DPIA Blackpool Council, DWP and HMRC Digital Economy Act Data Sharing Pilot.

Step 1: Identify the need for a DPIA

Explain broadly what project aims to achieve and what type of processing it involves. You may find it helpful to refer or link to other documents, such as a project proposal. Summarise why you identified the need for a DPIA.

This is a follow-up pilot to the Council Tax Pilot (DEA/D/1-29) that was in operation from March 19 to March 20. This new pilot involves over 30 local authorities, DWP and HMRC.

Both this new pilot and the first are and were aimed at:

• Increasing the management and recovery of debt by utilising HMRC PAYE and Self Assessment (SA) data,
• Identifying and supporting vulnerable debtors.

As the country begins to recover from Covid-19, debt recovery action will recommence. Thus, the aims of this pilot are to support public authorities in enacting fair debt recovery programmes, supporting those who can’t pay whilst managing and recovering debt from those who can pay.

The first pilot involved 29 local authorities supplying a sample of their Council Tax debtors to HMRC, whereupon HMRC returned the associated PAYE and Self Assessment data to the local authorities for them to use in managing and recovering debt (via communication with the debtors and by using Attachments of Earnings (AoE) where appropriate).

The first pilot has now ended and the results are being analysed. Early indications suggest it has successfully achieved a Council Tax debt recovery rate of approximately 20%. This new pilot is again limited to Council Tax debtors.

In building upon the first pilot, there are two areas that can be improved upon in launching this second pilot:

• The identification of vulnerability, and,
• The matching rate.

Identification of Vulnerability - In the first pilot, we anticipated that the PAYE and SA information of debtors could indicate their vulnerability. This proved to be erroneous and no determination could be made from either data set.  

Matching Rate - The first pilot's matching success rate was 54%. Although this was better than expected, the introduction of additional identification information can increase the match rate significantly, thus increasing the debt recovery rate. 

Public authorities  -  This second pilot aims to include the following:

Local Authorities, comprising  

• A core from the first pilot, and, 
• A small selection of those who have expressed a new interest.

DWP - Included as the source for:

• Increasing the vulnerability identification, by returning matched debtors in receipt of income-based benefits,
• Increasing the matching rate with HMRC, by adding additional identification data (including NINO to debtors it matches).

The data requested from HMRC is:

• Address data
  • To aid communication
• PAYE data
  • To aid segmentation of recovery action
• Self Assessment data
  • To aid segmentation of recovery action
• Furlough data
  • To aid in the identification of vulnerable debtors

Neither HMRC or DWP is to retain the data beyond its matching operations. Cabinet Office is not to retain the data beyond its collation of the Local Authorities’ spreadsheets, its passing of this to DWP and its return of disaggregated information to respective Local Authorities.  An MOU will be drawn up between all parties (including Blackpool Council, Cabinet Office, DWP and HMRC) prior to the data share under Article 28 of the UK GDPR. Here, the process of transferring the data shall be detailed.

Background of the authority

Council Tax is levied on each domestic dwelling within the council’s boundary. When payments are not made based on the statutory instalment plan, reminder notices are issued and non-paid amounts are enforced through the Magistrates’ Court to obtain a Liability Order. Recovery is based on the regulations enacted by the Local Government Finance Act 1992.

As at 29.01.2021, there are 8,287 Liability Orders totaling in excess of £1.5m outstanding for the five years prior to 31.03.2020.

Details of the steps to recover non-payment are at the following link: Blackpool

Blackpool Council has identified that customer income-based benefit information from DWP and PAYE and Self-Assessment customer information from HMRC is useful and able to support:

• The managing of overall arrears and further developing of recovery procedures, by:
  • Identifying customers whose circumstances make them vulnerable and providing appropriate support and appropriate recovery action whereupon they engage with the Local Authority;
  • Identifying those in employment and allowing the recovering of individual debts by Attachment to Earnings Orders, where appropriate;
  • Identifying forwarding addresses for customers who have moved leaving arrears outstanding;
  • Identifying those receiving benefits and allowing the recovering of individual debts by Attachment to Benefits Orders, where appropriate.

This is a significant change from the current process and allows us to take positive action to identify and support vulnerable customers and recover debt from those customers who are not engaging in the process and who have already been informed of the action the Local Authority may take.

Blackpool Council, DWP and HMRC are joint data controllers in this pilot using the definition as set out in the Data Protection Act 2018.

Cabinet Office is a data processor using the definition as set out in the Data Protection Act 2018. Cabinet Office is to be the Data Processor of Blackpool Council, DWP and HMRCs data (i.e., the Data Controllers of the pilot). 

The purpose of the pilot is to gather evidence that the data shared from DWP and HMRC will increase the identification of vulnerable individuals and increase Blackpool Council’s Council Tax debt recovery rate.

This DPIA is needed as we will be collecting new information from DWP and HMRC to enable Council Tax recovery which may have a significant impact on the individuals concerned, for example:

• Financially vulnerable individuals may be identified and offered debt support 
• AoE’s may be implemented where the individual will have no choice regarding payment of the debt.
• Individuals may be contacted to discuss the new information provided by the HMRC

This may also raise privacy concerns as this data was originally collected for the purposes of calculating benefits and Income Tax liability.

