Select Committee on Home Affairs Written Evidence


Memorandum submitted by the Audit Commission

  The Audit Commission is an independent body responsible for ensuring that public money is spent economically, efficiently and effectively, to achieve high-quality local services for the public. Our remit covers around 11,000 bodies in England, which between them spend more than £180 billion of public money each year. Our work covers local government, health, housing, community safety and fire and rescue services.

  As an independent watchdog, we provide important information on the quality of public services. As a driving force for improvement in those services, we provide practical recommendations and spread best practice. As an independent auditor, we ensure that public services are good value for money and that public money is properly spent.


  1.  The Audit Commission welcomes the Home Affairs Committee's focus on data sharing and is pleased to submit evidence to its inquiry on "A Surveillance Society?"

  2.  This submission contains information about the scope of the Commission's National Fraud Initiative (NFI) as it currently stands and an indication of how it could be extended by the Serious Crime Bill currently before Parliament. After a brief introduction and a section about the development of the NFI, the submission is structured around four of the headings set out in the Committee's announcement of the inquiry: access by public agencies to private databases; data sharing between government departments and agencies; safeguards for data use; and profiling.

  3.  The Commission's NFI is a data matching exercise carried out every two years as part of the statutory audit of local authorities and NHS bodies. The NFI matches datasets including the audited body's payroll, student awards and loans, housing benefits, housing rents, the blue badge parking scheme for the disabled and single person council tax discounts to identify possible anomalies that could indicate fraud or erroneous overpayment.


  4.  The UK economy faces an increasing challenge from fraudsters. Recent estimates in a report commissioned by the Association of Chief Police Officers, The Nature, Extent and Economic Impact of Fraud in the UK, place annual losses from fraud at £13.9 billion. These losses range from low value claimant fraud to high value, orchestrated and sometimes international fraud on all sectors of the economy.

  5.  The volume of cases and the scale of the more complex frauds require the use of technical solutions, and data sharing and matching are at the forefront of these.

  6.  The Commission's NFI is a data matching exercise carried out every two years as part of the statutory audit of local authorities and NHS bodies. The NFI has resulted in the detection of more than £300 million of fraud and overpayments since it began in 1998, and this figure is likely to exceed £500 million by the close of the current 2006-07 NFI exercise in May 2008. The Commission is a world leader in the use of data matching techniques, and we believe that such methods are invaluable in protecting the public purse.

  7.  The success of the NFI can be measured in part by the range of risk areas now being reported to the Commission for inclusion in the NFI. These range from abuse of occupational pension schemes and state benefits to procurement fraud. Where any of these areas emerge successfully from pilot exercises, they may be included in the NFI portfolio.


Development of the NFI

  8.  The NFI is currently conducted as an audit exercise under the Audit Commission Act 1998 ("the Act"). Auditors must, among other tasks, satisfy themselves that bodies subject to audit, such as local government and NHS trusts, have put in place arrangements to secure the economic, efficient and effective use of their resources. In addition, auditors must comply with the Code of Audit Practice approved by Parliament under section 4 of the Act. Auditors' duties include identifying illegal items of account; identifying risks relating to the use of resources by audited bodies; and providing reasonable assurance that financial statements are free from material mis-statement, whether caused by fraud or other irregularities. Data-matching assists in identifying where such anomalies may have arisen, for further investigation by both the auditor and the audited body.

  9.  Auditors have powers under section 6 of the Act to obtain information that relates to a body subject to audit, where this is necessary for the purposes of undertaking the audit. This is the mechanism by which the auditor is able to obtain the data sets that are used in the NFI.

  10.  At the outset of the NFI in 1998, the data shared and processed by the Commission came almost exclusively from the audited bodies themselves, and the results from the data matches were returned to those participants. We used datasets including the audited body's payroll, student awards and loans, housing benefits and housing rents, and matched them to identify possible anomalies that could indicate fraud or erroneous overpayment. This included, for example, council tenants who had more than one council property and benefit claimants who had failed to declare their income from other sources.

  11.  Since 2000, we have added new datasets to address a number of emerging risks faced by audited bodies, such as abuse of the blue badge parking scheme for the disabled and single person council tax discount fraud. We have also introduced data from the Home Office and the Foreign and Commonwealth Office that detects employees of audited bodies who are not entitled to work in the UK and benefit claimants who are not entitled to claim public funds. These matches help local authorities to detect housing and council tax benefit fraud and to identify employees who have no right to live or work in the UK.

