MoU - HMRC (National Coordination Unit & Witness Statement Unit)

Information Sharing Agreement between the NHS Counter Fraud Authority, NHS Counter Fraud Services (Wales) and HMRC (National Coordination Unit & Witness Statement Unit)

Purpose of the agreement

The purpose of this MoU is to document the arrangements and obligations for the sharing of information between HMRC and NHSCFA (England) and NHSCFS (Wales).

The NHS Counter Fraud Authority (NHSCFA) England is a health authority charged with identifying, investigating, and preventing fraud and other economic crime within NHS England and the wider health group. As a health authority focused entirely on counter fraud work, the NHSCFA is independent from other NHS bodies and directly accountable to the Department of Health and Social Care (DHSC).

NHS Counter Fraud Service (NHSCFS) Wales have a remit to identify and tackle Economic Crime including Fraud, Bribery and Corruption in NHS Wales. NHSCFS Wales provide specialist criminal and financial investigation services to all health bodies in Wales. The NHSCFS Wales team consists of experienced investigators who deal with large scale, complex frauds, and all corruption issues in NHS Wales.

HMRC considers that the disclosure of information to NHSCFA (England) and NHSCFS (Wales) is necessary and proportionate because it will be used:

  • For the purposes of any criminal investigation whatever which is being or may be carried out, whether in the United Kingdom or elsewhere
  • For the purposes of any criminal proceedings whatever which have been or may be initiated, whether in the United Kingdom or elsewhere
  • For the purposes of the initiation or bringing to an end of any such investigation or proceedings; or
  • For the purpose of facilitating a determination of whether any such investigation or proceedings should be initiated or brought to an end.

a) What are the specific aims the participants have for sharing data?

The sharing of HMRC data will support NHSCFA (England) and NHSCFS (Wales) in achieving maximum effectiveness and efficiency in carrying out investigations and criminal proceedings, particularly where there are overlapping responsibilities and interests.

The sharing of HMRC information will help reduce overall fraud and corruption within the NHS, and free up resources for better patient care. It will also help broaden the understanding of fraud risk within the NHS.

NHSCFA (England) and NHSCFS (Wales) will use information supplied by HMRC for the progression of criminal investigations under Anti-Terrorism, Crime and Security Act 2001 (ATCSA) Section 19.

b) Please explain why the data sharing is necessary to achieve those aims

Income and employment information can only be obtained by HMRC. HMRC hold this information, which has been supplied to HMRC by customers, both individuals and companies, as a requirement for mandatory tax compliance. Without HMRC information NHSCFA (England) and NHSCFS (Wales) would be unable to progress their investigation into criminal cases.

c) Please explain the benefits participants hope to bring to individuals or to society more widely including financial savings or improved evidence-based decision making

NHSCFA (England) and NHSCFS (Wales)

Working with our partners helps reduce fraud, recover losses and put money back into patient care via fraud prevention and investigation. NHSCFA (England) and NHSCFS (Wales) will use information provided by HMRC for regulatory enforcement purposes, e.g. as part of prosecution evidence. The sharing of HMRC information helps NHSCFA (England) and NHSCFS (Wales) understand fraud risks and investigate serious and complex fraud within the NHS.

HMRC

HMRC do not have a function to share, other than to support NHSCFA (England) and NHSCFS (Wales) in their functions.

a) What is the legal basis under which data will be disclosed and used under this agreement?

HMRC may, where appropriate, disclose information to NHSCFA (England) and NHSCFS (Wales) using the legislative gateway in s19 of the Anti-Terrorism, Crime and Security Act 2001 (ATCSA).

This allows HMRC to disclose necessary, proportionate, and relevant information for the purpose of assisting criminal investigations or proceedings, including for the purpose of determining whether investigations or proceedings should be initiated or ended. All disclosures must comply with Anti-Terrorism Crime & Security Act 2001: Code of practice on the disclosure of information and must be proportionate.

b) What is the lawful basis for the data processing as set out in Article 6 of the UK GDPR?

Public task: Article 6(1)(e) UK GDPR

Details about the data sharing

a) What type of data / information is being shared?

HMRC

Personal Tax Information for individuals and Companies tax information

NHSCFA (England) and NHSCFS (Wales)

NHSCFA (England) and NHSCFS (Wales) receive and process personal tax information for individuals and companies from HMRC.

b) Describe which particular data fields are to be shared and why it is necessary to achieve the objective.

Each request for information will be considered by HMRC on a case-by-case basis and could include the disclosure of any relevant information that HMRC holds on the individual including personal data and company data, to the extent this information will enable the NHSCFA (England) and NHSCFS (Wales) to discharge its function.