Step 2: Describe the processing

Describe the nature of the processing

How will you collect, use, store and delete data? What is the source of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved?

Blackpool Council will supply Cabinet Office, DWP and HMRC with the names and addresses of Blackpool Council’s customers with Council Tax debt, plus supporting identification information, (e.g., NINO, DoB, email address and phone numbers) as a one-off data share.  DWP and HMRC will match against their data and matching cases will be supplied to Blackpool Council with income-based benefits information, PAYE and Self-Assessment data.

The data will be used to enable management and recovery of Council Tax debt, via:

• Where financial vulnerability is identified, discussions around the use of debt support
• AOE where employment information has been provided
• Further discussion with the individual where self-assessment information has been provided

The data will be stored in a secure folder within Blackpool Council and Cabinet Office will send this to DWP via secure government email. DWP will then send the data to HMRC via secure government email. 

Neither HMRC or DWP is to retain the data beyond its matching operations. Cabinet Office is not to retain the data beyond its collation of the Local Authorities’ spreadsheets, its passing of this to DWP and its return of disaggregated information to respective Local Authorities.

The standard data retention period for the pilot is 12 months.  However, data that is being used operationally to recover debt (e.g., via an Attachment of Earnings, bankruptcy action or supporting identified vulnerable customers) will be retained in line with Blackpool Council’s data retention policies and deleted in accordance with said policies.

From the information supplied by HMRC, if Blackpool Council subsequently has this information confirmed by either the employer or the individual, then that information can be classed as having been supplied via another source (i.e., other than HMRC), then Blackpool Council shall be able to retain this data on its systems. However, the data received from HMRC in its raw format shall be deleted at the end of the pilot. 

For HMRC, the pilot data will be deleted one year after the data has been shared with Cabinet Office, except where the data is being used operationally and will be deleted once recovery action has been completed.

The data will not be shared with anyone else.

A data flow process is shown below.

 

Describe the scope of the processing

what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?

An overview of the activity under the arrangement and how the data will be used

Blackpool Council will undertake a one–off data share as to a reasonable sample of debtors. This sample is to be of an appropriate size in relation to Blackpool Council (as may include all debtors contained within our Liability Order dataset). There is no limit to this sample size. This sample is to be shared with Cabinet Office. Cabinet Office will then collate all of the submitted samples from the pilot’s Local Authorities into a single document. This collated document will then be passed by Cabinet Office to DWP who will match against their benefits records. For those records matched, DWP will add income-based benefits data and add corroborative customer information (e.g., NINO and/or DoB) and then forward these records to CO.  

HMRC will then match these customer records against their systems and return the records to Cabinet Office with the associated address, PAYE and/or Self Assessment information. Cabinet Office will then disaggregate this information and provide the respective samples to each local authority, whereupon Blackpool  Council shall receive its sample back. No special category or criminal offence data shall be contained within the sample.

The sample will exclude debtors who are;

• In receipt of debt support - full or partial
• Deceased
• Subject to committal and bankruptcy cases
• Companies
• Subject to a current Attachment of Earnings

A snapshot of data will be taken before being issued to DWP/HMRC for evaluation during and post-action.

Once the data has been returned, Blackpool Council will analyse the results from DWP and HMRC and;

• For those in receipt of DWP Income-based benefits:
  • Pass to debt support team for action
  • Communicate with the debtor
  • If debtor contacted and vulnerability discussed, support offered (where appropriate) and/or payment plan agreed
  • If no contact, Blackpool Council shall continue recovery action

• For those in receipt of PAYE:
  • 14-day letter (as per the first pilot) to be issued to the debtor
  • If debtor contacted, payment plan or vulnerability discussed
  • If no contact, Blackpool  Council shall progress Attachment of Earnings action

• For those in receipt of S/A:
  • Communicate with the customer noting they are in receipt of S/A
  • If debtor contacted, payment plan or vulnerability discussed
  • If no contact, Blackpool Council shall continue recovery action

An outline of what types of data will be shared and the data security arrangements to be put in place

Blackpool Council will supply Cabinet Office with our sample which contains the following;

• Full name:
  • Title
  • First name
  • Middle name or initials
  • Surname

• Current address and postcode
• Forwarding address and dates
• Date of commencement of Liability Order (if applicable)
• Unique identifier (Future proof)
• Telephone numbers (where available)
• Email addresses (where available)

In addition, either DoB or NINO will be provided as a minimum (where available) to assist DWP data matching

Cabinet Office will collate our sample with the other samples from the Local Authorities involved in this pilot for onward transmission to DWP.

DWP will match against their benefits records and, for those matched customers, will add additional corroborative data and income-based benefits information as follow:

• Match successful – Yes or no
• Customer name as recorded on DWP records
• NINO as recorded by DWP (where available)
• DoB as recorded by DWP (where available)
• Telephone numbers (where available)
• Email addresses (where available)
• Income-based benefit in payment – Yes or no
• Payment frequency – weekly or monthly 
• Benefit amount

This data will then be sent securely to HMRC.

