefront of these.
6. The Commission's NFI is a data matching
exercise carried out every two years as part of the statutory
audit of local authorities and NHS bodies. The NFI has resulted
in the detection of more than £300 million of fraud and overpayments
since it began in 1998, and this figure is likely to exceed £500
million by the close of the current 2006-07 NFI exercise in May
2008. The Commission is a world leader in the use of data matching
techniques, and we believe that such methods are invaluable in
protecting the public purse.
7. The success of the NFI can be measured
in part by the range of risk areas now being reported to the Commission
for inclusion in the NFI. These range from abuse of occupational
pension schemes and state benefits to procurement fraud. Where
any of these areas emerge successfully from pilot exercises, they
may be included in the NFI portfolio.
DETAILED RESPONSE
Development of the NFI
8. The NFI is currently conducted as an
audit exercise under the Audit Commission Act 1998 ("the
Act"). Auditors must, among other tasks, satisfy themselves
that bodies subject to audit, such as local government and NHS
trusts, have put in place arrangements to secure the economic,
efficient and effective use of their resources. In addition, auditors
must comply with the Code of Audit Practice approved by
Parliament under section 4 of the Act (http://www.audit-commission.gov.uk/reports/NATIONALREPORT.asp?CategoryID=&ProdID=CD9EFFCE-FD24-43fc-B54E-4C6E1BCC2ED4). Auditors'
duties include identifying illegal items of account; identifying
risks relating to the use of resources by audited bodies; and
providing reasonable assurance that financial statements are free
from material mis-statement, whether caused by fraud or other
irregularities. Data-matching assists in identifying where such
anomalies may have arisen, for further investigation by both the
auditor and the audited body.
9. Auditors have powers under section 6
of the Act to obtain information that relates to a body subject
to audit, where this is necessary for the purposes of undertaking
the audit. This is the mechanism by which the auditor is able
to obtain the data sets that are used in the NFI.
10. At the outset of the NFI in 1998, the
data shared and processed by the Commission came almost exclusively
from the audited bodies themselves, and the results from the data
matches were returned to those participants. We used datasets
including the audited body's payroll, student awards and loans,
housing benefits and housing rents, and matched them to identify
possible anomalies that could indicate fraud or erroneous overpayment.
This included, for example, council tenants who had more than
one council property and benefit claimants who had failed to declare
their income from other sources.
11. Since 2000, we have added new datasets
to address a number of emerging risks faced by audited bodies,
such as abuse of the blue badge parking scheme for the disabled
and single person council tax discount fraud. We have also introduced
data from the Home Office and the Foreign and Commonwealth Office
that detects employees of audited bodies who are not entitled
to work in the UK and benefit claimants who are not entitled to
claim public funds. These matches help local authorities to detect
housing and council tax benefit fraud and to identify employees
who have no right to live or work in the UK.
12. The Serious Crime Bill (currently at
Report stage in the House of Lords) contains provisions that could
place the NFI on a broader statutory footing, so that it will
no longer be conducted simply as an audit exercise. Rather, the
Commission itself will have powers to undertake data matching
for the purposes of preventing and detecting fraud, so that both
public and private sector bodies can participate in the benefits
of this exercise more generally. The Commission will decide which
data sets should be matched on the basis of its knowledge and
experience of where fraud is likely to be either serious or prevalent,
informed by pilot exercises where appropriate.
ACCESS BY PUBLIC AGENCIES TO PRIVATE DATABASES
13. Under the Act as it currently stands,
the NFI is restricted to collecting and matching data that "relates
to bodies subject to audit". This therefore excludes a large
amount of data that is held by both public and private sector
bodies.
14. However, Clause 65 Schedule 6 of the
Serious Crime Bill provides a statutory gateway that will allow
both private and public sector[76]
bodies to contribute data voluntarily to the Commission for the
purposes of data matching. Such data can only be provided if the
Commission believes it to be appropriate for the purposes of preventing
and detecting fraud, and bodies will not be able to share patient
data voluntarily under this provision. All data matching must
comply with the Data Protection Act 1998 and the Regulation of
Investigatory Powers Act 2000. This power will be enabling; private
and public sector bodies will be under no obligation to provide
this information to the Commission.
