Scottish public authorities sharing data: consultation

Page 1 of 6

Closes 15 Jun 2020

The UK Digital Economy Act 2017, Part 5

The UK Digital Economy Act 2017 (“The Act”), Part 5 introduces new information sharing powers to reduce debt owed to, or fraud against, the public sector.

Only specified public authorities listed in Schedule 7 of the Act for the debt powers or Schedule 8 for the fraud powers are able to use these powers to share data. The Act regulates when the debt and fraud data sharing powers can be used, only authorising data sharing where the public authority can justify this in line with the purposes set out in Part 5 of the Act.

In recognition of the fact that public services are also delivered by third parties who may hold key information which public authorities need, or who may need to access key information held by public authorities, bodies that provide services to a public authority can also be added to or described in the Schedules. Such bodies can only use the data sharing powers in connection with the functions they exercise when providing services to a public authority.

The Act does not compel public authorities to share data. Data sharing under the Act is additional to any existing data sharing that can take place under existing legislation applying to public authorities.

The Act does not exempt public authorities from duties under existing data protection law (including the Data Protection Act 2018 and the EU General Data Protection Regulation - see section 49(8) and 57(8) of the Act and section 3 of the Data Protection Act 2018). The Act creates criminal offences for unauthorised disclosure of personal information received under 2 the debt and fraud powers. Additionally, public authorities must always ensure that data sharing is compliant with the Human Rights Act 1998 and they must not act in a way that would be incompatible with rights under the European Convention on Human Rights.

Public authorities sharing data under the debt and fraud powers must have regard to the Code of Practice for public authorities disclosing information under Chapters 1, 3 and 4 (Public Service Delivery, Debt and Fraud) of Part 5 of the Digital Economy Act 2017.

The Scottish Ministers have powers to add Scottish Bodies to Schedules 7 and 8 of the Act by making Regulations subject to the affirmative procedure in the Scottish Parliament. This ensures that the Scottish Parliament is able to scrutinise and vote on the proposed Scottish Bodies.

Debt

Chapter 3 of Part 5 of the Act sets out powers for public authorities to share data for the purpose of taking action in connection with debt owed to a public authority or to the Crown. “Taking action” includes identifying and collecting debt, bringing civil proceedings and taking administrative action as a result of that debt. Fairness Principles are set out in the Code of Practice (see paragraph 3.4) to help ensure a common approach to fairness when sharing data under the debt powers. To be able to share data under these powers, whether disclosing or receiving, public authorities must be listed in Schedule 7 of the Act. There are conditions in the Act which public authorities must satisfy before they can be listed in relation to the debt powers.

Fraud

Chapter 4 of Part 5 of the Act sets out powers for public authorities to share data for the purpose of taking action to address fraud against a public authority. “Taking action” includes preventing, detecting, investigating and prosecuting fraud, bringing civil proceedings and taking administrative action as a result of fraud. To be able to share data under these powers, whether disclosing or receiving, public authorities must be listed in Schedule 8 of the Act. There are conditions in the Act which public authorities must satisfy before they can be listed in relation to the fraud powers.

Debt and Fraud

The process for using the debt and fraud powers is outlined in the Code of Practice, including the Fairness Principles in Part 3.4 of the Code. Information sharing proposals are piloted to explore the benefit of the data share. If public authorities wish to establish a pilot, they need to prepare a business case and data protection impact assessment. The appropriate Debt and Fraud Review Board assesses and makes a recommendation on each pilot proposal for the relevant Minister, who decides which go ahead. If reserved bodies are involved it is a UK Board and Minister. If only Scottish Bodies are involved it is a Scottish Board and Minister. The information sharing arrangements are recorded in a public register. The Act requires that the operation of the powers be reviewed after three years.