- Legal basis
- Purpose of the agreement
- Security and assurance
- Data Protection Legislation and Human Rights Act 1998
- Freedom of Information (FOI) Act 2000
- Direct, (or browser) Access specific expectations
- Costs/ charges
- Reporting and review arrangements
- Resolving issues
This Memorandum of Understanding (MoU) sets out the agreement between HM Revenue and Customs (HMRC) and NHS Counter Fraud Authority England (NHSCFA) and NHS Counter Fraud Services (NHSCFS) Wales that governs the exchange of information between the two organisations
Information will only be exchanged where it is lawful to do so. The relevant legal basis is detailed within the agreement.
This MoU is neither a contract, nor legally binding. It does not in itself create lawful means for the exchange of information; it simply documents the processes and procedures arranged between the organisations. This MOU should not be interpreted as removing or reducing existing legal obligations on each party, for example as data controllers under Data Protection Act 2018.
HMRC was established in April 2005 by the Commissioners of Revenue and Customs Act 2005 (CRCA 2005), merging the Inland Revenue and HM Customs and Excise. HMRC Home Page
HMRC's purpose is to make sure that the money is available to fund the UK's public services. HMRC also helps families and individuals with targeted financial support.
NHS Counter Fraud Authority (NHSCFA) is an independent Special Health Authority established in November 2017. NHSCFA leads on work to identify and combat fraud across the NHS. Its purpose is to safeguard NHS resources so that the NHS is better equipped to care for the nation's health, providing support, guidance and direction to the NHS. This work enables effective prevention, detection and enforcement action to take place against fraud and fraudulent activity. NHSCFA also collects, collates and analyses information that holds intelligence value, which in turn broadens the understanding of fraud risks in the NHS
NHSCFA has duties and enforcement powers under the NHS Act 2006, the Health and Social Care Act 2012, and the NHSCFA (Establishment, Constitution and Staff and other Transfer Provisions) Order 2017, issued by the Secretary of State for Health. NHSCFA is responsible for:
- Leading on work to protect NHS staff, patients and resources from fraud, bribery and corruption, educating and informing those who work for, who are contracted to, or who use the NHS about fraud in the health service and how to tackle it;
- Preventing and deterring fraud in the NHS by reducing it and removing opportunities for it to occur or to re-occur; and holding to account those who have committed fraud against the NHS by detecting and prosecuting offenders and seeking redress where viable.
NHS England follows the NHSCFA strategy when undertaking its own work to combat fraud,
Officers working for NHS England must report any suspicions of economic fraud to NHSCFA as soon as they become aware of them to ensure they are investigated properly and maximise the chances of financial recovery.
The majority of allegations of economic fraud will be investigated by nominated and accredited Local Counter Fraud Specialists on behalf of NHS England.
NHSCFA will work cooperatively with officers appointed by NHS England to ensure work is conducted to prevent, deter and detect fraud within and against NHS England
NHSCFA will investigate cases of fraud that cannot be dealt with by NHS England, including cases of bribery and corruption.
NHS Counter Fraud Authority provides NHS anti-fraud services to the Welsh Assembly Government (under section 83 of the Government of Wales Act 2006)
Disclosure of Information between HMRC and NHSCFA (England) and NHSCFS (Wales)
HMRC is bound by a statutory duty of confidentiality which is set out in legislation at s18 (1) of CRCA. This is underpinned by a criminal offence of wrongful disclosure of information that identifies a person (legal or natural) or enables their identity to be deduced, which is set out at s19 CRCA. Under s18 (2) & (3) CRCA there are a number of exceptions to the duty of confidentiality that enable lawful disclosure. These include a disclosure which is made:
- For the purpose of a function of the Revenue and Customs and which does not contravene any restriction imposed by the Commissioners; (s18(2)(a))
- In the public interest in the specific circumstances and where there is no other available, appropriate legal gateway to allow lawful disclosure, HMRC may consider a disclosure under s20 CRCA on a case by case basis
- In response to a Court Order that is binding by the crown; (s18(2)e))
- With the consent of each person whom the information relates; (s18(2)(h))
- Through any other enactment i.e. a statutory information sharing gateway; (s18(3))
HMRC may disclose information to NHSCFA & NHSCFS (Wales) using the legislative gateway in s19 of the Anti-Terrorism, Crime and Security Act 2001 (ATCSA). This allows HMRC to disclose information to another law enforcement agency for the purpose of assisting criminal investigations or proceedings, including for the purpose of determining whether investigations or proceedings should be initiated or brought to an end. Each case will be reviewed individually to make sure any disclosure will comply with the Anti-Terrorism, Crime and Security Act 2001: Code of Practice on the Disclosure of Information (CoP), HMRC Code of Practice and must be proportionate.
