Session 2007/2008
Fourteenth Report
PUBLIC ACCOUNTS COMMITTEE
Report on
National Fraud Initiative
TOGETHER WITH THE MINUTES OF PROCEEDINGS OF THE COMMITTEE
RELATING TO THE REPORT AND THE MINUTES OF EVIDENCE
Ordered by The Public Accounts Committee to be printed 22 May 2008
Report: 33/07/08R Public Accounts Committee
This document is available in a range of alternative formats.
For more information please contact the
Northern Ireland Assembly, Printed Paper Office,
Parliament Buildings, Stormont, Belfast, BT4 3XX
Tel: 028 9052 1078
Public Accounts Committee
Membership and Powers
The Public Accounts Committee is a Standing Committee established in accordance with Standing Orders under Section 60(3) of the Northern Ireland Act 1998. It is the statutory function of the Public Accounts Committee to consider the accounts and reports of the Comptroller and Auditor General laid before the Assembly.
The Public Accounts Committee is appointed under Assembly Standing Order No. 51 of the Standing Orders for the Northern Ireland Assembly. It has the power to send for persons, papers and records and to report from time to time. Neither the Chairperson nor Deputy Chairperson of the Committee shall be a member of the same political party as the Minister of Finance and Personnel or of any junior minister appointed to the Department of Finance and Personnel.
The Committee has 11 members including a Chairperson and Deputy Chairperson and a quorum of 5.
The membership of the Committee since 9 May 2007 has been as follows:
Mr Paul Maskey*** (Chairperson)
Mr Roy Beggs (Deputy Chairperson)
Mr Thomas Burns**
Mr Trevor Lunn
Mr Jonathan Craig
Mr Ian McCrea*
Mr John Dallat
Mr Mitchel McLaughlin
Mr Simon Hamilton
Ms Dawn Purvis
Mr David Hilditch
* Mr Mickey Brady replaced Mr Willie Clarke on 1 October 2007
* Mr Ian McCrea replaced Mr Mickey Brady on 21 January 2008
** Mr Thomas Burns replaced Mr Patsy McGlone on 4 March 2008
***Mr Paul Maskey replaced Mr John O’Dowd on 20 May 2008
Table of Contents
List of abbreviations used in the Report
Report
Introduction
Background
Forthcoming Changes
The Way Forward
Appendix 1
Minutes of Proceedings
Appendix 2
Minutes of Evidence
Appendix 3
List of Witnesses
List of
Abbreviations used in the Report
NFI National Fraud Initiative
C&AG Comptroller and Auditor General
DFP Department of Finance and Personnel
GB Great Britain
NIAO Northern Ireland Audit Office
SSL Secure Sockets Layer
UK United Kingdom
Introduction
1. The Public Accounts Committee received a presentation on the National Fraud Initiative (NFI) at its meeting on 3 April 2008. The witnesses attending were:
- Mr John Dowdall CB, Comptroller and Auditor General, Northern Ireland Audit Office;
- Mrs Janet Sides, Assistant Auditor General (acting), Northern Ireland Audit Office;
- Mr Peter Yetzes, Assistant Director, Audit Commission; and
- Mr David Thomson, Treasury Officer of Accounts, Department of Finance and Personnel.
2. The NFI is a data matching exercise run every two years by the Audit Commission since 1996. It has been designed to help participating bodies identify possible cases of fraud and detect and correct any under or overpayments from the public purse.
3. The NFI in Northern Ireland will be managed by the Northern Ireland Audit Office (NIAO), using the infrastructure which has been set up by the Audit Commission.
4. This report is like no other produced by the Public Accounts Committee. However, the Committee considered it important to be seen to be publicly supporting this initiative and calls upon everyone to play their respective roles to the full in taking this forward.
Background
Origins and Processes
5. The NFI originated as a result of a suspected fraud in which students, or those purporting to be students, were travelling from one London borough to another by Tube, and claiming student awards. The Audit Commission offered the London boroughs the opportunity to share data to attempt to determine the identity of the serial claimants. This exercise was so successful that other councils outside London asked to be involved in the data matching exercise. Therefore, the initiative grew into the NFI.
6. The NFI has been operating nationally since 1996, with the aim of helping participating bodies prevent and detect fraud and error. Participation in the NFI has not been confined to those bodies the Audit Commission is responsible for, but now includes many other Government bodies and private pension schemes from across the UK.
7. Data matching involves comparing the extent to which computer records held by one body match against records held by the same or another body. Computerised data matching techniques are then used to narrow down the search for duplicate or fraudulent claims upon those bodies. A body supplying data receives a report identifying instances of matching data within that body’s own records and between that body’s records and those of relevant bodies. Responsibility for taking forward and investigating matches lies with the body which supplied the data.
8. Before supplying data there is a clear onus on a body to ensure that the data is not only accurate but up-to-date, for example, any errors identified by previous data matching exercises must have been corrected.
9. Significant emphasis has been placed on data security. Bodies are obliged to use the secure, NFI web based application to submit their data. Data is encrypted and uploaded directly from organisations’ computer systems over a 128 bit SSL connection; the data is held on secure servers and there is strict password access. Each data set is reduced to the absolute minimum that will be used for data matching or for investigators if there is fraud.
10. When data is no longer required it is deleted and rendered unrecoverable using specialist software. This is done after any queries have been resolved and, in any event, within six months of the conclusion of the exercise.
Successes to date
11. In the most recent exercise some 1500 bodies participated. Overall, the NFI has helped participants to detect fraud and overpayments in excess of £440 million. The results of the 2006-07 exercise identified £140 million of fraud and error.
12. Successes have come in a wide range of data matches. In GB, local authorities are responsible for a number of payments, such as housing benefit and residential care payments. In one authority alone the last exercise revealed 11 care residents who had died but payments to the home had continued. A significant number of cases have been identified where housing benefit has been claimed by individuals for properties either where they are not residing or even where they have sublet the houses to other tenants. In Birmingham Council, 30 employees resigned or were dismissed after it was discovered that they had invalid UK visas. In North Lanarkshire, 28 taxi drivers have been investigated for non-disclosure of work on their housing benefit applications. In Scotland, 270 cases were identified involving the continued payment of occupational pensions to deceased pensioners.
13. Participation of the Northern Ireland bodies has not been as extensive as in GB. Public bodies have participated to varying degrees in exercises run since 2000. However, there was a cautious approach to release of data as a result of the Data Protection Act 1998.
14. Only pension data have been supplied for matching against the death register in the more recent exercises. It is estimated that participation has resulted in identifying overpayments of some £4 million arising from fraud and error. There is likely to have been a deterrent effect, although that is difficult to quantify.
Forthcoming Changes
Serious Crime Act 2007
15. The Attorney General carried out a Fraud Review in July 2006, which drew up a range of proposals to make the government’s anti-fraud effort more effective. It highlighted that preventing and investigating crime was a fundamental responsibility of the public sector and that Departments should co-operate with each other at all times.
16. The report also recognised the central role of data matching in general, and the NFI in particular, in combating fraud.
17. An important outcome of the Fraud Review was the inclusion of data matching provisions in the Serious Crime Act 2007 which came into force on 6 April 2008. Under the Act, the Comptroller and Auditor General for Northern Ireland (C&AG) has been given powers to conduct data matching exercises for the purpose of assisting in the prevention and detection of fraud.
18. Any body whose accounts are required for auditing by the C&AG, or by a local government auditor, will be subject to mandatory participation in the data matching exercise. There is also provision for voluntary participation, i.e. regardless of whether a body is a public sector or private sector organisation, it could participate in a data matching exercise run by the C&AG if he decides that it is appropriate to use that data. In some circumstances, the C&AG may require certain bodies, such as a local health trust, to provide information for a data matching exercise.
19. The legislation also provides for disclosure of information. Therefore, the Northern Ireland Audit Office (NIAO) can disclose data obtained for the purposes of data matching to other public sector agencies, including the Audit Commission and the Auditor General for Wales.
Code of Data Matching Practice
20. Under the legislation the NIAO is required to prepare a Code of Data Matching Practice, which will govern all data matching exercises conducted by the C&AG. The NIAO is required to consult with the Information Commissioner, bodies subject to mandatory participation, and any other bodies or persons they consider should be consulted. The Code went out to consultation on 12 March 2008 and the NIAO expects to present the finalised Code to the Assembly in July 2008.
21. The purpose of the Code is to help ensure that the C&AG, the NIAO and all persons and bodies involved in data matching exercises comply with the law, especially the provisions of the Data Protection Act 1998. It is also intended to promote good practice in data matching and to let individuals know why their data is matched and by whom, the standards that apply and where to find further information.
22. The NIAO is required to comply with the Data Protection Act 1998, so the Code will set out clearly the responsibilities of the C&AG and participating bodies, addressing such issues as governance arrangements, fair processing, quality of data, security arrangements, disclosure of data, etc.
The Way Forward
23. The NIAO plans to begin its first data matching exercise, which in practice will be undertaken by the Audit Commission on behalf of the C&AG, in October 2008. As part of that exercise, NIAO proposes to disclose Northern Ireland data to the other public audit agencies for cross jurisdictional data matching, therefore fully engaging in the NFI.
24. The Committee welcomes the close working relationship between DFP and NIAO in addressing fraud issues. DFP has already highlighted to departments that resources will have to be allocated to checking out matches which arise in the exercise. DFP has already held conferences for public sector bodies and has raised these issues at regular meetings of accounting officers and board members.
25. The Committee views the NFI as a key tool in the armoury against fraud and error, issues which the Committee has consistently highlighted in other reports. The amounts identified as potential savings are considerable and to these must be added the savings attained through discouragement of those who would want to defraud the system, knowing that they are now, more than ever, likely to be caught.
Recommendations
26. The Committee will want to demonstrate its ongoing support and looks forward to being informed on the outcome of the consultation exercise on the Code of Data Matching Practice and of any problems or sensitivities as the programme rolls out. We therefore recommend that NIAO pays attention to ensuring that its processes, and those of other participants, are in line with best practice. The highest levels of data security are particularly important.
27. The Committee recognises and welcomes the potential for NFI to identify individuals who qualify for the various benefits in the welfare system, but have not received the benefits due. It will therefore be seeking assurance from the C&AG, that appropriate use is made of the initiative, as it develops, in this regard.
28. To oversee the subsequent operation of NFI, the Committee intends to review its outworkings. Given that the C&AG intends to carry out a stocktake following the proposed October 2008 exercise, the Committee will call him to report on the results of the initiative at that stage.