NHSCFA (England) and NHSCFS (Wales) will be requesting information from HMRC by completing the request template, providing enough information for HMRC to identify the subject. This will include some or all of the data elements:

  • Requested tax years
  • Full name (individual / Company)
  • Full address
  • Date of birth
  • Date of incorporation
  • NINO
  • Company Registration Number
  • Previous address
  • Employer(s)

HMRC information will only be shared if it is lawful, justified, proportionate, and necessary to do so. This may include:

  • Individual’s name (First name/surname/middle name if given)
  • Date of Birth
  • Address
  • Contact detail if requested (phone number and email address)
  • NINO (a justified reason must be provided)
  • Employer name
  • Employer address (if requested)
  • Employment start and end dates
  • Employment taxable pay for the year
  • Tax paid if requested.
  • Tax Return details
  • VAT Return details
  • Bank Details
  • Number of Employees

c) What is the source system for the information set?

HMRC

HMRC data may be extracted from any HMRC system, which could include but is not limited to:

  • TBS
  • PAYE
  • NIRS
  • VISION
  • MSS
  • SA
  • CENTAUR
  • CASEFLOW
  • DTR
  • CONNECT (ICE)
  • CBOL
  • CBIX
  • TAX CREDITS
  • ETMP
  • CO TAX VIEW
  • ELECTRONIC FOLDER

NHSCFA (England) and NHSCFS (Wales)

Data is recorded on the following NHSCFA (England) and NHSCFS (Wales) systems:

  • CLUE
  • FIRST
  • iBase Intellishare

d) What is the government security classification?

The material that will be shared will be marked as Official Sensitive.

e) Is there any special category data, sensitive data or criminal offence data being shared?

HMRC may be processing criminal offence data for General Processing under DPA-18, conditions for processing criminal offence data, para 10, 12 & 14 Schedule 1 of the DPA 2018:

HMRC may also be processing data under Part 3 DPA-18 Schedule 8 para 1.

f) What is the duration of the data sharing under this agreement?

Start date of agreement: 01/03/2022

End date of agreement: 01/03/2023

A formal review will take place annually

g) How will the data be shared?

Procedure for NHSCFA (England) and NHSCFS (Wales) to obtain HMRC Information

Every request for disclosure of information must be made in writing (by secure e-mail) on the latest HMRC Request template available through the HMRC Single Point of Contact (SPOC). Requests made other than in writing will not normally be accepted.

The number of requests for disclosure of information that the NHSCFA (England) and NHSCFS (Wales) will make to HMRC is anticipated not to exceed 50 annually.

Any NHSCFA (England) and NHSCFS (Wales) officer may request disclosure of HMRC information for any of the purposes set out by ATCSA 2001 S19(2)(b), (c), (d) or (e), but it must be submitted to HMRC by a registered authorised officer. Authority is to be given only if the authorising officer is satisfied that the request meets the legal requirements for disclosure.

Disclosures will be made on a case-by-case basis. Requests must therefore be for a specifically named individual or company. The NHSCFA (England) and NHSCFS (Wales) may request information that HMRC holds, as detailed in our Privacy Notice. HMRC will assess the information that is being requested, and only disclose information which is lawful, relevant and proportionate to the individual request.

A request must bear the appropriate Government Security Classification (GSC). Under the GSC Policy, documents carrying a Protective Mark of OFFICIAL do not need to be protectively marked. However, information exchanged under this MoU relates to personal information of individuals and sensitive information which may be evidence of a crime. All requests should be protectively marked OFFICIAL: Sensitive or higher. If any request carries a SECRET and TOP SECRET classification the NHSCFA (England) and NHSCFS (Wales) must contact the HMRC Intelligence Exchange Team before transmitting the request.

E-mail requests for Information Requests must be submitted to:

E-mail requests should include the authorisation from the authorising officer in the e-mail chain after the requestor.

HMRC must be satisfied that all requests made under s19 ATCSA 2001, are for the purposes allowed by ATCSA. HMRC will only disclose information when it is lawful to do so. All disclosures must be relevant and proportionate to the purposes for which it is requested. Requests under S19 ATCSA must comply with the ATCSA Code of Practice. Any data disclosed will be data held by HMRC.

Any disclosure by HMRC will be made in writing or by secure electronic communication to the officer who initiated the request and where requested copied to the SPOC.

Data may be extracted from the following HMRC systems.

  • TBS
  • PAYE
  • NIRS
  • VISION
  • SA
  • CENTAUR
  • CASEFLOW
  • SEARCHLIGHT
  • DTR
  • CONNECT (ICE)
  • ADD
  • TAX CREDITS
  • ETMP
  • CO TAX VIEW
  • ELECTRONIC FOLDER

Requests for Information will be responded to within 25 working days and results returned to the NHSCFA (England) and NHSCFS (Wales) requesting Officer.