DATA SHARING BETWEEN GOVERNMENT DEPARTMENTS AND AGENCIES
15. The Serious Crime Bill provisions for
the NFI would enable government departments and agencies to use
the NFI as a conduit for data sharing to address local and national
fraud risks in a controlled, secure and well regulated environment.
Clause 65 Schedule 6 of the Bill provides that bodies subject
to the Commission's audit and inspection regime must provide their
data to the Commission for data-matching. Other public bodies
can do so on a voluntary basis (as outlined above).
SAFEGUARDS FOR DATA USE
16. The Commission has adopted a range of
methods to ensure that the data matching process is managed at
all times in a way that is proportionate and secure, and that
data subjects are advised of the use of their data. The principal
methods include:
- distributing a Code of Data Matching Practice governing all aspects of NFI data matching to all participating bodies and making it available on the Commission's website at http://www.audit-commission.gov.uk/nfi/codeofdmp. This Code reflects the core underlying principle that personal data will only be obtained and processed in accordance with the Data Protection Act 1998. Clause 65 Schedule 6 of the Serious Crime Bill could place a statutory duty on the Commission to produce a Code of Data Matching Practice, and for all those who are participating in data matching exercises to have regard to the Code. The Commission could be required to consult with all its audited and inspected bodies and any other body it considers appropriate; this would always include the Information Commissioner, who has written the foreword to the current Code;
- extracting from each dataset only the minimum fields required for effective fraud detection. Handbooks with data specifications can be found at http://www.audit-commission.gov.uk/nfi/handbooks.asp;
- requiring participating bodies to notify data subjects about the inclusion of their data in NFI;
- making no assumptions as to whether or not an individual has been involved in fraudulent activities. Instead, anomalies that are detected as a result of data-matching are referred back to the relevant participating body for further investigation, and clear guidance is given to the relevant bodies and their auditors that they should treat all matches as anomalies to be checked, rather than being proof that fraud has occurred;
- holding data under strict security and destroying and rendering it irrecoverable at the end of each exercise;
- releasing data matches through a secure website, access to which is carefully monitored;
- ensuring that each participating body can only access its own matches and that investigators have their access restricted to those match types for which they are responsible;
- piloting new datasets and risk areas prior to their inclusion in NFI, and only including them if warranted by the value or number of frauds they detect;
- monitoring the results of investigations to ensure that any data no longer considered essential to fraud detection is left out of future data submissions; and
- keeping site security at our data centre permanently under review.
17. It is the Commission's intention that
these principles will continue to apply to the new provisions
under the Serious Crime Bill if they come into effect. We believe
that they provide an appropriate balance between restricting intrusion
into the privacy of citizens and protecting the public purse against
fraud. There will also be additional protections under the new
provisions. These include tight restrictions on the circumstances
in which data can be disclosed, and tough criminal sanctions for
disclosure in breach of these requirements.
18. There will also be specific restrictions
on the use of patient data within NFI, which will be limited to
uncovering fraud within the NHS only, and it will not be permissible
to disclose any further than necessary for that purpose. In fact,
clinical patient data is not used within the NFI because it is
not relevant to fraud.
PROFILING
19. While the NFI concentrates primarily
on data matching to detect fraud, there are instances where data
mining (a search across multiple datasets for patterns that might
suggest organised fraud) is also effective, particularly where
patterns of abuse may emerge over a large number of participating
bodies. However, this technique is employed exclusively to detect
existing, rather than predict future, fraud. The Commission does
not intend to profile individuals according to their behaviour
and characteristics in order to predict their future likelihood
or propensity to commit offences. The use of mining techniques
to profile fraudsters and thereby predict future fraudulent behaviour
is controversial, unproven and not considered appropriate to the
NFI.
April 2007
76 Excluding those bodies that are within the Commission's
audit and inspection regime; with the exception of registered
social landlords, these bodies will be under a mandatory duty
to participate in NFI.