Appendix 1
Minutes of Proceedings
of the Committee
Relating to the Report
Thursday, 3 April 2008
Senate Chamber, Parliament Buildings
Present: Mr John O’Dowd (Chairperson)
Mr Roy Beggs (Deputy Chairperson)
Mr Thomas Burns
Mr Jonathan Craig
Mr John Dallat
Mr Simon Hamilton
Mr David Hilditch
Mr Trevor Lunn
Mr Ian McCrea
Mr Mitchel McLaughlin
Ms Dawn Purvis
In Attendance: Mr Jim Beatty (Assembly Clerk)
Mrs Gillian Lewis (Assistant Assembly Clerk)
Mrs Nicola Shephard (Clerical Supervisor)
Mr John Lunny (Clerical Supervisor)
Apologies: None
The meeting opened at 2.00pm in public session.
2.02pm Mr Hamilton, Mr Dallat and Mr McLaughlin joined the meeting.
2.05pm Ms Purvis joined the meeting.
4. Presentation on the National Fraud Initiative.
The Committee received a presentation on the National Fraud Initiative from Mr Peter Yetzes, Associate Director, Audit Commission, Mr John Dowdall CB, Comptroller and Auditor General, NIAO, Ms Janet Sides, Assistant Auditor General (Acting), NIAO, and Mr David Thomson, Treasury Officer of Accounts, DFP.
The witnesses answered a number of questions put by the Committee.
3.22pm Mr Burns left the meeting.
3.58pm Mr McLaughlin left the meeting.
4.02pm The evidence session finished and the witnesses left the meeting.
[EXTRACT]
Thursday, 22 May 2008
Room 144, Parliament Buildings
Present: Mr Paul Maskey (Chairperson)
Mr Roy Beggs (Deputy Chairperson)
Mr Jonathan Craig
Mr John Dallat
Mr Simon Hamilton
Mr David Hilditch
Mr Trevor Lunn
Mr Mitchel McLaughlin
In Attendance: Mr Jim Beatty (Assembly Clerk)
Mrs Gillian Lewis (Assistant Assembly Clerk)
Mrs Nicola Shephard (Clerical Supervisor)
Mr John Lunny (Clerical Supervisor)
Apologies: Ms Dawn Purvis
The meeting opened at 2.00pm in public session.
6. Consideration of Draft Committee Report on National Fraud Initiative.
Members considered the draft report paragraph by paragraph. The witnesses attending were Mr John Dowdall CB, C&AG, Mr Kieran Donnelly, Deputy C&AG, and Mr Joe Campbell, Audit Manager, NIAO.
Paragraphs 1 – 28 read and agreed.
Agreed: Members ordered the report to be printed.
Agreed: Members agreed to launch the report on Thursday 12 June 2008.
Agreed: Members agreed that they would not hold a press conference.
[EXTRACT]
Appendix 2
Minutes of Evidence
3 April 2008
Members present for all or part of the proceedings:
Mr John O’Dowd (Chairperson)
Mr Roy Beggs (Deputy Chairperson)
Mr Thomas Burns
Mr Jonathan Craig
Mr John Dallat
Mr Simon Hamilton
Mr David Hilditch
Mr Trevor Lunn
Mr Ian McCrea
Mr Mitchel McLaughlin
Ms Dawn Purvis
Witnesses:
Mr John Dowdall CB |
|
Northern Ireland Audit Office |
Mr David Thomson |
|
Department of Finance and Personnel |
Mr Peter Yetzes |
|
Audit Commission |
1. The Chairperson (Mr O’Dowd): We will now have a presentation on the national fraud initiative (NFI). The Committee welcomes Mr Peter Yetzes, who is assistant director of the Audit Commission, Mr John Dowdall, the Comptroller and Auditor General, Mrs Janet Sides, who is the acting assistant auditor general of the Northern Ireland Audit Office, and Mr David Thomson, the treasury officer of accounts.
2. Mr John Dowdall CB (Northern Ireland Audit Office): We will take the liberty today of giving an extended opening statement. To that end, Janet will first introduce our plans for the national fraud initiative, and Peter will outline the background from a Great Britain — and Audit Commission — perspective.
3. Mrs Janet Sides (Northern Ireland Audit Office): As I am sure that members are aware, the national fraud initiative is at the forefront of tackling public-sector fraud in Great Britain. Through new powers that were conferred on the Comptroller and Auditor General under the Serious Crime Act 2007, Northern Ireland can now participate fully in this initiative, which presents a significant opportunity to reduce the scale of fraud.
4. I intend to provide some background on the national fraud initiative, which Peter Yetzes will address in more detail later. I will also demonstrate the extent of participation to date of Northern Ireland’s public-sector bodies in the initiative and outline the Comptroller and Auditor General’s new statutory powers and how we propose to implement them.
5. What is the national fraud initiative? Identifying fraud is the first step in fighting it, and the national fraud initiative, which has been developed by the Audit Commission, has proved an extremely powerful tool in identifying cases of possible fraud. Using its audit powers, the Audit Commission has operated the national fraud initiative since 1996, with the aim of helping participating bodies protect the public purse from fraud and error.
6. The national fraud initiative is a computerised data-matching exercise that has been run every two years. Data matching is the process of comparing sets of data to determine how far they match. Matches usually occur when data are found in two data sets when the opposite is expected, which indicates potential fraud or error, for example, where a student has received both housing benefit and a student award, or where payment has continued after a pensioner’s death.
7. Participation in NFI has not been confined to those bodies the Audit Commission is responsible for auditing. It also includes many other Government bodies and private pension schemes from across the UK. In the most recent exercise — NFI 2006-07 — some 1,500 bodies participated.
8. Overall, the national fraud initiative has helped participants to detect fraud and overpayments that are in excess of £400 million. The results of the 2004-05 exercise identified over £111 million of fraud and error. Indications are that the results of the most recent exercise will show substantially higher amounts.
9. Participation of the Northern Ireland bodies in NFI has not been as extensive as it has been in GB. Public bodies have participated to varying degrees in exercises that have been run since 2000. Data sets that have been matched included pensions, pay and housing benefit — pensions and pay were matched against housing benefit, and pensions were matched against the death register.
10. The inclusion of Northern Ireland data in the initiative has been relatively limited compared with other regions. That is because Northern Ireland has separate legislation and there was uncertainty over whether there was a sound legislative basis for the participation of local bodies in the initiative. The Data Protection Act 1998 engendered a cautious approach to the release of data. Owing to those legislative concerns, only pension data have been supplied for matching against the death register in the more recent exercises.
11. We estimate that that participation has resulted in the identification of overpayments of around £4 million arising from either fraud or error. There is also likely to have been a deterrent effect, though that is difficult to quantify.
12. I have given a brief summary of the involvement of the public sector in Northern Ireland to date; however, the position will change significantly as a result of the new data-matching provisions of the Serious Crime Act 2007.
13. The Attorney General’s Fraud Review of July 2006 contained a range of proposals to make the Government’s anti-fraud effort more effective. It highlighted that preventing and investigating crime was a fundamental responsibility of the public sector and that Departments should co-operate with each other at all times.
14. The report also recognised the central role of data matching in general — and NFI in particular — in combating fraud. It also cut through many of the arguments, technical or otherwise, that have been invoked to inhibit data sharing.
15. An important outcome of the Fraud Review and of the deliberations of other groups was the inclusion of data-matching provisions in the Serious Crime Act 2007. That legislation has put the Audit Commission’s NFI on an express statutory footing and has expanded its scope to include organisations beyond audited bodies. Importantly, it also introduced equivalent data-matching arrangements in Wales and Northern Ireland that gave the Auditor General for Wales and the Comptroller and Auditor General for Northern Ireland the power to conduct data-matching exercises in their own jurisdictions.
16. The Serious Crime Act 2007 has inserted new provisions into our audit legislation, the Audit and Accountability (Northern Ireland) Order 2003. The new provisions come into effect on 6 April 2008. There are several elements to those, some of which I will outline briefly. They provide for the Comptroller and Auditor General to conduct data-matching exercises for the purpose of assisting in the prevention and detection of fraud. That is not an audit power, and although the Comptroller and Auditor General may take that action as part of an audit, the sole purpose of the new power is to assist with preventing and detecting fraud.
17. Certain bodies will be required to provide data for a data-matching exercise. Any body whose accounts are required for auditing by the Comptroller and Auditor General, or by a local government auditor, will be subject to mandatory participation. Therefore, all central Government bodies — Departments, non-departmental public bodies (NDPBs) and health bodies — and all local government bodies, primarily district councils, must participate if requested to do so.
18. The Northern Ireland Audit Office may also conduct a data-matching exercise using data that have been provided by a person who is not subject to mandatory participation. Under the legislation, that is known as voluntary participation. That means that regardless of whether a body is a public-sector or private-sector organisation, it could participate in a data-matching exercise run by the Comptroller and Auditor General if he decides that it is appropriate to use that data.
19. In addition, the legislation provides for the disclosure of information. That enables the Northern Ireland Audit Office to disclose data that we have obtained for the purposes of data matching to other public-audit agencies, including the Audit Commission, the Auditor General for Wales and the audit agencies in Scotland. That is an important aspect of the legislation, as it will enable cross-jurisdictional data matching.
20. The legislation requires the Northern Ireland Audit Office to prepare a code of data matching practice on which we must consult the Information Commissioner, bodies that are subject to mandatory participation, and any other bodies or persons that we think fit.
21. The code of data matching practice will govern all data-matching exercises that are conducted by the Comptroller and Auditor General. Its purpose is to ensure that the Comptroller and Auditor General, the Northern Ireland Audit Office and all persons and bodies that are involved in those data-matching exercises comply with the law. Although the Comptroller and Auditor General has the statutory power to obtain data for data matching, compliance with the Data Protection Act 1998 is required. Accordingly, the code will set out clearly the responsibilities of the Comptroller and Auditor General and participating bodies, addressing matters such as governance arrangements, fair processing, quality of data, security arrangements, disclosure of data, and so on.
22. Importantly, it will also let individuals know why their data are being matched and by whom, the standards that apply, and where to find further information. The Northern Ireland Audit Office has produced a draft code of data matching practice. That was submitted for consultation on 12 March 2008, and responses to it are invited by 4 June 2008. The code, which is available on the Northern Ireland Audit Office website, is very similar to the codes that the Audit Commission and the Auditor General for Wales have produced for consultation. All those codes have been prepared in consultation with the Information Commissioner. It is hoped that the finalised code will be presented to the Assembly in July 2008.
23. Under the legislation, the Comptroller and Auditor General may conduct data-matching exercises or arrange for them to be done on his behalf. In practice, his data-matching exercises would normally be undertaken by the Audit Commission, which would carry out the key aspects of the exercise, including the collection and processing of data. The Northern Ireland Audit Office plans to begin its first exercise in October 2008, and that will run simultaneously with the Audit Commission’s next data-matching exercise. As part of that, the Northern Ireland Audit Office proposes to disclose Northern Ireland data to the other public audit agencies for cross-jurisdictional data matching. Thus, we will engage fully in the national fraud initiative process.