HMRC will match against their records and, for those matched customers, will add the following data and return to local authorities via Cabinet Office;

• Match successful  - yes or no
• Address as recorded by HMRC
• If person is in current employment - PAYE data, including:
  • Employer name
  • Employer address
  • Employer contact details (e.g., name and phone number)
  • Currently employed (as of last PAYE update) - Y/N
  • Employment end date
  • Employment pay frequency
  • Taxable pay in period
  • Taxable pay year to date
  • Payroll ID in this employment
  • Individual address

• Self-Assessment data, including:
  • Tax year
  • SA total income
  • SA correspondence address

• Furlough payments data, including:
  • Furlough payment or average
  • Payment frequency
  • Period of furlough payments
  • Total furlough amount paid

HMRC will return the collated sample to Cabinet Office, who will split the samples and forward to each relevant council. In the spreadsheet to be produced with the data (both matched and unmatched), there shall be fields for both the Local Authority Reference Number and Name of Local Authority. This should prevent data from being sent to the wrong Local Authority. Other measures that Local Authorities seek to institute shall be detailed in the MOU to be produced prior to the data sharing commencing. 

DWP and HMRC will conduct their own quality matching policy to the data to ensure match quality and data returned meet their standards.

Data will be securely transferred by encrypted email from a secure email address, will be stored in a secure folder and deleted after the completion of the pilot and analysis.

Persons at Blackpool Council receiving and disclosing data are limited to debt analysts and debt recovery officers.  All such users sign data disclosure agreements before system access is granted. All staff have had DPA and lately GDPR training.

Persons at DWP and HMRC receiving, analysing and disclosing data are limited to data analysts and processors, within the Centre for Data Exploitation, data management team. These staff have been security trained.

For any third-party entity or body which provides services to Blackpool Council and which has access to its software suppliers and is able to extract data to be used in a search tool available for other councils – Blackpool Council shall ensure no data supplied to them under this pilot is available for any other council to obtain.

Describe the context of the processing

What is the nature of your relationship with the individuals? How much control will they have? Would they expect you to use their data in this way? Do they include children or other vulnerable groups? Are there prior concerns over this type of processing or security flaws? Is it novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?

The individuals reside (or resided) within Blackpool Council’s boundary and are/were liable to pay Council Tax to Blackpool Council but are in arrears.

The individuals will have no control.

Council tax is covered by the Local Government Finance Act 1992 and individuals are required to pay Council Tax and would expect Blackpool  Council to pursue recovery of their debt.

Children and other vulnerable groups are not included.

There are no prior concerns over this type of processing and security flaws.  

The use of data sharing to manage and reduce debt is well established throughout the debt industry.

There is no new technology in this area for this type of pilot.

There are no issues of public concern to be factored in. 

Blackpool Council, Cabinet Office, DWP and HMRC are required to adhere to the DEA Code of Practice, DPA 2018 and LGFA 1992 (as amended).

Describe the purposes of the processing

What do you want to achieve? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly? 

What do you want to achieve?

The pilot is aimed at:-

Increasing recovery of Council Tax debt from individuals who have not paid and debt support for those individuals identified as financially vulnerable.

What is the intended effect on individuals? 

The intended effect on individuals will be for those who are able to pay and choose not to pay is to manage and recover their debt.  For those who are identified as vulnerable, the effect will be to help them via debt support.  It will also be fairer for those who do pay their Council Tax.

What are the benefits of the processing – for you, and more broadly?

The benefits of the processing are:-

• Increased debt recovered
• Increased in-year collection rate
• Increased identification of vulnerable debtors, as can be signposted for assistance within or externally of the Council, where they engage;
• Increase in debt recovery due to knowledge of PAYE and Self-Assessment information 
• Increase in take-up of reliable Attachment of Earnings
• Reduced failure rate of Attachment of Earnings
• Reduced need for using enforcement agents as a first port-of-call and the increasing of debt with fees.
• A fair approach to reducing debt with an ability to pay over a regular period
• Improved effectiveness in debt recovery and thus reduced pressure on budgets
• Those in regular employment will avoid expensive and stressful enforcement agent visits.
• Customers knowing that we have access to HMRC data will encourage earlier take-up in contacting Blackpool Council and making arrangements to pay.
• Efficiency savings by reducing time/court hearings on committal or insolvency cases.
• Efficiency savings on not transferring cases to enforcement agents.
• Swifter repayment of debt
• Identification of individuals with a propensity to pay and take appropriate recovery action
• Reduced or mitigated problem debt

Step 3: Consultation process

Consider how to consult with relevant stakeholders

Describe when and how you will seek individuals’ views – or justify why it’s not appropriate to do so.

Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult information security experts, or any other experts?

Step 4: Assess necessity and proportionality

Describe compliance and proportionality measures, in particular

Does the processing actually achieve your purpose? 

Is there another way to achieve the same outcome? 

How will you prevent function creep? 

How will you ensure data quality and data minimisation? 

What information will you give individuals? 

How will you help to support their rights? 

What measures do you take to ensure processors comply? 

Step 5: Identify and assess risk

Step 6: Identify measures to reduce risk

Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5

Step 7: Sign off and record outcomes