NHSCFA & NHSCFS (Wales) will use information supplied by HMRC for regulatory enforcement purpose, e.g as part of prosecution evidence. NHSCFA & NHSCFS (Wales) will not disclose information supplied by HMRC to any outside organisation unless permitted or required by law. Where the disclosure is permitted, NHSCFA will not make any such disclosure without prior approval by HMRC and such disclosures will be proportionate to the need. Where the disclosure is required by law, NHSCFA & NHSCFS (Wales) will notify HMRC, preferably before disclosure, that this is being required by law to make the disclosure.
HMRC will not disclose information supplied by NHSCFA & NHSCFS (Wales) to any outside organisation unless permitted or required by law. Where disclosure is permitted, HMRC will not make any such disclosure without prior approval by NHSCFA & NHSCFS (Wales). Where the disclosure is required by law, HMRC will notify NHSCFA & NHSCFS (Wales), preferably before disclosure that is being required by law to make the disclosure. Disclosures will be made on a case by case basis.
NHSCFA & NHSCFS (Wales) may disclose information to HMRC under Schedule 2 Section 2(1) and Schedule 2 Section 5(3) of the Data Protection Act 2018. This allows NHSCFA and NHSCFA (Wales) exemptions from specified obligations in the GDPR ,for the prevention or detection of crime and/or the apprehension or prosecution of offenders and for the purpose of legal proceedings. All such requests will be subject to review by their Central Intelligence Lead prior to any discussion on disclosure.
Purpose of the agreement
The purpose of this MoU is to document the arrangements and obligations for the sharing of information between HMRC, and NHSCFA and NHSCFS (Wales).
NHSCFA and NHSCFS (Wales) will request data that can only be provided by HMRC. NHSCFA and NHSCFS (Wales) identify and investigate NHS fraud, the information provided is for the purpose of the prevention, detection, investigation and prosecution of fraud offences within the NHS.
Procedure for NHSCFA and NHSCFS (Wales) to obtain HMRC information
Every request for disclosure of information must be made in writing (by e-mail preferably) on the latest HMRC Request template available through the HMRC Single Point of Contact (SPOC). Requests made other than in writing will not normally be accepted.
Disclosures will be made on a case-by-case basis. Requests must therefore be for a specifically named individual or company. Bulk requests or lists covering many individuals or companies will not be accepted.
The NHSCFA & NHSCFS (Wales) may request information that HMRC holds, as detailed in HMRC's Privacy Notice. HMRC will assess the information that is being requested, and only disclose information which is lawful, relevant and proportionate to the individual request.
The request must contain details of the investigation or proceedings to which it relates and specify the information required, Information requested may include the following e.g.
- Individual's Name (first name/surname/middle name if given)
- Date of Birth
- Address (and start date)
- Employer Name
- Employer address is requested
- Employment start and end dates
- Employment taxable pay for the year
A request must bear the appropriate Government Security Classification (GSC). Under the GSC Policy, official documents do not need to be marked. However, given that information exchanged under this MoU will most likely relate to personal information of individuals and sensitive information which may be evidence of a crime, it is anticipated that most of the information will be marked as 'Official-Sensitive' and treated accordingly.
E-mail requests for Information Reports and Witness Statements must be submitted to:- firstname.lastname@example.org
Information Reports and Witness Statement (WS) requests are received via the NCU mailbox. See Appendix A for a copy of the Information report template. For requests made under s19 ATCSA 2001, providing that the principles of the ATCSA CoP have been respected and the HMRC GET is satisfied that the request is for the purpose of investigations or proceedings covered by disclosure under ATCSA it will normally disclose the requested information as long as it is relevant, justified and proportionate to the purpose for which it was sought.
Witness Statement requests are forwarded onto the Witness statement Unit (WSU).See Appendix B for a copy of the WS Request Template The WSU will then assess each request on a case by case basis, a Witness Statement can request any HMRC information so long as it is for its functions and is relevant, justified and proportionate to the purpose for which it is sought. The information will then be disclosed in an evidential format
Exceptional postal requests for Information Reports and Witness Statements must be sent to:Gateway Exchange Team - HM Revenue & Customs, PO Box 440, Ipswich IP4 1WB
Such postal requests should be double enveloped (e.g. inner envelope should be marked 'Official-Sensitive' and sealed inside another envelope without a security marking on it and show a return address in the event of non-delivery). The protective marking must be shown prominently on the inner cover only.
E-mail requests should include the authorisation from the authorising officer in the e-mail chain after the requestor.
Any disclosure by HMRC will be made in writing or by secure electronic communication to the officer who initiated the request and where requested copied to the SPOC.
NHSCFA & NHSCFS (Wales) to provide information to HMRC
Every request for disclosure of information must be made in writing (by e-mail preferably) on the NHSCFA request template, available from the Single Point of Contact (SPOC). Requests made other than in writing will not normally be accepted.
Requests must be for a specifically named individual. Bulk requests and lists will not be accepted. The request must contain details of the criminal investigation or criminal proceedings to which it relates and specify the information required.
Any HMRC officer may make a request, but it must be authorised by the authorising officer. The Authorising Officer must be satisfied that the request is for the purpose of obtaining information to assist the HMRC enquiry.