24. A priority for the Northern Ireland Audit Office is to firm up the list of participants and the range of data sets as soon as possible in accordance with the Audit Commission’s timetable for the next exercise.
25. As we progress the overall work programme, we must first catch up with the progress that the NFI has made in Britain. We wish to avail ourselves of our new powers, but at the same time, we want to use them wisely. In the first exercise, therefore, we will bring in as many data sets as is sensible. Accordingly, we propose to include those data sets that have already been included in previous NFI exercises, particularly those for matters such as pensions and housing benefit. We propose to include the larger public-sector payroll data sets, that is, Civil Service pay, teachers and the Health Service.
26. Other possible areas of work include data sets that are already under the aegis of the NFI, such as housing rents and creditors’ payments. We are also willing to consider data sets that may be volunteered by participants where there are clear indications that significant fraud exists. Responsibility for following up the matches that have been identified from an exercise will lie with the participating body, not the Comptroller and Auditor General. Therefore, participants will be required to proceed with those exercises in accordance with the procedures that they usually follow in the investigation of fraud and error.
27. I will now hand over to Peter Yetzes, who will give us an insight into what the Audit Commission has achieved. He may also give members a demonstration of the NFI secure website, which is the infrastructure that we will use to conduct our exercises.
28. Mr Peter Yetzes (Audit Commission): Good afternoon, and thank you for the invitation to give evidence to the Committee.
29. I run the Audit Commission’s national fraud initiative. Given that my name is quite unusual, it is very amenable to data matching. Later, if members wish, we will see how some of their names fit in to the data matching. [Laughter.]
30. Some of what I am about to demonstrate will be unfamiliar to you, but I will do my best to explain it in layman’s terms. That said, a great deal of technical know-how is not required to understand data matching. I will talk about the background so that members understand how we have reached this point. I will also outline the successes of the current exercise. Normally that is when people sit up and take notice, because it concerns real frauds and real case studies, some of which are quite surprising and worth looking at.
31. I will talk about the NFI process, because it takes account of elements such as data security, about which I am sure everyone is concerned. The wireless system permitting, I will try to give you a demonstration. That is bound to be brief, because the wireless system is working incredibly slowly, and you will probably all go to sleep if we try to do a full-length demonstration. However, we will try to show you the actual application, even if only in part. I will then talk about the impact that the Serious Crime Act 2007 has on the NFI in Northern Ireland, which I am sure will be of interest, and I will then try to inject a little humour towards the end of my presentation — if fraud can ever be humorous, that is.
32. London boroughs had a problem, which was picked up by the ‘Evening Standard’, with what was known as the Tube fraud. Students, or people purporting to be students, were wandering around London on the Tube, going from one borough to another, getting themselves student awards. In some cases, multiple claims were being made, and the fraudsters were making quite a good living out of it. For the most part, they were not even students. I offered the London boroughs the opportunity to share those data. Whereas normally we would conduct data matching within an organisation, we decided that in order to combat that particular fraud, it might be better to put all the data together into a single pot to try to determine who those serial claimants were.
33. That is exactly what we did. While we were doing that, we experimented with one or two other data sets, and although we found all those fraudulent claims, we found more housing-benefit than student-award fraud. When the initiative had been running for a short time, county councils outside London asked to be included, given that they were subject to the same types of fraud. Once the first wave of councils in the Home Counties became involved, a second wave that included councils in the Midlands and the north of England became involved. Therefore, what began as the London fraud initiative grew to become the national fraud initiative.
34. As it grew, we started considering other data sets, as we had started to explore other fraud risks. That included considering data on deceased persons, data from the student loan company, UK visa data, data on tenants of council properties, and those on asylum seekers. In just the same way that the initiative grew originally, as more data sets were considered, more became obvious targets for the national fraud initiative. Our presentation contains a diagram that shows that data for licensed taxi drivers, creditors and insurance — we are looking for serial insurance claimants against local authorities —company directors, parking, free travel, and care homes are possible sources of data investigation.
35. We then started to wonder what else could be done under the Serious Crime Act 2007. For example, we could become involved in cross-border data matching, we would perhaps like to see land registry data. Indeed, I will perhaps explain why we want Driver and Vehicle Licensing Agency (DVLA) and passport data. That constitutes a comprehensive series of data that could be used for matching, and it all started from one, well-publicised, but relatively minor, fraud in London.
36. The London fraud initiative developed into the national fraud initiative, which was first run in 1996. Every time that the initiative is run, more fraud is discovered. That is not because more fraud is taking place, although that may be the case — we are looking at more risk areas each time we run it, and we are getting more sophisticated in our methods of looking for fraud. The current exercise for 2006-07, which is just coming to a close, has detected almost £140 million of fraud. The figure changes every day as we receive results, but that is quite a big increase on the £111 million that was detected the previous time that the exercise was run. However, as I have said, that is because we are looking at new risk areas, not necessarily because there is more fraud in the system.
37. Our presentation contains a diagram that we used in our national report — the next national report will be published on 16 May — that shows the range of different fraud areas and overpayment areas in which we have been involved. The £132 million of detected fraud that was detected previously is now close to £140 million. Quite a number of frauds have been carried out by public-sector employees. The initiative not only gives the benefit of stopping fraudulent housing benefit claims, but it serves to identify individuals who are working in the public sector and who are known public-sector fraudsters. It therefore deals with two risks in one, so to speak.
38. This year, almost 60 council houses have been recovered from fraudulent tenancies, which is a big increase on previous years. It is still not enough, and we know that a lot more will emerge from the initiative. There are few specialist housing investigators in England, whereas there are a great many specialist housing benefit investigators. We do everything from identifying duplicate creditor payments to identifying failed asylum seekers, or those who have been refused a visa but are actually working or claiming benefits in the UK.
39. I will now outline briefly some particular cases that I think that people find most interesting. The case studies can be divided into the different sectors, the first of which is housing. I will detail a case study and give an example of an authority that has done particularly well in looking at the type of data match in question. The first such case concerns a person who has been a council tenant since 1997 and who exercised a right-to-buy discount of £26,000 in 2006. However, that person was only ever in the UK on a visitor’s visa that expired in January 2005. They had no entitlement to social housing and certainly had no entitlement to a right-to-buy discount.
40. I will not go through all the case studies, because they are contained in the submission that we have provided, but you can see the type of thing that we are able to find. Another of the case studies concerns a London borough that identified a tenant who had a second tenancy. The tenant had been allowing guests to use the local authority property, and the address had also been used to perpetrate other fraudulent activities. That property has now been recovered.
41. To return to the sector outcomes, one particular authority has done well in examining housing issues in particular. The London borough of Southwark is a relatively deprived area, and it has a huge housing stock, which is a factor that must be taken into account. To put that in perspective, it has about 60,000 properties, which is one of the largest local authority housing stocks in London or in England.
42. So far, the local authority has made savings in excess of £2 million from the current exercise. It has recovered 25 council properties, and there are many more cases in the pipeline: 65 right-to-buy cases are under investigation, and four deceased occupational pensions have been discovered. The latter cases involved people who formerly worked for Southwark Council and participated in its occupational pension scheme. We were able to tell the council that those people had died but that their pensions were still being paid.
43. The authority has been looking at single-person discounts on council tax, and it has found £146,000 of fraud. Indeed, I know that that figure has since increased considerably. It had also made payments totalling £80,000 to a private-care home after the death of a resident that it had placed there, because the death had not been reported by the care home. The council got rid of four members of staff who were ineligible to work in the UK because their visas had expired, or because they had been refused a visa in the first place. Those examples cover a range of matters, but the specialist area is housing, and the local authority has done exceptionally well in finding housing fraud, involving both tenancy and the right to buy.
44. The next subject is payroll fraud. I will describe a recent case study that members may find hard to believe. A chap who worked for an NHS trust left his employment, but he continued to submit time sheets for three years after he left — all of which were paid. He had moved to another trust, so, for three years, he was getting paid by the trust that he was actually working for and by the one that he had left.
45. The interesting point and an important issue in general, is that as well as the fraud having been detected — the chap involved is currently serving 27 months in custody — the case alerted the organisation to a system weakness. Therefore, the organisation could address the problem and ensure that time sheets for people who have left it cannot be passed for payment. The trust’s records were so poor that it was able to prove only £69,000 of fraud, as opposed to the £99,000 that the chap got away with. An ideal starting point for auditors is to discuss with any organisation the weaknesses in the payroll system.
46. Birmingham is another example of an enormous local authority that has a huge range of functions. However, we will examine what it has achieved with regard to payroll matches. In particular, that authority has done a great deal of work in matching its payroll to details of people who were in the UK on invalid visas, either because the visas had expired or had been refused in the first place. Thirty members of staff were dismissed or forced to resign because they had no right to work in the UK. That is a significant result, and, again, it is better than that that was achieved by any other individual organisation. The authority dealt in the same way with two failed asylum seekers.
47. The authority benefited from the NFI in other ways. We matched its creditors’ payments to see whether it had made duplicate payments, and we managed to find £231,000, which the authority has recovered. It also recovered council property and, as I mentioned previously, overpayments to private-care homes for deceased residents. The authority did well there also.
48. Looking at the case studies involving private-care homes, members will see that the first case, on which I will focus, is quite unusual. In that case, not only was the care-home resident deceased, the home itself was deceased — it had been demolished. However, payments were still being made to the home’s owner. I said earlier that members would sit up and take notice of some of the case studies.
49. Returning to sector outcomes, we will examine a case study involving housing benefit. There are several such case studies; we investigate hundreds of cases every year. Basically, the cases involve people who claim housing benefit while not declaring their income. That could be because they work for the public sector or because they have an occupational pension. However, the essential issue is non-declaration of income.
50. Moreover, we may pick them up because they claim housing benefit for one property, but may have another address; they may have a council property or be known to live in a private property somewhere else.
51. The next slide relates to one of the Scottish authorities whose participation has been organised by Audit Scotland. The Audit Commission provides it with data-matching services. During the current exercise, the North Lanarkshire authority has discovered that £467,660 of housing benefit overpayments and 53 frauds have occurred across all types of report. On submission of information about licensed taxi drivers, it was found that 28 taxi drivers had not declared their income on housing-benefit claims. That is not surprising, as we are informed that no taxi driver earns more than £10 a week anyway. The North Lanarkshire authority has had much success with the system.
52. Interestingly, other risk areas emerged that the authority wants us to investigate. It has become evident that there is a problem with certain licensed taxi drivers in some areas. For example, some individuals declare their clean licences to be lost, and are issued with replacements. If they need to renew their licences, but have built up points or are banned, they take the clean licences to their local authority for renewal, even when, in fact, they should not be driving. That is a new area that we will start to examine.
