Resisting profiling: our response to the National Fraud Initiative consultation
PI submitted a response to the Cabinet Office’s consultation on the expansion of the National Fraud Initiative powers. The consultation is open until 5 May 2021.
- The proposed expansion of the National Fraud Initiative raises significant privacy and discrimination concerns.
- Insufficient information is currently available to truly comprehend the functioning and consequences of the NFI under the new changes suggested.
- PI is urging anyone with an interest in the National Fraud Initiative to submit their views by 24 March 2021.
We have set out our understanding of the NFI’s current functioning here.
The National Fraud Initiative is a data-matching exercise overseen by the Cabinet Office which allows a range of public and private sector entities to access personal data, exclusively for the purposes of preventing and detecting fraud. A current government consultation suggests expanding the NFI to include four new, wide-ranging purposes:
- Data-matching to assist in the prevention and detection of crime (other than fraud);
- Data-matching in the apprehension and prosecution of offenders;
- Data-matching to assist in the prevention and detection of errors and inaccuracies; and
- Data-matching to assist in the recovery of debt owing to public bodies.
We believe that the proposed developments to the NFI pose a threat to privacy and other rights and must be subjected to strong safeguards and transparency measures.
Below, we provide a brief summary of the issues we have identified so far.
It’s important to understand that the current iteration of the National Fraud Initiative (NFI) can only be used for the purposes of preventing and detecting a single crime: fraud. The proposed changes would make the NFI useable for all other crimes, but not just that: they also make it possible for extensive data-matching powers to be put to the service of other, much less urgent purposes, such as the detection of errors and inaccuracies.
Under the UK GDPR, data protection principles must be observed. These include, but are not limited to, transparency, fairness, purpose limitation, and data minimisation.
The proposed changes to the NFI foreshadow increased data processing, under the umbrella of extremely broad purposes, with little guarantees that the data processed will be kept to the minimum necessary, or that it will be fair. Alarmingly, the government will be able to usher these new changes without the benefit of extensive parliamentary scrutiny, through secondary legislation.
Expanded profiling powers
Neither the Consultation nor the Draft Code mention once the word “profiling”. However, that is exactly what the NFI entails. Profiling is defined by the UK GDPR as:
any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Profiling is understood to be so data-intensive in nature, that its extensive use automatically triggers an obligation to carry out a Data Protection Impact Assessment. The fact that profiling has been carried out for years in relation to fraud investigations is already concerning. The proposed expansion of the use of profiling for a range of new purposes raises significant additional concerns which must be addressed prior to implementation.
Lack of transparency
There is a lack of transparency on multiple levels, which is significant in at least three key aspects.
Firstly, we do not know whether the additional powers proposed will be effective in addressing the government’s concerns - in other words, whether they will actually work. It is inherently disproportionate for the government to engage in significant profiling, in circumstances where the potential benefits are undisclosed to the public, or simply unknown.
Secondly, there is no publicly available list of all participants to the NFI, meaning that we do not know all of the data recipients benefitting from the personal data stored in the NFI. Similarly, we still know very little about the ways in which participants as a whole can engage with the NFI, particularly in regard to the amount of granularity of data they can access in relation to a single individual and his family, and the range of inferences that they can make based on data accessed through the NFI. What we do know, however, is that there are mandatory and voluntary participants to the NFI, across the public and private sector: meaning that the number of recipients could potentially be unlimited.
Lastly, it is unclear what categories of data are fed into the NFI. While the publicly available data specifications (both public and private) go some way towards answering this question, they are not exhaustive. For example, we know that the Department for Work and Pensions and the Home Office share data with the NFI, but the Cabinet Office is silent as to the datasets that they provide. These omissions are significant, considering that both entities are known, respectively, to undertake surveillance of benefits claimants (see our investigation here) and asylum-seekers.
Fairness and legitimacy concerns
The NFI is grounded in the Local Audit and Accountability Act 2014, which empowers the Cabinet Office to carry out data-matching activities within the NFI framework, and lists the authorities which are legally compelled to hand over data to the Cabinet Office.
Based on this statutory grounding, the legal basis for data processing under the NFI for mandatory participants is, according to the text of the Consultation, the “public task” basis i.e. it is necessary for the performance of a task carried out in the public interest. By extension, whether or not the individual concerned gives consent is irrelevant: there is a lawful basis to process their data even if they do not consent to it. From a data protection standpoint, this approach has its limits: it can hardly be said to be fair, and legitimate, for the data of individuals to be accessed by a potentially unlimited number of third parties.
The potential impact of NFI data processing on equalities was recognised in a Data Protection Impact Assessment carried out in 2018 - back when the NFI’s functioning was limited to the detection and prevention of fraud.
Given that the new power to use data-matching in the prevention and detection of crime beyond fraud brings the NFI closer to a new law enforcement tool, it is possible that the use of the NFI for this expanded purpose may replicate the discrimination seen in the application of other law enforcement powers, such as stop and search.
Additional concerns arise when considering the potential opportunities that the NFI presents to enforcers of the hostile environment. As the NFI case-studies illustrate, the NFI has been used in the past to identify those without leave to remain both by public and private sector organisations.
To the extent that participants are able to run the data-matching exercise in relation to specific individuals, many public and/or private bodies may choose to carry out such “searches” in relation to individuals sharing protected characteristics. The Consultation and the Draft Code are silent on the existence of any safeguards to ensure that discriminatory results are avoided or, at a minimum, mitigated.
Punishing the poor
As we warned in 2020, the financial impact of Covid-19 foreshadowed an increase in automated data processing in the welfare realm. The UK quickly fulfilled this prediction, and went even further, putting on the table the use of profiling to facilitate debt recovery for public bodies.
The pandemic has ravaged individual and household incomes, pushing thousands towards debt. Just this year, the Financial Conduct Authority found that 1 in 4 UK adults were left financially vulnerable as a result of Covid-19. Earlier studies found that nearly 700,000 people had been plunged into poverty as a result of the economic crisis following the pandemic.
The expansion of the NFI to include debt recovery suggests that individuals having incurred public debt, including in the pandemic context, are likely to be targeted by NFI data-matching and therefore subjected to disporportionate data processing. Against the backdrop of the DWP’s surveillance practices, this new power entrenches the surveillance of the poor.
PI's response to the consultation can be found below.