What the DEA board had sight of, compared with what the DfE and the DWP were doing in practice, do not appear to match. Only part of their fraud detection data sharing practices, were done under the fraud detection powers of the DEA. What does this mean for the validity of the internal DfE processes to have multiple-access routes?

2016/17 DEA becomes law with Codes of Practice setting out accompanying obligations. This includes that, “You must be transparent about your use of the powers so citizens can understand what data is being shared, the bodies that are disclosing or receiving data, and why.”

This is not what the ICO found in 2019 about DfE practice, or when its 2020 audit declared explicitly,The DfE are not providing sufficient privacy information to data subjects as required by Articles 12, 13 and 14 of the GDPR,and,“The DfE are reliant on third parties to provide privacy information on their behalf however, this often results in insufficient information being provided and in some cases none at all which means that the DfE are not fulfilling the first principle of the GDPR, outlined in Article 5(1)(a), that data shall be processed lawfully, fairly and in a transparent manner.”

That has not meaningfully changed in 5 years since the ICO finding.

2018 in April the DfE register shows access by the DWP of National Pupil Database for a pilot of fraud detection. “A request was received from DWP involving 185 child identities to be checked against the National Pupil Database. Of the 185 child identities, we were able to positively match one and confirmed this to DWP as a ‘Y’ only.”

2019 The DfE approves millions of national pupil records’ distribution to the DWP for a wide range of purposes from all sorts of pupil databases. Given the fraud detection purposes, we have asked, how does the DfE ensure there is oversight of and firewalls between the different uses of data given to the same department the DWP, and over time? Distribution was various methods including “via the Kingston encrypted USB stick via courier”.

2022 the DfE and DWP pilot proposals appear to have first been mentioned at the June 2022 DEA board meeting.”RT presented a pilot proposal between DWP and DfE to prevent fraud (DEA/F/26) against DWP”. The Review Board requested for DfE’s DPIA to be sent to the DEA Secretariat, clarified there was no offshoring of data, and accepted, subject to amendments, the pilot for submission to the Minister.

But the pilot was in 2018 already. The response that we got in May 2024, suggests the “official” data sharing pilot under DEA powers began only in January 2023. “The register records this data share between 1 January 2023 and 13 April 2024. However, the pilot’s end date has now been extended to 12 October 2024. The register has been updated to reflect this.” The question should therefore be asked whether the 2018 pilot was lawful or not? If it was, and under powers prior to those used in the DEA, then are the DEA powers necessary? If it used DEA powers in 2018 why did the DWP/DfE not seek board approval? But if the “official pilot” between DWP and DfE approved by the DEA board under the DEA powers was the only lawful one, then was the 2018 pilot not lawful, and what are the implications?

In January 2024 we made a request for some information about the DfE-DWP sharings. The original requests and replies exchanged between the DWP and the DfE are available here at WhatDoTheyKnow.com. One form was removed from release by the WDTK team on request, after it was found to contain sensitive personal data.

In Spring 2024, the DEA fraud powers were reviewed.

May 9th 2024 Schools Week published news of DWP access to the NPD to “let the benefit fraud team snoop on pupil data just ahead of the closing stages of the Data Protection Bill, that contained controversial powers for the DWP to be able to receive information from any bank about users accounts, with the policy proposal for the DWP to ask banks to flag signals of welfare benefit fraud to the Department.

May 17th 2024 DDM wrote to the DEA Fraud board on May 17th 2024 and received this response from the Cabinet Office together with minutes mentioning the only “pilot” approved under the DEA powers from 2022. The response claims that “Currently there is no BAU or wider scale data share in place” but does the existence of the MOU not suggest that there is?