53. I shall finish off with parking. The Audit Commission has started to get involved with the abuse of blue badges, particularly because that is relevant to avoidance of congestion charges in London. We are aware that many blue parking badges for disabled people are used after the death of the badge holder. In the first case, the widow of the blue-badge holder was given a formal caution by the London Borough of Croydon, because for nine years after his death, she had re-applied for her late husband’s blue badge. That is becoming a frequent occurrence. There is much abuse. The disabled lobby is keen that we do as much as possible to try to help them to stamp it out.
54. I want to move on to security arrangements, because they are particularly important. The diagram gives examples of the types of data that we collect; on payroll, housing benefits and rent. In a traditional, conventional payroll file, there could be as many as 300 fields of different pieces of information, which include name, date of birth, and so on. The Audit Commission does not get involved in extracting the data in the first place: that is the responsibility of the organisation that provides it. However, we provide organisations with a specification that makes it clear that we want only a small number of fields. We do not take data for the sake of it.
55. We reduce each data-set type to the absolute minimum that will be of use for data matching, or for investigators if there is fraud. Therefore, payroll files will, typically, be reduced to 20 fields and rent files to approximately 15 fields. We take as little data as possible. You will be pleased to hear that current arrangements are that no information is downloaded to a CD-ROM; data is uploaded directly from the organisations’ computer systems to ours. The data is encrypted and comes to a secure website. That puts us a little bit ahead of the game in the light of some recent data losses of which you may be aware.
56. Once we are in possession of the data, it is held on secure servers. We do a huge amount of work on it in order to make it all look the same, so that it can be used for data matching. Any anomalies that look like they might be fraudulent, or that relate to an overpayment, are reported back to the participating bodies through the same secure website. There is strict password access to the information. Any data that is not needed, because it does not match, or any that is left at the end of an exercise, regardless of whether it has been needed, is deleted and rendered irrecoverable with special software. It is not the same process that occurs when someone deletes a file on his or her laptop, because that file will remain on the hard drive. We actually delete the data and, using specialist software, make it totally impossible for anyone to recover it. Of course, the entire process, as Janet mentioned, has become underpinned by the code of data matching practice.
57. Therefore, the data matches are accessed over the 128-bit secured socket layer. Committee members do not need to know too much about that. Suffice it to say that that is how the banking industry sends and receives data, and we have taken it to that level.
58. The upload facility is relatively new. It was introduced in August, and it has been fully tried and tested. We carried out a major data match, taking hundreds of data sets in relation to the electoral register and council tax, and that has worked exceptionally well. No one has had any difficulty in using it, and all the data have been secured.
59. We carry out a six-monthly audit review of the site. Private banking firms use the same data centre to carry out their security reviews, and we get a chance to see their audit reports. In the next few weeks, the Information Commissioner will carry out a security review of the data centre that we use.
60. I hope to run a software demonstration; I will come to back that if the IT permits. I have no idea how many people are currently using the service and it will take time to load. Things might get interesting.
61. This is an opportunity to explain the role of the Audit Commission. The exercise is run and badged completely by the Northern Ireland Audit Office, and the Audit Commission is in the background. We simply permit the Audit Office to use the infrastructure that has been built up. As we need to carry out cross-border data matching, there is no point in carrying out a separate exercise. One or other of us should do that so that we can share data, as well as match in our own regime.
62. The idea is that we bring project management expertise to the party. A data centre has been set up, and national fraud initiative software has been developed. Some data sources are involved in that, such as the Home Office, student loan companies, and so on. Those data will be of direct benefit to Northern Ireland. The Audit Commission collects those data, which can be matched against Northern Ireland data. Everything will be under the auspices of the NIAO, and the Audit Commission will be very much in the background, carrying out the function of data matching.
63. How will the national fraud initiative impact on Northern Ireland? We already collect core United Kingdom data, such as payrolls, housing benefit, and so on. Data on asylum seekers come to us from the Home Office, deceased persons’ data come from the Department for Work and Pensions, and UK visa data come from the Foreign and Commonwealth Office. All that can be matched against core data from Northern Ireland.
64. The data sets such as pay, occupational pensions, housing benefit, creditors’ payments, blue badges and housing rents are merely suggestions. Those are not agreed data sets. Above that, a decision must be made on the other key risk areas that could be addressed, such as the electoral register, rates and business rates. There are other things about which we will have no idea, because they will be local, emerging risks, and they will need to be discussed with the Audit Commission, as we build up the overall impact with the core data, to determine whether the national fraud initiative and data matching can assist in dealing with specific local risks. We may want to start thinking about other data sets that have parallels in England, Scotland and Wales. However, there are local risks that are specific to Northern Ireland.
65. If payroll data is submitted, it will be possible to match it to find housing benefit, income support or jobseekers’ allowance fraudsters; employees who have no right to work or to remain in the United Kingdom; and people who are off work due to long-term sickness but who are working elsewhere: there are many cases of that . The submission of payroll data will also help find people with incompatible work patterns — they are on two payrolls, and it is impossible to achieve both pieces of work because the hours conflict. That happens often, particularly in health.
66. Creditor data matches detect duplicate payments and the possibility of procurement corruption. The collection of that information has provided us with a national database of public-sector spend, so if we are alerted to a particular contractor, for instance, we can see who else is using that organisation.
67. Housing matches detect tenancy fraud and right-to-buy fraud, and help to trace former tenants’ arrears. Housing-benefit matches detect claimants with no recourse to public funds or people who have not declared their pay and pensions. The deceased-matching detects occupational-pension fraud, which is where payments continue to be paid to a family or neighbour, for instance, after the death of the occupational pensioner. Deceased matching also detects blue-badge abuse in cases where the blue badge is still being used after the death of the holder, and overpayments to care homes. Perhaps, at the end of the presentation, the software application can be demonstrated.
68. Under the Serious Crime Act 2007, we plan to look at several new areas, one of which is public safety. Our plans for the implementation of the national fraud initiative include child protection, in which wanted to get involved. We already collect payrolls from social services and education, and we want to run them, particularly against the sex offenders register, to detect if there are any paedophiles working in schools or social services, who, perhaps, got their employment before the new Criminal Records Bureau (CRB) checks were introduced. That initiative came about as a result of giving evidence to the Bichard Inquiry after the Soham incident.
69. Furthermore, we have had discussions with the police about using the database to help them track down absconders from justice, and on using the data in a different way: to work on identity fraud, which is a huge risk these days. Our approach will be to use the data from a series of silos to build up a picture of an individual who is using a false identity and applying for a benefit, but who does not have, for instance, a television licence or a driving licence, or who is not registered with a GP. That may be one way of cracking identity fraud, and we will pilot that.
70. Other areas are not specifically related to fraud. We hope to assist local authorities in council tax arrears, rent arrears and any other debts that may be owed to them. The database will not be used merely in cases where money is owed to a local authority and the person’s whereabouts are known, but in cases where the individual has absconded and the database might track him or her down. Moreover, the Attorney General has asked if the database can be used for unpaid court fines. We are looking into that: it could be worth approximately £75 million a year.
71. We want to introduce the payrolls of Departments and agencies to match against housing benefits. We also examine procurement issues. The development of work that was piloted a few years ago is under discussion with the Council of Mortgage Lenders. Its purpose is to track down owner/occupiers who claim housing benefit, and that will further help to detect landlord fraud. I cannot go into the detail today, but it is an important piece of work.
72. Cross-border matching will come about as a result of Northern Ireland’s participation, and the introduction of housing associations will bring in the remaining 50% of social housing stock that is not run by local authorities in England.
73. As a bit of a diversion, I found out who was going to be here today, and I have used some of your names to show you one of the techniques that we use to assist investigators who do not have any other matches —no National Insurance number or address, for instance. Some names are common, and others are rare, and that might persuade them that they have a good match and they might investigate. I thought it best to start with John Dowdall.
74. Do you have any idea about how many other John Dowdalls there are?
75. Mr John Dowdall CB (Northern Ireland Audit Office): Very few, I imagine.
76. Mr Yetzes: There are 29.
77. Mr Dowdall CB: I have never met any of them.
78. Mr Yetzes: I am not in the business of making introductions. [Laughter.] I know only how many times a name occurs. David Jones appears because it is the most common name in the UK. Does anyone wish to venture a guess about how many times that name appears? You would probably be miles out. At the last count, there were 14,687 people called David Jones. Therefore, if an investigator had a match between two David Joneses, and no other information, he or she might decide to move on and deal with a John Dowdall.
79. Forgive me for taking the opportunity to run the application using some of your names, and you are welcome to guess how many times they occur. There are almost 700 people called Thomas Burns, but not as many Simon Hamiltons as I would have imagined. Dawn Purvis —
80. Mr O’Dowd: There is only one Dawn Purvis.
[Laughter.]
81. Mr Yetzes: Actually, there are nine.
82. Mr McLaughlin: John Dallat is unique. There is definitely only one.
83. Mr Yetzes: There is definitely only one John Dallat.
[Laughter.]
84. Mr McLaughlin: Three would be too many.
[Laughter.]
85. Mr Yetzes: There is an amusing side to that; however, at the same time, such a result is quite valuable for investigators. In fact, statistically, if a name occurs 85 times or fewer and the date of birth is the same, there is a 95% probability that it is the same person, which is important for ensuring that investigators do not waste their time on false matches. As well as an amusing side, there is also a serious side.
86. On the subject of humour, I will show you a recent cartoon from local press in England. If you cannot see it, it shows an old man being escorted from his house to a police van, and a Government official saying:
“It’s my first hat-trick — an illegal immigrant with his dead grandad’s disability parking permit and ‘living alone’ … with a wife and three kids!”
That is a joke, but it illustrates some of the emerging, and sometimes quite powerful, results from data-matching.
87. I shall give you a quick demonstration of the data-matching application. It does not use real data, but, because one would expect to see names and addresses, it does use real cases that have been anonymised for training purposes. I had planned to show two or three data-match types, but the signal strength is very low, and the system is running so slowly that it might be dangerous to do that.
88. For someone entering the application, the initial screen is a summary of the different data match types received by the exemplar organisation. Report 66 happens to be displayed, which is a payroll-to-payroll data match. If I click on “view it”, we can see what a data match looks like. Hopefully it will not be too slow. For the most part, data matches consist of two lines of data: one that has been provided by the investigating body and one to which it is matched — an A and a B record. When I run the cursor over the first match, you can see that there are two lines for every data match — a white match and a red match.
89. Report 10 is an actual case that has been anonymised. It is quite difficult to view this particular data match because the data continues across the page, and I do not wish to tab across the page. Therefore, I can apply the “vertical view”, which allows me to look at two matched pieces of information. Items highlighted in orange match exactly: the surnames, forenames, dates of birth, National Insurance numbers, addresses and postcodes are identical.