The Gateway Exchange Team (GET) retention policy is six months. This is for:

  • Quality assurance: sample checking the accuracy of the information shared with Public Sector Bodies (PSB) by GET and WSU
  • Duplicate requests: to identify when a duplicate request is received, to avoid sharing the same information more than once
  • Follow up requests: to identify requests for further information on the same subject as a previous request. This ensures that only the additional information requested by the subsequent request is shared with the PSB

All requested information is currently held on HMRC Request Management Systems (RMS) for 6+1 years, and then is automatically deleted from the system. Data cannot be deleted from RMS, as the system does not allow deletion of the data any earlier than 6+1 years. A replacement for RMS is currently being investigated which should bring retention in line with UK GDPR requirements. This is anticipated to be in place by July 2023.

Procedure for NHSCFA (England) and NHSCFS (Wales) to obtain HMRC Information as a Witness Statement:

Every request for disclosure of information must be made in writing (by secure e-mail) on the latest HMRC Request template available through the HMRC Single Point of Contact (SPOC).

Requests made other than in writing will not normally be accepted.

The number of requests for disclosure of information in evidential format that the NHSCFA (England) and NHSCFS (Wales) will make to HMRC is anticipated not to exceed 16,000 annually.

Any NHSCFA (England) and NHSCFS (Wales) officer may request disclosure of HMRC information for any of the purposes set out by ATCSA 2001 S19(2)(b), (c), (d) or (e), but it must be submitted to HMRC by a registered authorised officer. A requesting officer cannot normally self-authorise, and authority is to be given only if the authorising officer is satisfied that the request meets the legal requirements for disclosure.

Disclosures will be made on a case-by-case basis. Requests must therefore be for a specifically named individual or company.

Bulk requests or lists covering many individuals or companies will not normally be accepted, however in exceptional circumstances & for proportionate operational needs, bulk requests will be accepted. Notification of such Operations should be made to the Gateway Exchange Team prior to submission.

The NHSCFA (England) and NHSCFS (Wales) may request information that HMRC holds, as detailed in our Privacy Notice.

HMRC will assess the information that is being requested, and only disclose information which is lawful, relevant and proportionate to the individual request.

The request must contain sufficient details of the investigation or proceedings to enable HMRC to assess whether it is necessary and proportionate to provide the information it holds.

All requests must fully specify the information required:

  • Individual Name (first name/surname/middle name if given)
  • Company information
  • Date of Birth
  • Address (and start date)
  • NINO
  • Employer Name
  • Employer address if requested
  • Employment start and end dates
  • Employment taxable pay for the year

A request must bear the appropriate Government Security Classification (GSC). Under the GSC Policy, documents carrying a Protective Mark of OFFICIAL do not need to be protectively marked. However, information exchanged under this MoU relates to personal information of individuals and sensitive information which may be evidence of a crime. All requests should be protectively marked OFFICIAL: Sensitive or higher. If any request carries a SECRET and TOP SECRET classification the NHSCFA (England) and NHSCFS (Wales) must contact the Intelligence Exchange Team before transmitting the request.

E-mail requests for Witness Statements must be submitted to:

risgatewayexchangeteam@hmrc.gov.uk

E-mail requests should include the authorisation from the authorising officer in the e-mail chain after the requestor.

HMRC must be satisfied that all requests made under s19 ATCSA 2001, are for the purposes allowed by ATCSA. HMRC will only disclose information when it is lawful to do so. All disclosures must be relevant and proportionate to the purposes for which it is requested. Requests under S19 ATCSA must comply with the ATCSA Code of Practice.

Any data disclosed will be data held by HMRC. Any disclosure by HMRC will be made in writing or by secure electronic communication to the officer who initiated the request and, where requested, copied to the SPOC. We aim to respond to Witness Statement requests within 35 working days. All Witness Statements are returned to the NHSCFA (England) and NHSCFS (Wales) Requesting Officer.

The Witness Statement Unit (WSU) retention policy is six months. This is for:

  • Quality assurance: sample checking the accuracy of the information shared with Public Sector Bodies (PSB) by GET and WSU
  • Duplicate requests: to identify when a duplicate request is received, to avoid sharing the same information more than once
  • Follow up requests: to identify requests for further information on the same subject as a previous request. This ensures that only the additional information requested by the subsequent request is shared with the PSB

All requested information is held on HMRC Request Management Systems for 6+1 years, and then is automatically removed from the system. Data cannot be deleted from RMS, as the system does not allow deletion of the data any earlier than 6+1 years. A replacement for RMS is currently being investigated which should bring retention in line with UK GDPR requirements. This is anticipated to be in place by July 2023.

h) Will direct (or browser) access to HMRC systems be granted under this agreement?