  12.  The Serious Crime Bill (currently at Report stage in the House of Lords) contains provisions that could place the NFI on a broader statutory footing, so that it will no longer be conducted simply as an audit exercise. Rather, the Commission itself will have powers to undertake data matching for the purposes of preventing and detecting fraud, so that both public and private sector bodies can participate in the benefits of this exercise more generally. The Commission will decide which data sets should be matched on the basis of its knowledge and experience of where fraud is likely to be either serious or prevalent, informed by pilot exercises where appropriate.


  13.  Under the Act as it currently stands, the NFI is restricted to collecting and matching data that "relates to bodies subject to audit". This therefore excludes a large amount of data that is held by both public and private sector bodies.

  14.  However, Clause 65 Schedule 6 of the Serious Crime Bill provides a statutory gateway that will allow both private and public sector[76] bodies to contribute data voluntarily to the Commission for the purposes of data matching. Such data can only be provided if the Commission believes it to be appropriate for the purposes of preventing and detecting fraud, and bodies will not be able to share patient data voluntarily under this provision. All data matching must comply with the Data Protection Act 1998 and the Regulation of Investigatory Powers Act 2000. This power will be enabling; private and public sector bodies will be under no obligation to provide this information to the Commission.


  15.  The Serious Crime Bill provisions for the NFI would enable government departments and agencies to use the NFI as a conduit for data sharing to address local and national fraud risks in a controlled, secure and well regulated environment. Clause 65 Schedule 6 of the Bill provides that bodies subject to the Commission's audit and inspection regime must provide their data to the Commission for data-matching. Other public bodies can do so on a voluntary basis (as outlined above).


  16.  The Commission has adopted a range of methods to ensure that the data matching process is managed at all times in a way that is proportionate and secure, and that data subjects are advised of the use of their data. The principal methods include:

    —    distributing a Code of Data Matching Practice governing all aspects of NFI data matching to all participating bodies and making it available on the Commission's website. This Code reflects the core underlying principle that personal data will only be obtained and processed in accordance with the Data Protection Act 1998. Clause 65 Schedule 6 of the Serious Crime Bill could place a statutory duty on the Commission to produce a Code of Data Matching Practice, and for all those who are participating in data matching exercises to have regard to the Code. The Commission could be required to consult with all its audited and inspected bodies and any other body it considers appropriate; this would always include the Information Commissioner, who has written the foreword to the current Code;

    —    extracting from each dataset only the minimum fields required for effective fraud detection. Handbooks with data specifications can be found at;

    —    requiring participating bodies to notify data subjects about the inclusion of their data in NFI;

    —    making no assumptions as to whether or not an individual has been involved in fraudulent activities. Instead, anomalies that are detected as a result of data-matching are referred back to the relevant participating body for further investigation, and clear guidance is given to the relevant bodies and their auditors that they should treat all matches as anomalies to be checked, rather than being proof that fraud has occurred;

    —    holding data under strict security and destroying and rendering it irrecoverable at the end of each exercise;

    —    releasing data matches through a secure website, access to which is carefully monitored;

    —    ensuring that each participating body can only access its own matches and that investigators have their access restricted to those match types for which they are responsible;

    —    piloting new datasets and risk areas prior to their inclusion in NFI, and only including them if warranted by the value or number of frauds they detect;

    —    monitoring the results of investigations to ensure that any data no longer considered essential to fraud detection is left out of future data submissions; and

    —    keeping site security at our data centre permanently under review.

  17.  It is the Commission's intention that these principles will continue to apply to the new provisions under the Serious Crime Bill if they come into effect. We believe that they provide an appropriate balance between restricting intrusion into the privacy of citizens and protecting the public purse against fraud. There will also be additional protections under the new provisions. These include tight restrictions on the circumstances in which data can be disclosed, and tough criminal sanctions for disclosure in breach of these requirements.

  18.  There will also be specific restrictions on the use of patient data within NFI, which will be limited to uncovering fraud within the NHS only, and it will not be permissible to disclose any further than necessary for that purpose. In fact, clinical patient data is not used within the NFI because it is not relevant to fraud.


  19.  While the NFI concentrates primarily on data matching to detect fraud, there are instances where data mining (a search across multiple datasets for patterns that might suggest organised fraud) is also effective, particularly where patterns of abuse may emerge over a large number of participating bodies. However, this technique is employed exclusively to detect existing, rather than predict future, fraud. The Commission does not intend to profile individuals according to their behaviour and characteristics in order to predict their future likelihood or propensity to commit offences. The use of mining techniques to profile fraudsters and thereby predict future fraudulent behaviour is controversial, unproven and not considered appropriate to the NFI.

April 2007

76   Excluding those bodies that are within the Commission's audit and inspection regime; with the exception of registered social landlords, these bodies will be under a mandatory duty to participate in NFI.


© Parliamentary copyright 2008
Prepared 8 June 2008