90. This line of the presentation is the important part, as it shows the individual’s gross pay to date. Bearing in mind that the data was collected half-way through the year — we tend to do that either at month six or at month seven — the individual in question probably earned about £52,000 to £53,000 a year for whatever role she held in one authority. Moreover, she was either employed by, or on the payroll of, another organisation, where she earned approximately £24,000 a year.
91. This application can be used as a management system for fraud cases. Therefore we can see the investigators’ comments, that the case has been investigated, and that, while on three months’ long-term sick leave, this person has worked for another authority. It can be seen that action to recover the overpayment has commenced, and that a disciplinary process is in progress.
92. That case ended up with a resignation and a dismissal, and the recovery of the £3,000 overpayment.
93. If the system had worked quickly I would have shown you more examples. Ultimately, however, it is the principle that matters. The Committee has seen how the software works and how it is used. We develop the software all the time, and the next release of it will allow people to add comments, showing how their investigations are progressing. The other organisations that the investigations matched with will be able to see those comments, so they, too, will know its progress.
94. Given the speed of the software, it is dangerous to try to do too much.
95. The Chairperson: Thank you, John and Peter, for that useful presentation. You have shown that the system is beneficial for tackling fraud, securing public funds and for the collection of public funds that should have been spent. When I spoke to you yesterday, you mentioned another application of the software: it can be used to ensure that public funds, such as social security benefit, are paid out. The elderly are a prime example of a section of society who do not claim all of the benefits owed to them. Could the system be used to deal with that?
96. Mr Yetzes: Yes. Some years ago we had a case of an occupational pensioner who was shown as deceased by the General Register Office, although she was not. This individual’s state pension had been stopped for 10 years, and she was due a significant refund as a result of that. That case made us think that there was a possibility of using the system to ensure the uptake of benefits rather than just look for fraud, as we did when we operated the national fraud initiative. Certainly, the system can be used to look for people who fraudulently claim certain benefits and discounts — for example, in relation to council tax or rates. It is also possible, in a sense, to use the reverse side of the system to ensure that people who appear to be entitled to benefits but do not claim those are brought to the attention of the relevant organisation, which can then ensure that those people are offered the benefits to which they are entitled.
97. Mr Beggs: You indicated that the Fraud Act 2006 has facilitated your route into Northern Ireland by enabling data-sharing. Given that the fraud aspect allows that data-sharing, can that data currently be used for non-fraudulent investigations? If not, what legislative changes would be necessary to allow that? For example, the new rates relief for single pensioners over the age of 70 currently must be applied for by those pensioners, therefore that is one area where there is an urgent requirement for such data-sharing. The Government must know the details of everyone claiming a state pension, including the date of birth; therefore why can the new rates relief system not be implemented in a much more automated fashion?
98. Mr Yetzes: We are in danger of using the NFI to do things that perhaps other agencies should be doing already. Those agencies already have the data. The national fraud initiative matches one data set against another. Most rating systems, for example, have a reporting function of some sort that should show cases where people are not receiving a benefit to which they are entitled.
99. I am not averse to using the national fraud initiative for that purpose; however, I would not want to interfere with the management responsibilities of those who should carry out those functions. If they do not, then it can, by default, be used.
100. Mr Beggs: Can you clarify if data protection currently prevents the Government using the initiative for that purpose, unless pursuing fraudulent activity?
101. Mr Yetzes: No, specific bodies are not barred from using the initiative for that purpose. Under conditions laid out in the Serious Crime Act 2007, if the Audit Commission wants to use the NFI for wider, non-fraud purposes, it must get an order from the Secretary of State with a specific area in mind. For example, child protection or arrears-type issues are considered civil debts rather than fraud and, therefore, the Audit Commission requires a separate order from the Secretary of State to pursue such cases. However, the Audit Commission will not race forward, because there will be much work to do in the early days of implementing the Serious Crime Act 2007. We are currently drafting business cases in order to have those ready in 12 months.
102. The Chairperson: I have one other question for Mr Dowdall. I am sure that the Audit Office is looking forward to using the data references available to the national fraud initiative. Information on tax fraud and erroneous claims is already shared among the Social Security Agency, the Housing Executive and Customs and Revenue, and has demonstrated some limited success. Although I appreciate that we need time to catch up, what will be the financial benefits for us over the coming years?
103. Mr Dowdall CB: Probably the main benefits of the exercise will be fraud prevention. If properly publicised, a strong message can be sent out that defrauding the public sector will be more difficult in the future. I want to get on the front foot with that, as well as with the backdating process. If the Committee produces a short report, that may give a salutary call that it is worth issuing a warning to the effect that, in future, people who chance their arm will be more vulnerable to detection. Prevention sees enormous benefit from deterrents.
104. From our partial participation in the exercise in the past, a rough estimate indicated about £4 million of identified overpayments. With more comprehensive participation in the national fraud initiative from October, our minimum aim must be £4 million. However, at this stage my guesstimate is that the initiative will generate upwards towards £10 million of financial benefit. We will, of course, see how that works out.
105. Mr McLaughlin: It is a frightening, but fascinating, scenario, and the benefits are obvious. Prevention and detection are worthwhile, but there has been some discussion about using the initiative proactively to ensure that people have fully exercised their rights and claimed their entitlements. In another Committee it was discovered that data-matching could be applied to land and property registers, although they were not listed as one of the data sets that could be considered.
106. Mr Dowdall, data matching will usually be undertaken by the Audit Commission. Could you perhaps outline the rationale behind that, whether there will be a charge for that service, and how much that will be?
107. Mr Dowdall CB: In principle, the Audit Office can carry out those and undertake some small exercises itself.
108. It would not be cost-effective for us to duplicate the big databases that the Audit Commission already has the infrastructure and expertise to handle, and it would take us a long time to move up the learning curve. Therefore, we are pleased that, through the efficiency exercise, we have the opportunity to buy in to the national fraud initiative. Our participation so far has shown that the cost for each data set has not been high: for example, it costs a few thousand pounds for the type of data set that any large Department might have. Although the Audit Commission is revising its fees for the latest exercise, I am not concerned about the charges, because they are very small in comparison with the benefits.
109. Mr McLaughlin: Thank you very much for that fascinating presentation.
110. Mr Yetzes, paragraph 2.4.6 of the consultation draft states that those participating in data-matching exercises will have access to the guidance material and training modules that are on the Audit Commission’s secure website. What type of guidance and training will be made available?
111. Mr Yetzes: Due to the pace of my demonstration, the Committee will not have noticed that after logging on to the application, the first question that is posed to the user is whether he or she wants to read the guidance notes. Most users do not and plunge straight into matches, which is not a clever way of approaching the task, so we try to persuade them to read the guidance.
112. We have run several training events, and I have been to various parts of England, Wales and Scotland to train people who might use the application. However, given that there are so many participants, those events happen over a period of time, and many of those trained are not in post at the time that the data are made available to them. Therefore, we have decided to take a completely new approach: for every data-match type — whether it is payroll, housing-benefit or blue-badge fraud — there will be a training module on our secure website. There will also be an interactive section so that users can test whether they have understood the guidance. The application is not complex and takes only about five minutes to become familiar with.
113. Users will have training in their own areas so that anyone who is involved in one or more areas can do the training a day or a week before they begin the data matching so that they are comfortable with it and it is fresh in their minds. It is also part of the Audit Commission’s policy not to hold training events where they can be avoided, because people travel miles and spend a long time — as do we — to go to them. Therefore, in order to reduce our carbon footprint, putting the training programmes on the Internet seems to be the logical answer.
114. Ms Purvis: Is the code of data matching practice subject to an equality impact assessment to determine whether it is compliant with human rights legislation?
115. Mrs Sides: Yes; the legislation went through the appropriate procedures to assess whether it is compliant with equality and human rights legislation. We have issued the code to a range of bodies and invite feedback from them, which is what we are required to do under section 75 of the Northern Ireland Act 1998. We will then screen their feedback in accordance with our equality scheme.
116. Ms Purvis: Mr Dowdall, the consultation draft deals with the importance of fairness and transparency in processing data. What does the code require you to do in practice?
117. Mr Dowdall CB: I will ask Janet to answer that question, because she has focused on those requirements.
118. Mrs Sides: The code requires fair-processing notices to be issued to all individuals whose data may be processed in a data-matching exercise. That notification process is in accordance with the Data Protection Act 1998. The responsibility for issuing the notices lies with the participants rather than with the Comptroller and Auditor General. However, the code assists in that process by providing guidance on the process, and it includes examples of good practice in fair-processing notices.
119. When participants provide data to the Comptroller and Auditor General, they must submit a declaration that confirms compliance with the fair-processing notice requirements. It is then for the Comptroller and Auditor General to ensure that that has been complied with.
120. Ms Purvis: Paragraph 2.8.6 refers to participants confirming their compliance to the Northern Ireland Audit Office. Why is it your role to agree the steps that are necessary for participants to achieve compliance with those requirements?
121. Mrs Sides: That is important because we want to bring everyone on board with the data matching and to ensure that there is full compliance with the data protection legislation. However, perhaps Peter might be better placed to clarify that.
122. Mr Yetzes: That would occur with a number of participants with which we deal normally. It is impossible to go around and check. Even if somebody has produced a fair-processing notice, for example, how would we know whether it had gone to every household or employee? That is impossible to know. If we have doubts about whether anyone confirmed their compliance properly, the key element is to ensure that they become compliant. It is not a question of us not matching the data because an organisation has not achieved compliance — they have to achieve compliance as quickly as is practicable.
123. Where compliance and fair-processing notices are concerned, we try to work with each organisation to make sure that they do not spend a lot of money unnecessarily and that if they are communicating in any way with data subjects that they include those fair-processing notices. However, it is critical that individuals are made aware. The proof of that awareness is that occasionally when fair-processing notices are sent, the commission receives quite a lot of telephone calls from people saying that their friend’s aunt is a bit worried, for example, when they are actually talking about themselves because they have received such a notice. That is where prevention kicks in: people start to panic, and the best advice we can give is they had best tell their friend’s aunt that she should go to the local authority or to the Department for Work and Pensions and come clean. That is the best way of dealing with the matter. Therefore, the point is to ensure compliance with data protection, but there is an element of deterrence.
124. Ms Purvis: The consultation draft refers to retrospective fair-collection notices. Paragraph 2.8.18 gives examples of when issuing such notices might be impractical. Should it not be the right of every individual to challenge the data match and should every effort, therefore, not be made to notify the individual concerned?
125. Mr Yetzes: It is not always possible to be sure that everyone has been notified. For example, we talked a little about absconders who owe council tax or rent arrears. We do not know where they are. If we knew where they were, they would not be absconders. The data in any database will never be 100% up to date. There will be changes in payrolls. Given that people are often paid by bankers automated clearing system (BACS), they do not give notification of changes of address. Therefore, we try to come up with ways of notifying people that will be sure to come to their attention, should they choose to read it. For example, for payroll we try to put it on the payslips. Some people do not provide payslips any more; people have to go online to find their payslip. That means that if they do not receive payslips, they will never be notified.