No direct browser access

i) How will you ensure data to be shared is accurate and up to date?

HMRC will use the latest, most accurate and up to date data it holds. Requests will be sent as soon as possible after the information has been extracted from the HMRC system. If any errors or inadequacy are identified by HMRC through the assurance process, the checks will be redone and the results will be resent to NHSCFA (England) and NHSCFS (Wales), and we would ask that the previous results are deleted by NHSCFA (England) and NHSCFS (Wales), and deletion is confirmed to HMRC.

j) What are the arrangements concerning onward disclosure of data?

NHSCFA (England) and NHSCFS (Wales) will use information supplied by HMRC for the progression of criminal investigations under S.19 ATCSA. NHSCFA (England) and NHSCFS (Wales) will not disclose information supplied by HMRC to any outside organisation unless permitted or required by law.

Where the disclosure is permitted, NHSCFA (England) and NHSCFS (Wales) will not make any such disclosure without prior approval by HMRC, and such disclosures will be proportionate to the need. Where the disclosure is required by law, NHSCFA (England) and NHSCFS (Wales) will notify HMRC, preferably before disclosure, that it is being required by law to make the disclosure.

Retention and destruction of data

a) How will the information be held? Describe how each party will ensure the information is held securely and disposed of at the right time.

HMRC

All data received is stored within our CPIA (Criminal Procedure Investigation Act 1996) compliant Request Management System (RMS) that only HMRC Volume Intelligence (inc. GET, Witness Statement Unit (WSU) and OSIT (Operational Support Intelligence Team)) staff have access to.

Access to RMS is controlled by HMRC Change and Performance Team. The Gateway Exchange Team (GET) retention policy is six months. This is for:

  • Quality assurance: sample checking the accuracy of the information shared with Public Sector Bodies (PSB) by GET and WSU
  • Duplicate requests: to identify when a duplicate request is received, to avoid sharing the same information more than once
  • Follow up requests: to identify requests for further information on the same subject as a previous request. This ensures that only the additional information requested by the subsequent request is shared with the PSB

All requested information is currently held on HMRC Request Management Systems (RMS) for 6+1 years, and then is automatically deleted from the system. Data currently cannot be deleted from RMS, as the system does not allow deletion of the data any earlier than 6+1 years.

A replacement for RMS is currently being investigated which should bring retention in line with UK GDPR requirements. This is anticipated to be in place by July 2023.

Request Management Systems (RMS) are classed as official notebooks and log actions and decisions made regarding the information supplied. Therefore, these need to be retained in line with HMRC Records Management and Retention and Disposal Policy.

NHSCFA (England) and NHSCFS (Wales)

All data is held on the NHSCFA Fraud Information System Reporting Toolkit (FIRST), CLUE and the NHSCFA intelligence system iBase Intellishare. NHSCFA is accredited under the ISO 27001 certification, and full ITIL service management processes are followed to manage user accounts and access permissions. Regular reviews of user accounts are undertaken. Data is removed in line with the NHSCFA Data Retention and Destruction Schedule. The NHSCFA Information Security Team is responsible for oversight of system access and authorisation.

b) What access controls will be in place at the receiving department including, where appropriate, the right security clearance?

HMRC

Staff are SC vetted, which permits access to this category of data, and some staff may have a higher level of clearance. The GET manages access to the group mailbox where requests are sent; only GET have access to the mailbox. HMRC Change and Performance Team manages access to Request Management Service (RMS), which is reviewed monthly. The data is held on RMS.

NHSCFA (England) and NHSCFS (Wales)

Users are only granted sufficient rights to systems to enable them to perform their job function; rights and permissions are kept to a minimum. Access permissions are requested via the NHSCFA Service Desk after approval and authorisation by line managers.

Data will be destroyed securely i.e. in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information. Removable media will not be used.

d) How will any onward transfers of information from the Public Sector Body (PSB) to another third party be handled (if allowed) under the legal basis and permission is granted by HMRC?

NHSCFA (England) and NHSCFS (Wales)

Where permitted by HMRC, any onward disclosure of information will be transferred via a mutually compatible secure system. Information will be anonymised/pseudonymised where possible. NHSCFA uses Egress for the encryption and secure transfer of files.

e) What is the agreed Data Retention Policy?