HMRC authorising officers must be of Senior Officer Grade or above.
HMRC will keep NHSCFA informed about any changes in the details of the contacts listed in this agreement.
A request should bear the appropriate level of protective marking under the Government Security Classifications policy. Each piece of information will be assigned an appropriate level of protection for its handling, processing, storage and movement. It is anticipated that most of the information will be marked as 'Official-Sensitive'.
E-mail requests must be submitted to: email@example.com
Exceptional postal requests should be sent to :NHS Counter Fraud Authority, Central Intelligence Unit, 4th Floor Skipton House, 80 London Road, London SE1 6LH
Proactive disclosures by NHSCFA to HMRC should be sent, preferably in Intelligence Report format to the following e-mail address: firstname.lastname@example.org, if necessary contact the Intelligence Bureau for advice on 03000 521779
Security and assurance
HMRC & NHSCFA & NHSCFS (Wales) agrees to:
- Only use the information for purposes that are in accordance with the legal basis under which they received it
- Only hold the data while there is a business need to keep it
- Ensure that only people who have a genuine business need to see the data will have access to it.
- Store data received securely and in accordance with the prevailing central government standards, for example in secure premises and on secure IT systems.
- Move, process and destroy data securely i.e. in line with the principles set out in HM Government Security Policy Framework, issued by the Cabinet Office, when handling, transferring, storing, accessing or destroying information.
- Comply with the requirements in the Security Policy Framework, and in particular prepare for and respond to Security Incidents and to report any data losses, wrongful disclosures or breaches of security relating to information
- Any losses/security incidents should be handled in accordance with the policy of each organisation and notified to the respective SPOC within 24 hours of identification. In the event of an incident the organisations will endeavour to cooperate, agreeing on the appropriate steps to take.
- Mark information assets with the appropriate security classification and apply the baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile as set out in Government Security Classifications, issued by the Cabinet Office, and as a minimum the top level controls framework provided in the Annex – Security Controls Framework to the GSC.
- Allow HMRC Internal Audit to carry out an audit to help in deciding whether HMRC should continue to provide the data, upon request
- Provide written, signed assurance that they have complied with these undertakings regularly upon request
Data Protection Legislation and Human Rights Act 1998
Nothing in this Memorandum of Understanding will limit the receiving department's legal obligations under the Data Protection legislation – see section 17 below, Glossary of Terms & Abbreviations.
All the information transferred by HMRC and NHSCFA & NHSCFS (Wales) should be relevant, necessary and proportionate to enable HMRC and NHSCFA & NHSCFS (Wales) to carry out their task or process.
HM Revenue and Customs and NHSCFA & NHSCFS (Wales) will become the Data Controller (as defined in the glossary of terms) of any personal data received from the other under the terms of this MOU.
HM Revenue and Customs and NHSCFA & NHSCFS (Wales) are public authorities for the purposes of section 6 HRA. It would be unlawful for HMRC and NHSCFA & NHSCFS (Wales) to act in a way that is incompatible with European Convention on Human Rights.
Freedom of Information (FOI) Act 2000
HMRC and NHSCFA & NHSCFS (Wales) are subject to the requirements of the Freedom of Information Act 2000 (FOI) and shall assist and co-operate with each other to enable each department to comply with their information disclosure obligations.
In the event of one department receiving a FOI request that involves disclosing information that has been provided by the other department, the department in question will notify the other to allow it the opportunity to make representations on the potential impact of disclosure.
All HMRC FOI requests must be notified to HMRC FOI Team who will engage with the central FOI team in the supplying organisation.
All NHSCFA & NHSCFS (Wales) FOI requests must be notified to NHSCFA & NHSCFS (Wales) Information Governance Team who will engage with the FOI team in the supplying organisation.
Direct, (or browser) Access specific expectations
No Direct Access is part of this agreement
HMRC will not charge NHSCFA & NHSCFS (Wales) for information requested under the arrangements in this MoU. However, HMRC reserves the right to review, negotiate and adjust the Service Level Agreement response times in order to meet demand, where it has identified a significant increase of requests during any financial year.
NHSCFA & NHSCFS (Wales) will not charge HMRC for information requested under the arrangements in this Memorandum of Understanding.
HMRC will respond to requests of information within 25 working days except for Witness Statements, which we will respond to within 35 working days
For these purposes each individual or company named on a request counts as a separate request.
Reporting and review arrangements
This Memorandum of Understanding will be reviewed at least annually.
The parties may agree to meet more frequently to resolve matters or concerns arising from the operation of the MoU.
Assurance will normally be provided by annual completion of a certificate, but can be up to every 5 years depending on the levels of risk involved. Assurance processes should include checking that any information sharing is achieving its objectives (in line with this MoU) and that the security arrangements are appropriate given the risks.
Any complaints, problems, issues etc. that are specific to the information exchanges covered by this MoU should immediately be referred to the contacts named in section 10. If these cannot be resolved they should be reported, in writing.