126. The cost of sending out a separate letter must also be considered. For example, the largest pension scheme with which we deal has 500,000 members. Instead of sending 500,000 letters now, it seems to be a more appropriate use of resources to wait a few weeks and put the notice in a letter about a pensions increase or some such that was going to be sent anyway. It is not a question of deliberately notifying people retrospectively; it is about being sensible if there is some other way. If it is done retrospectively, the chances are that the actual data matching and the production of the results will still not occur until months afterwards. Therefore, it is not retrospective to the production of the results; it is just retrospective to the submission of the data.
127. Ms Purvis: May I ask further questions at the end of the meeting?
128. The Chairperson: Yes.
129. Mr Beggs: I am trying to understand why Northern Ireland has lagged behind England, Wales and Scotland where data protection is concerned, and the Comptroller and Auditor General’s submission suggests as much. Surely our data protection and other legislation are similar to those of other regions. If it is possible to have data matching elsewhere, why is it happening here only now?
130. Mr Dowdall CB: You are right. Our data-protection legislation was precisely the same as that elsewhere. I think that the problem was primarily connected to my powers, which are excellent for audit, but they were drawn up historically at a time when nobody had this kind of technology in mind.
131. As my powers in that area were not as strong as those of the Audit Commission, I began to cajole people to come in. They began to get worried about the data-protection requirements because as you know, data protection was new in 1998, and people were wary of the stringent obligation that it imposed on the public sector to handle data particularly carefully. As I had only weak powers, I found it extremely difficult to reassure people who were worried about the careful application of data protection. In some ways, it was lucky that we managed to get even a few databases started, but we could not have continued on that basis. The Serious Crime Act 2007 was invaluable when it came along, and the Department of Finance and Personnel (DFP) helped us to take that on board and ensured that the new powers applied in Northern Ireland.
132. Mr Beggs: The memorandum mentions some experience of data matching in Northern Ireland, for example, for housing benefit, pensions and so forth. What have we learned to date from that experience that would help to progress a national fraud initiative?
133. Mr Dowdall CB: Although we considered housing benefit at one stage — for which there is a large database — the key lesson that we learned from our fairly limited participation is that the data match that comes back from the Audit Commission is only the first stage, in that it indicates that a problem may exist. Any participating organisation must be geared up to putting some resources into investigating those matches in a planned and sensible way, otherwise they sit on the shelf until they are out of date and full advantage is not taken of them.
134. Therefore, this time, we will take particular care with gearing up participating bodies to the fact that when they receive data matches after the October exercise, they must be prepared to put in effort on the investigatory side.
135. Mr Beggs: My final question is for Mr Yetzes. I did not see child-maintenance payments listed, but a previous investigation found increasing amounts of moneys owed to the Child Support Agency (CSA). One outcome of that is that many children live in poverty, because parents, primarily fathers, have absconded and not passed on their details to the agency. Have you included child-maintenance payments in your system already? Is that, or could it be, a live application?
136. Mr Yetzes: I will be frank: we have always studiously avoided child-maintenance payments. As the databases were being developed, many organisations started to ask questions. One particular question, which was asked by fire services in the UK more than anyone else, was whether data would be shared with the Child Support Agency. I am not quite sure what the link is — one suggestion was that it may be something to do with ladders. There was a great deal of concern about the matter, and we stayed clear of the CSA. Dealing with the CSA is not in our audit remit: we are not the National Audit Office; we are the Audit Commission, and the services that we support do not include child support. Therefore, it would be an intrusion into someone else’s domain.
137. We stayed clear of one or two areas; for example, we do not want data from credit reference agencies, because people would get the wrong impression of what the NFI data are used for. It is as valid an application as many others that have been discussed today, and I am sure that over time, now that the Serious Crime Act 2007 is in force and the initial concerns have been overcome, we will assist in that area. Child-maintenance payments were not excluded for any particular reason; we simply wanted to show you what we are doing now, and you may be able to take advantage of that.
138. Mr Beggs: If I understand you correctly, the Child Support Agency could request information from you, although it may have to pay you for that kind of work. Is that a possibility?
139. Mr Yetzes: Yes.
140. Mr Dowdall CB: That will come into sharper focus for the Audit Office, because the Child Support Agency is in our remit, whereas it is not in that of the Audit Commission in Britain. The new powers mean that, for the first time, there is a link between us and child-maintenance payments, and we will have to consider that.
141. Mr Yetzes: The opportunities that exist in Northern Ireland will move it ahead of England because of the way in which the audit regime works here and the particular data that are available on a mandatory, as opposed to a voluntary, basis. If you take advantage of all those opportunities, Northern Ireland will be ahead of the game in relation to the risk areas that it can address.
142. Mr Burns: Paragraph 2.4.7 of the consultation draft refers to the legal requirements for data controllers to notify the Information Commissioner of, among other things, the provision of data to the Northern Ireland Audit Office and its agents. Failure to do so may constitute a criminal offence. Is there a responsibility on the Audit Office to confirm that that has been done before actioning the information that it receives?
143. Mrs Sides: Organisations that process personal data are required to notify the Information Commissioner. The Northern Ireland Audit Office is registered for a range of purposes and has recently been laising with the commissioner regarding the inclusion of the Comptroller and Auditor General’s new power to data match. Participants are also required to ensure that their registry entry with the Information Commission covers the provision of data to the Comptroller and Auditor General for the purpose of preventing and detecting fraud.
144. I understand that it is up to the Information Commissioner, not the Comptroller and Auditor General, to ensure that a participant is registered. However, I also understand that the Audit Commission has been giving the matter some thought recently and has been laising with the Information Commissioner.
145. Mr Yetzes: To put the meat in the sandwich, so to speak, from the Information Commissioner’s point of view, the Audit Commission has agreed an informal protocol whereby it will advise the commissioner of every area of data that it introduces into the exercise, so that the commissioner can consider them. The Audit Commission wants to ensure that it does not proceed in an area that the Information Commissioner thinks is inappropriate, or that it is carrying out data matching that would cause the commissioner concern. I do not think that that is likely to happen, because we are mindful of the appropriateness of piloting data matching properly and ensuring that fraud is detected. The Audit Commission includes the Information Commissioner in its quarterly meetings. I believe that such information will spread to the other audit agencies, so that we keep the Information Commissioner fully briefed on all the areas that are going through the national fraud initiative.
146. Mr Burns: Data security is obviously a major concern, and section 2.10 of the consultation draft deals with that. Has the national fraud initiative experienced any security breaches in the exercises that it has run in earlier years?
147. Mr Yetzes: No, I am pleased to say. Although the Audit Commission is delighted that it has never lost any data and that there has never been any breach of security, it is important to understand that that does not sound as though the organisation is complacent. However successful one is, one is only as good as the next exercise and the next disastrous revelation about lost data. In my presentation, I tried to explain how we have moved on to being in such a situation. Even though we have a 100% record, we were timely in producing the new upload facility with automatic encryption. Any data that come in must do so in that way. When I say “must”, the protocol is that our audited bodies must send the data in via that secure process. That does not mean that I can actually physically stop somebody putting data on a CD and sending it to us in the post, although if we receive the information we will use it. However, the protocol goes beyond that. If we receive the data in that way, we will trigger an instant email to the director of finance saying that his or her authority’s data have been put at risk and that it is unacceptable that data should be submitted in that format. The Audit Commission is doing everything in its power to not only ensure that it provides a safe facility, but that it insists that organisations use that safe facility.
148. Mr Craig: No doubt, Mr Thomson, you have been working closely with Mr Dowdall in progressing the matter. What is the role of the Department of Finance and Personnel in ensuring that the other Departments co-operate and pass on information?
149. Mr Thomson: Co-operation will not be the problem, because the process is mandatory and Departments will not have a choice. If there is a problem, it will be when the results come back and there are, say, 500 matches — the resources have to be available to deal with that.
150. The legislation having gone through, DFP is now ramping up awareness of the initiative. A major conference was held at the beginning of March, which was attended by Peter Yetzes and representatives of the Audit Office, and at which the Committee Chairman, Mr O’Dowd, gave an introduction. The event was attended by over 200 people, and virtually every public-sector body in Northern Ireland was represented.
151. Just before Easter, I had one of my regular sessions for accounting officers and board members, at which, again, the Chairman spoke. Five minutes were spent talking about the fraud-awareness initiative. We are now trying to illustrate to Departments the importance of the issue. Departments have to be ready to be able to address the issues as they arise, and that is where the challenge will be.
152. Having said that, several Departments are already working on such issues. The Committee has already heard of, for example, the Social Security Agency’s anti-fraud units that are already in place.
153. Mr Dowdall CB: It is enormously helpful that DFP is giving the initiative that kind of support. Willing participation is so much better than mandatory participation. The signals that DFP has been giving out are making it clear to Departments that there is plenty in this for them and that is not simply an audit-driven exercise. That has been helpful.
154. Mr Craig: Mr Dowdall, a lot of information will emerge from the data-matching exercises. Do you intend to report to the Public Accounts Committee (PAC) on the outcome of those exercises? If so, will that be on a monthly or yearly basis?
155. Mr Dowdall CB: There should be a report to the PAC at the end of each major run of the NFI exercise. The first reports will be particularly interesting. Our counterparts in Scotland — Audit Scotland — produced an impressive report at the end of their first run about 18 months ago. That will serve as a model for the kind of report that I have in mind to bring to the PAC.
156. The advantage of that kind of reporting, of bringing it to the PAC for it to comment on and possibly discussing it with the Committee, is that it keeps this issue in the public eye, which will create a deterrent as well as prevention and check-ups.
157. Mr Dallat: I was enjoying the presentation until my own name came up. Either I have disappeared, or my namesake at the University of Ulster has gone; I must ring him after the meeting. [Laughter.]
158. Given the increasing movement of people across frontiers between here, Europe and the Republic of Ireland, is there a wider dimension to the data-matching exercises?
159. Mr Yetzes: When we were first invited to produce a business case for new powers for the national fraud initiative, we asked that the Republic of Ireland and most of Europe be included. Obviously, fraud knows no natural boundaries. If people are making fraudulent claims from one part of England to another, the same could be happening between Holland, England, Germany and so on.
160. We also thought that it would useful for Northern Ireland agencies to be able to liaise with counterparts in the Republic of Ireland. Our requests were refused. It was decided that it was a step too far in the first instance and that we should concentrate on building up the initiative by including the private sector and central Government, for which we do not have an audit remit. It was also thought that the other audit regimes should be included in the new arrangements. We accept that.
161. The widening of the data-matching exercises will probably happen in the future, but we have to prove the value of the new powers that we have been given and make them work successfully, which will provide a sufficiently persuasive argument to bring those other countries into the NFI fold.