HMRC

The Gateway Exchange Team (GET) and Witness Statement Unit (WSU) retention policy is six months. This is for:

  • Quality assurance: sample checking the accuracy of the information shared with Public Sector Bodies (PSB) by GET and WSU
  • Duplicate requests: to identify when a duplicate request is received, to avoid sharing the same information more than once
  • Follow up requests: to identify requests for further information on the same subject as a previous request. This ensures that only the additional information requested by the subsequent request is shared with the PSB

All requested information is held on HMRC Request Management System for 6 years + 1 year and then is automatically removed from the system. Data cannot be deleted from RMS, as the system does not allow deletion of the data any earlier than 6+1 years. A replacement for RMS is currently being investigated which should bring retention in line with UK GDPR requirements. The replacement system is due to be implemented July 2023.

NHSCFA (England) and NHSCFS (Wales)

Case data held on management systems is retained for a minimum period of 6 years from date of case closure, with a review on a case-by-case basis where an extension is required. The Information Asset Owner is responsible for authorising record destruction.

Security

NHSCFA (England) and NHSCFS (Wales) agrees to:

  • Only use the information for purposes that are in accordance with the legal basis under which they received it
  • Only hold the data while there is a business need to keep it
  • Ensure that only people who have a genuine business need to see the data will have access to it
  • Store data received securely and in accordance with the prevailing central government standards, for example in secure premises and on secure IT systems.
  • Move, process and destroy data securely i.e. in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information.
  • Comply with the requirements in the Security Policy Framework, and in particular prepare for and respond to Security Incidents and to report any data losses, wrongful disclosures or breaches of security relating to information.
  • In the event of a security incident, inform the other organisation via the designated contacts immediately (within 24 hours of becoming aware) and agree to both advise, and consult with, the other organisation on the appropriate steps to take.
  • Seek permission from HM Revenue & Customs before onward disclosing information to a third party.
  • Seek permission from HM Revenue & Customs if you are considering offshoring any of the personal data shared under this agreement.
  • Mark information assets with the appropriate government security classification and apply the baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, issued by the Cabinet Office, and as a minimum the top level controls framework provided in the Annexe – Security Controls Framework to the GSC.

Review and Assurance Reporting Arrangements

How often is this agreement to be reviewed?

NHSCFA (England) and NHSCFS (Wales) agrees to:

  • Comply with the review and assurance process within the time limits specified by HMRC upon request
  • Formally renew this data sharing agreement when it ceases to be valid (see section 4f for date this agreement ceases to be valid), if the data is still required
  • Provide written, signed assurance that they have complied with the terms of this agreement, regularly upon request. Assurance will be provided by annual completion of a Certificate of Review & Assurance or as a minimum every 2 years dependent on the level of risk
  • Allow HMRC Internal Audit to conduct reviews of risk management, control effectiveness and governance in respect of this agreement.

HMRC as a data controller has a duty of care under Data Protection legislation and the Commissioners of Revenue and Customs Act 2005 to assure any data that we pass on to others. Failure to comply with the review process or provide signed assurance will result in escalation to the HMRC data owning Director General who will consider what action to take.

Facilitating the exercise of the rights of data subjects

In the event that a subject access request is received by NHSCFA (England) and NHSCFS (Wales), they will issue a formal response on the information that they hold following their internal procedures for responding to the request within the statutory timescales.

Freedom of Information Act (FOI) 2000

HMRC and NHSCFA (England) and NHSCFS (Wales) are subject to the requirements of the Freedom of Information Act 2000 (FOI) and shall assist and co-operate with each other to enable each department to comply with their information disclosure obligations.

In the event of one department receiving a FOI request that involves disclosing information that has been provided by the other department, the department in question will notify the other to allow it the opportunity to make representations on the potential impact of disclosure.

All HMRC FOI requests must be notified to HMRC FOI Team who will engage with the central FOI team in the supplying organisation.

Resolving Issues

Any issues or disputes that arise as a result of exchanging data under this agreement must be directed to the relevant contact points listed in Section 1 of this agreement. Each participant will be responsible for escalating the issue as necessary within their given area of responsibility.

Where a problem arises, it should be reported as soon as possible. Should the problem be of an urgent nature, it must be reported by phone immediately to the designated contact(s) and followed up in writing the same day. If the problem is not of an urgent nature it can be reported in writing within 24 hours of the problem occurring.

Costs / Charges

Will there be a charge for this service?

No Charge

Signatories

For HMRC

  • Print Name: Stuart Murtha
  • Grade: Assistant Director (SIBP)
  • Date: 05/08/2022

For NHSCFA (England) and NHSCFS (Wales)

  • Print Name: Alex Rothwell
  • Grade: Chief Executive
  • Date: 16/06/2022