162. We have, of course, spoken informally to auditors in other countries, and they are keen to co-operate. However, we have to wait for the appropriate legislation.
163. Mr Dallat: Therefore, it is not exactly a modern-day satnav yet.
164. The phrase “closing the stable door after the horse has bolted” comes to mind. Is it possible to use this measure before the money is sent or the crime committed? You and I know through previous PAC inquiries that the chances of recovering fraud money can be extremely high if the fraud is detected early.
165. Mr Yetzes: It would cost a fortune to build a system that enables us to use the national fraud initiative in the way in which you suggest. The fact is — and I speak for the Audit Commission — that 98% of our audit effort involves examining controls in the systems and ensuring that they are secure and adequate. The Audit Commission’s national fraud initiative is a tiny part of the audit effort. Therefore, by concentrating on ensuring that all the correct controls are in place and by having the national fraud initiative as a backstop, not only can we detect fraud that has slipped through systems that have control weaknesses, but our audited bodies and the external auditors can be advised where those weaknesses are so that they can address them. That is why when I discussed how much fraud we detected each year, I was at pains to point out that we keep the success rolling on by examining new risk areas. If we were to continue to focus on the same area, there would be a diminishing return over time. That is why I described a tree that illustrates all the different data sets. Our approach is to prove the success and then examine other areas. If an area is left alone for a while, over time, the level of fraud may build up again. However, we have been very careful to move the spotlight into other fraud areas. Unfortunately, there are always other fraud areas.
166. Mr Dallat: It is really a searchlight.
167. Mr Yetzes: Absolutely.
168. Mr Dallat: There is an old phrase “garbage in, garbage out.” Can you measure progress? If a system is not right in the first place, will the problems not be found?
169. Mr Yetzes: When an organisation sends in a data set, we provide that organisation with a data-quality report on the secure website. Thus, we are working to improve data quality as well. It may have been true that there were issues at the beginning of the process, but we are very advanced in our work now. One of the reasons that we have improved is that we are now collecting many more data sets. I will give you an example of data collection for housing rents and housing benefits in England. The quality of housing-rents data in England is quite poor. Often the forenames of tenants have not been captured — often just an initial has been provided — and there are no dates of birth, National Insurance numbers, and so on. That makes those data very unsuitable for data matching. However, many of those people are also on housing benefit, and records for that include a National Insurance number and a full forename. Therefore, before we carry out the data-matching exercise, we are able to improve the quality of the data while they are in our possession. We can then carry out the data matching to a much higher standard, even though the data might be relatively rubbish when they first arrived. Therefore, there is a lot of scope in the processes that we run to improve the quality of those data that we receive. Moreover, if the data are of a poor quality in the first instance, we tell the systems operators to address that problem.
170. Mr Dallat: That is very important.
171. Mr Hamilton: Section 2.11.1 of the consultation draft deals with the security of data transmission. Are those measures tight enough? Electronic transmission is mentioned, but encryption is not. There is also talk about the use of couriers — we all remember how the use of couriers was at the heart of the recent problem at HM Revenue and Customs.
172. Mr Dowdall CB: One of the points that emerged in Peter Yetzes’s presentation is that, in participating in the national fraud initiative, we will be relying entirely on an encrypted link. Those references are probably relevant only to action that we might take in future — we might carry out some small exercise on data matching locally using those powers, and that would be beyond the national fraud initiative. Following recent experiences, we too would be wary of using couriers.
173. Mr Hamilton: The consultation draft mentions the retention of data. Again, the recent losses of data show that old data can be just as sensitive as up-to-date information.
174. The code says that data will be destroyed “promptly”. How will you ensure that?
175. Mr Dowdall CB: That is one of the more reassuring points. The code makes it clear that we have to destroy data promptly — and, in any event, within six months of the conclusion of the exercise — unless it is being held for a specific purpose. It would perhaps be best for me to pass that question to Peter. He has experience of how data is currently destroyed, and we will simply match those methods.
176. Mr Yetzes: It is important to bear in mind that we will no longer be sent CD-ROMs containing data. We used to have a physical process of destroying all original data sets sent to us. In the past, that data reached us on cartridges, tapes and in all sorts of wonderful forms. We decided never to send that data back under any circumstances, but simply to destroy it, because it could have got lost in transit.
177. That is no longer an issue. The data is sent to us in encrypted form, via the web link. Every individual is entitled to password-protect that data. Our current destruction process is much more technical than the old method of crushing or mincing CD-ROMs. We now conduct a rigorous audit to ensure that all data is properly destroyed, even if it has not been used to data-match. A member of my National Fraud Initiative team — an IT auditor — personally supervises the entire process so that we can be confident that data has been destroyed and rendered irrecoverable.
178. It is not solely down to the commission to approve that process; in addition, we commission an external audit. The Information Commissioner organises an audit so that he can be satisfied that we actually do what we say we do.
179. Mr Hilditch: There is a reference in the memorandum to the voluntary participation of a person or body not subject to mandatory participation. Can you clarify the circumstances in which that would be relevant?
180. Mr Dowdall CB: When initially considering the powers that were coming forward, I focused on the mandatory bodies — those that we audit — rather than on the voluntary participation element. However, Peter has informed me that there is considerable interest from private sector organisations in GB in linking with the national exercise.
181. It is conceivable that, bodies such as banks and building societies may indicate interest in participation. If that happened, we would have to consider the benefits. Are any banks or building societies on board already?
182. Mr Yetzes: A wide number of private sector organisations supply detail of occupational pension schemes, and have those matched against deceased persons records. Deceased persons do not have data protection rights, so that is not a controversial matter.
183. There are benefits for the private sector. For example, private sector organisations are interested in knowing whether they employ people who are not entitled to be in the UK, and what risk they may pose.
184. However, there could also be a wider interest because those organisations could inform the Home Office of any employees who are not entitled to be in the country. Therefore, it is in the public interest and not merely in the private sector interest. For example, banks and building societies will be interested in redundant accounts in the names of deceased people, so that action can be taken. Pension schemes carry a liability with regard to deferred pensioners. If a deferred pensioner dies, the bank or building society wants to contact that person’s family to ensure that they receive their entitled benefits.
185. There is a balance to be struck. We try to uncover fraudsters and overstayers; however, we look for people who do not receive the benefits to which they are entitled.
186. There is much information to come from this process, and we are convinced that the private sector will play a big part in future.
187. Mr Hilditch: As ever, Mr Dowdall, there is a question of funding such initiatives. The memorandum says that, with DFP’s approval, you can charge a fee for data-matching. Is that how you intend to fund participation in the initiative? How much will that charge be? How will you collect it?
188. Mr Dowdall CB: The Audit Commission will charge us a fee, based on participating organisations. We will pay that fee and charge the individual participants.
189. As I indicated earlier, on the basis of past experience and the signals from Peter, the individual charges to organisations will be small — thousands rather than tens of thousands of pounds. I shall approach DFP for the approval necessary to charge Crown bodies for this exercise. The Department will probably agree that that is the right way to fund it.
190. Mr Lunn: In the consultation draft, it says that:
“the Comptroller and Auditor General will only use data to be matched where there is evidence of fraud or potential fraud.”
Please outline where you expect that evidence to come from. How will you know what databases to include?
191. Mr Dowdall CB: There are several sources, and I am already the auditor of all of those mandatory areas. It is part of my job, in auditing, to form a judgement on whether there is material fraud in the databases. In performing my function, I should have a feel for whether an area has a high, moderate or low vulnerability to fraud.
192. Supplementary evidence is available. If we know that a system in use here has yielded many fraud cases in GB, that gives a strong indication of the potential for fraud. If we are unsure, or if we include a new area, we are required to run a small pilot, to test that that is a sensible thing to do. The safeguards to ensure that we are not pushing at just anything are good.
193. Mr Lunn: The consultation draft states that failure to provide data may be a criminal offence. Most of the time the data will flow readily; however, can you assure the Committee that you will pursue those who fail to provide data and prosecute where appropriate?
194. Mr Dowdall CB: We could not tolerate a case where a public body did not conform to a mandatory legislative requirement. However, it would be almost inconceivable that a public body would take it to a point where we would have to prosecute, rather than just ask it to do it — or threaten to bring it before the Public Accounts Committee. There are many ways to crack that nut before it comes to prosecution, but, if that had to be done I would do it.
195. Mr Lunn: I think that that body would prefer prosecution.
196. Mr Yetzes: We have been running this exercise for ten years or more. It has always been mandatory for all of our audited bodies. We have never needed to prosecute, as long as we work on persuasion. Prosecution, in lieu of the data, would be of no value to NFI, and the organisation would be alienated; therefore, we persuade. We have never had an incident where data was not provided.
197. Mr Lunn: The consultation document allows for provision of a “reasonable excuse”. What might be a reasonable excuse?
198. In some reports that the Committee has seen, an excuse offered — that may or may not be “reasonable” — is that the computer system is not up to the task of providing the information sought. Furthermore, it is possible that a Government Department might contest the interpretation of data protection.
199. Mr Dowdall CB: Legislation has clarified that. We have had many discussions of that kind with Departments in the past. The member is correct: there is room for differing perspectives on that in the absence of good case law on data protection. However, now that we have the Data Protection Act 1998 and our own legislative powers, it is clear that provision of such information is mandatory. It is mandatory for everyone to comply with the code of practice that safeguards that data protection.
200. Mr Lunn: If you were conducting an investigation, and you knew that input from a non-mandatory participant would be extremely useful, is there any way that you could demand that participation? Do you envisage any situation in which you have the power to demand it?
201. Mr Dowdall CB: I cannot think of any. Outside the mandatory area — which is essentially the public sector that I audit — I have no audit, or other investigatory, powers to deal with that. It would have to be done by moral persuasion, although the Northern Ireland Audit Office has considerable credibility to do that. I do not say that I could not compel such bodies to participate; only that I have no power to do that. If the Northern Ireland Audit Office had a very good case, with Government support, for going to banks and building societies, I have no reason to think that they would not co-operate.
202. Mr Yetzes: In the private sector, the Audit Commission, largely, pushes an open door. The key to any data-matching exercise is to look for mutual benefits. If data is asked for simply because it is useful in data-matching exercises, with no benefit for the provider of the data, those exercises are likely to be unsuccessful. Why would a body volunteer its data unless it gets something out of the exercise? Bodies could be asked to provide data in the public interest, for example, but gaining their participation is much more likely if the benefit to them can be demonstrated. There are always benefits and, approaching those bodies on that basis can be quite persuasive.
203. Mr I McCrea: In the memorandum we see that the new data-matching powers include local authorities. What plans do you have for district councils to participate, and what kind of data do you envisage receiving from them?
204. Mr Dowdall CB: Local authorities are included in this exercise, but the local authorities in Northern Ireland are very different from the bigger entities in GB that Peter deals with. We agreed earlier that it would be beneficial to involve local authorities in Northern Ireland, in a fairly small way, on their key databases. It would be a good idea to involve all of the local authorities, but only in regard to the large databases. Local authority pensions are already included in the national fraud initiative. That is probably the most important area. Payroll is another useful area across the public sector. It is also important to have access to creditor payments, because those throw up duplicate payments, to which every organisation is vulnerable. That is a very good check.
205. Mr I McCrea: The memorandum states that the Northern Ireland Audit Office must consult with the Information Commissioner and others. Can you expand on who the others are? Have any responses or concerns come through that area?
206. Mr Dowdall CB: It means others as the Northern Ireland Audit Office sees fit. The consultation document needs to be circulated as widely as possible, to ensure that it gets reasonable publicity. People need to be informed that the document is not just available for formal consultation, because those types of consultations do not attract many responses.
207. The Northern Ireland Audit Office made sure that there was good publicity in the press when the document went out for consultation earlier this month. It was copied to the people who are usually consulted on public sector issues, and the Northern Ireland Audit Office awaits the responses. There is normally a reasonable response from others who take an interest in consultation exercises, and there will often be comment from the voluntary sector area on matters like that.
208. Mr I McCrea: Is there a timescale for the close of the consultation process?
209. Mrs Sides: Yes — 4 June 2008.
210. Ms Purvis: The consultation code refers to access by individuals to data included in a data-matching exercise. Individuals could be refused full access to information held about them. It explains that individuals should be able to check the accuracy of the data held on them by approaching the participant.
211. The success of any data-matching exercise is based on the accuracy of the data in the first place. Committee members know from discussing previous reports that errors have been made by staff when inputting data. Should the part that says that individuals should be able to check the accuracy of the data be strengthened, given that the outcome might be that someone goes to prison? Will an individual be able to see the results and check their accuracy, or does that provision mean that the individual will be able check the accuracy of the data that was used prior to the data-matching exercise?
212. Mr Yetzes: Perhaps there is a misunderstanding: the data match has no status whatsoever. It is clearly indicated in all of our literature and on the website that a match is simply a match. If we want to go ahead and deal with it as possible fraud, the investigation starts there, and we must establish that the data was accurate in the first place. We have not had an opportunity to examine such cases today; however, sometimes we get a match in a serious report — for example, between pay and housing benefit — which has occurred because two different individuals are using the same National Insurance number. Therefore, NFI is used to clean up the data, because one or both of those individuals must be using the wrong National Insurance number. It does not mean that the individual will be sent to prison for having the wrong National Insurance number; it simply means that an error was made somewhere down the line. By matching the data, we have an opportunity to correct the mistake.
213. Members must look at the data-matching side of the NFI. We make every effort to improve the quality of the data by running reports that indicate that there is an error in the data — nothing more serious than that. A match might show, for example, that someone earning £50,000 claims £300 a week in housing benefit and does not declare his or her income. Even if it is clear that there is a perfectly obvious match and, prima facie, a case of fraud, that is not so — it is nothing more than a data match. We must investigate and provide the normal levels of proof that one would expect to find. No one will be locked up on the strength of a data match; only on the strength of a full investigation that demonstrates that fraud has been committed. No one should worry about that.
214. It is true that people should have access, through the data provider, to check that the information is correct. For example, many local authorities in England run regular checks on their housing-benefit systems, by getting in touch with HM Revenue and Customs to ensure that all the National Insurance numbers on their payrolls are correct. Therefore, bulk cleansing exercises are carried out. We recommend that — in fact, it is in the guidance on our website — to ensure that when data comes in, it is as clean as it can be.
215. Ms Purvis: I have one further question. The consultation document mentions complaints being sent to the Comptroller and Auditor General. If you are best placed to deal with complaints — although you might expect none — what type of complaints might you receive?
216. Mr Dowdall CB: That refers to the sort of complaint that goes to Peter, as distinct from the participants.
217. Mr Yetzes: They tend to be fairly seasonal. For example, when the fair-processing notices come out, we receive a handful of complaints from people who say that they do not want their data to be included in the exercise. Normally, we ask the individual participating body to deal with the concern in the first place, but, if is unable to satisfy the concern, we tell it to put the person in touch with us directly, and we will explain the nature of the exercise. In so doing — and this is really important — we explain what we will not do with the data, because people can panic and assume that all sorts of things will happen to the data. They will not have seen the presentation that the Committee has seen, they do not know that the data will all be destroyed at the end and that, if it does not match, it will never be presented to anyone, etc. We go to great lengths to explain what we do. However, occasionally, somebody will have a bee in his or her bonnet about that sort of thing and, in the end, we must disappoint that person, because the exercise is mandatory, and their data will be used. The data is subject to all the safeguards, and we cannot take it any further.
218. About eight years ago, someone took a complaint to the Pensions Ombudsman, which was rejected because the commission had acted totally within its powers and had ensured that the person received an appropriate fair-processing notice. In any case, it was not really clear what that person was complaining about.
219. Another gentleman objected to deferred pensions being used. A deferred pension is one that is frozen when an employee leaves an organisation. The data match was carried out to ensure that dependants of deferred pensioners who had died, or who had lost contact with the pension providers, receive the benefits to which they are entitled. I have no idea why anyone would wish to prevent that from happening. The match was carried out purely to ensure that appropriate benefits were paid — it was not about fraud at all. That gentleman eventually calmed down when we explained the purpose of data-matching. Generally, there are not many complaints.
220. Mr Dowdall CB: I am slightly insulated from the complaints process, because I will never report on individual cases, but simply on the overall level of results. Therefore, individuals do not come into it.
221. Mr McLaughlin: If there were a match that then triggered a formal investigation, could you be drawn into the investigatory process on behalf of an outside agency? If you were asked to take another snapshot in any given year, would you examine a selected band of information that may demonstrate an anomaly, or the probability of fraud, for example, by location? Would you be contacted to assist in a further investigation to establish how much retrospection or history is involved in that?
222. Mr Dowdall CB: That is a possibility. We stand ready to assist all of the organisations that we audit and to advise them how to handle fraud issues. Generally, we do not get involved in fraud investigations, but we have an advisory role. We have a small unit that reviews all fraud cases and gives advice where appropriate. However, there may be cases that need examination in a broader sense — for example, if a match comes up in one area of the databases that we put into the national fraud initiative. That would lead us to believe that the individual involved, by the nature of his or her background or occupation, may be attempting fraud elsewhere in the system, and draw the name to the attention of other areas. At the least, we might suggest to the participating body that it should think of sharing information on the names of known fraudsters with other public bodies that might be vulnerable to that kind of fraud. Therefore, there are wider links than simply the national fraud initiative, but it is not something that we focus on very much.
223. Mr McLaughlin: A case was publicised last year about a lady from this region who received tax demands for another individual. There was a similarity in the family name, but there was a complete mix-up for the revenue authorities in relation to one of the key identifiers, which may have been the social security number. The situation went as far as the initiation of legal action and persistent yearly demands for tax, on the basis of business and property of which the lady had no knowledge, or in which she had no involvement. It reached the point that she was able to identify the person with whom she was confused — but could she get the record straightened out? Therefore, in the mandatory participation, where you feel obliged to comment on the quality of information, or where you identify an anomaly, is it mandatory for agencies then to respond? If there is an issue with the quality of information, how do we put an end to that? It creates problems.
224. Mr Dowdall CB: I am not sure whether their response is mandatory.
225. Mr McLaughlin: Is it in their interest?
226. Mr Dowdall CB: It would be of great concern for Departments if we in the Audit Office were to tell them that we were not happy with the quality of their data. There are consequences for those Departments if they do not accept that fairly quickly. That puts a considerable impetus behind the need for a response. The difference in the case you mentioned is that HM Revenue and Customs is outside the network. At the moment I do not audit that organisation, and it is not involved in the network in GB.
227. Mr McLaughlin: It is a particular example, but not an unusual one. It turned out to be surprisingly difficult to change the official record.
228. Mr Dowdall CB: That is an example of how, against all expectations, something is taken much further than it should be taken, and it is a salutary warning for all of us in that area. Certainly, if any organisation displays a pattern of poor-quality data, or poor-quality processing of the data-matching information that they receive from the Audit Office, that is something in which I, as Comptroller and Auditor General, am bound to take a strong interest.
229. Mr Lunn: I would like Mr Yetzes to comment on the experience of the project in GB, particularly on the cost of the whole exercise. There were recent reports that the famous Child Support Agency was successful in recovering some arrears; however, the cost of recovery was more than the amount that was recovered. From the figures you have given us I get the feeling that the process is becoming highly cost-effective. Can you provide a figure to show that?
230. Mr Yetzes: The returns tend to be something like 100 to one, or better. It is a very low-cost exercise, because of the way the process was built. We have been asked whether we could not have created an exercise to run at an earlier stage, as the process deals with the post-payment stage. If one were to try to build an application that links in to everyone else’s systems and is constantly keeping a check, it would never work anyway, and it would have cost billions even to have thought about it.
231. This is a very low-cost exercise, and in a way it is quite low-tech. We have carried out data-matching exercises as IT auditors for around twenty years, and have simply taken techniques that we use locally, and applied them in a more global sense, taking advantage of our audit regime. The systems used by local authorities, for example, were not built to talk to each other, and there is no reason why they should have been. However, it has now become important to confront the spread of fraud. We can tell those authorities to provide us with the data; we look for the anomalies in it, and post the results out to them. The number of matches that we find makes it sensible to do it in one hit. All of the authorities and organisations can examine the data at the same time: they all have the same interest. It is an effective way of doing it at a low cost with high rates of return.
232. The Chairperson: If Members have no other questions, that leaves me to thank Mr Yetzes for coming to Belfast to present his work to us and show us how the system works. It is an interesting and intriguing project. I thank Mrs Sides, too, for her presentation and her work to date in the Audit Office in bringing the project to life here. We heard from Mr Dowdall that these important new powers will ensure that Departments here can take full advantage of modernising technology in tackling public sector fraud. I am sure the Committee will support the Audit Office in taking forward this new task.
233. The Committee would like to be kept informed about any problems or sensitivities, some of which have been raised today, as the programme rolls out. You have already indicated that you wish to bring us an early report on how the programme is working and on your first findings, and we will appreciate that. Thank you for your time.
Appendix 3
List of Witnesses Who
Gave Oral Evidence
to the Committee
1. Mr Peter Yetzes, Assistant Director , Audit Commission.
2. Mr John Dowdall CB, Comptroller and Auditor General, Northern Ireland Audit Office.
3. Mrs Janet Sides, Acting Assistant Auditor General, Northern Ireland Audit Office.
4. Mr David Thomson, Treasury Officer of Accounts, Department of Finance and Personnel.