I agree with your observation as well from a "systems" perspective. It makes a lot of sense to firewall the enforcement side (prosecution etc) from the investigative. They have different inputs and outputs and confusing them into a single component as you have implied is intended does not build confidence of consistency in how things will be handled.
More fundamentally you don't mention the source of the proposal so it is hard to comment. But from the top Is "fraud" defined in the context of these proposals? You mention a question about "intent" but shouldn't proportionality by built in too? For instance does the legislation, documentation and systems that are engaged in administering the services such as forms and processes, description of "rights" and access create a level of inevitability that some threshold of mistakes should be expected? That implies not that leniency on fraud should be given but that the systems for administering public services particularly those that are self served by people can be in part culpable to mistakes being made both by "users" but also by public servants as well. I'm thinking here of those cases where child benefits were paid out by mistake and then clawed back in heavy handed fashion. Would the proposal support claims in the future that recipients should have been aware that they were receiving more than entitled and therefore were defrauding the public purse? This is potentially of concern if private companies are acting as the front end as they may have contracts making the responsible for the funds and so could be incentivised to act in heavy handed ways to remedy their own or government errors. If they are also the prosecuting and enforcement agents as well. The outcome could become very toxic. C > Javier Ruiz <mailto:jav...@openrightsgroup.org> > 22 April 2016 at 17:38 > *Combating fraud against the public sector through faster and simpler > access to data* > > *General comments:* > > Fraud investigations can be a legitimate use of data sharing, if done > narrowly and proportionately and does not involve wholesale data > matching. > > These proposals contain considerable detail and have clearly been > thought through. Unfortunately, in our view they still need more work. > > Our main area of concern is the review of the powers and the apparent > lack of Parliamentary involvement, abandoning the sunset approach. > > Other issues: > > It is positive that the proposed new power is centred on enabling > pilot projects to test ways of preventing and combating fraud against > the public sector. It is unclear however, how this will be enforced in > the legislation. > > The Government proposes to extend the power to private organisations > that provide services to a public authority. As a safeguard the > proposed legislation limits that these types of bodies can only use > the data for the function that it exercises for a public authority. We > are not sure why the general power needs to be extended in such a > manner and these situations cannot be dealt with as part of the > contracts for service delivery. This needs to be explained, as in > principle we would be opposed to this. > > The drafting of the powers in the clauses is too broad, potentially > allowing any data to be ingested by public bodies for fraud purposes. > > The draft clauses include very different activities. Our understanding > was that the programme was about prevention, detection and > investigation of fraud. The actual draft clauses include: “prosecuting > fraud of that kind; bringing civil proceedings as a result of fraud > of that kind; taking administrative action as a result of fraud of > that kind”. Once that fraud has been confirmed we would expect that > normal procedures would take over. Extending the power to prosecutions > and enforcement is very different and needs more consideration and > better explanation. > > The proposals on fraud are sensitive because there is a thin line > separating it from errors, ultimately the intention involved. Indeed, > during the discussions with the Cabinet Office we looked at the use of > data to reduce administrative errors and prevent fraud as part of the > same processes. Error is now not mentioned except in passing, and > Government should explain why. > > More generally, there is a wider public policy debate as to the focus > of fraud investigations, and whether small scale fraud by ordinary > people, sole traders and small businesses is disproportionately > targeted in relation to tax avoidance by high net worth individuals > and corporations. In the three years since we started looking at these > proposals the social climate and potential legitimacy of such measures > have changed substantially. > > *10. Are there other measures which could be set out in the Code of > Practice covering the proposed new power to combat fraud to strengthen > the safeguards around access to data by specified public authorities?* > > More safeguards and limitations in scope should be set out in the > bill, and expanded in the code. > > The draft clauses have limitations on sensitive data (race, religion, > trade union membership…). It would be simpler to refer to data > protection law to avoid potential inconsistencies. > > Draft clause 3(2)a allows for the disclosure of data “which is > required or permitted by any enactment” and the next clause if it “is > required by an EU obligation”. These exemptions are too broad and > could make any safeguards practically useless. The clause does not > apply to HMRC data. > > To ensure that the disclosure of data under this power is consistent > with the Data Protection Act 1998, it is proposed that the legislation > explicitly states that data cannot be disclosed under the new power if > it contravenes the DPA or Part 1 of the Regulation of Investigatory > Powers Act 2000. This may not be enough, and both legislations are in > the process of being superseded. More specific safeguards should be > provided. > > A definition of personal information for the purpose of the power is > included in the legislation, covering legal persons. The relationship > to data protection - covering natural persons - needs to be clarified. > > It is positive to see a proposed Strategic Steering Group which would > include representatives from Government, interested Civil Society > Organisations and independent observers. > > We broadly support the proposed three stage process, moving from > validation to light analytics, to detailed analytics. However, > although it is true that at each stage the number of people under > consideration would be reduced, the richness of the data would > increase and new safeguards should be triggered. > > The proposed principles for the Code of Practice are sound, but there > is no reason not to mention some of them in primary legislation: > > /a. all participating organisations must submit themselves to audit by > the Information Commissioner;/ > /b. all participating organisations must publish Privacy Impact > Assessments in relation to their data disclosures once the power is > commenced;/ > /c. all participating organisations must periodically publish the > measurement data coming from the data sharing arrangements; and/ > /d. all recommendations of the Strategic Steering Group being > published and made available online./ > > Transparency over the data sharing is important, although we > understand concerns about hindering enforcement by tipping off would > be fraudsters. It would be important that impact assessments and other > documents are detailed enough to allow proper scrutiny. > > *11. It is proposed that the power to improve access to information by > public authorities to combat fraud will be reviewed by the Minister > after a defined period of time. This time will allow for pilots to be > established and outcomes and benefits evaluated. How long should the > Fraud gateway be operational for before it is reviewed?* > > It is proposed that the power be reviewed three years after it comes > into force, with a decision then taken whether to amend or repeal the > power. Criteria for reviewing the power would be published by the > relevant Minister. It is proposed that the review itself would be > carried out in consultation with the Information Commissioner’s Office > and other appropriate persons and the results published and laid > before Parliament. > > We do not have a view on the best time period but it should enable > proper assessment. It would be better to have a longer period than > rush an incomplete review. > > We are very concerned about moving away from a sunset clause, which > was the view taken during the open policy-making discussions. We do > not believe that carrying out a review and then providing the relevant > Minister the option to repeal the legislation is an equivalent > safeguard against potential future abuse. There is very little > evidence of legislation ever being repealed in such a manner. > > We can see the attractiveness of avoiding the need to reintroduce the > powers in primary legislation if the powers proved to be effective; > but not at the cost of abandoning Parliamentary approval. We don’t > agree that “the approach taken in the proposed legislation is > consistent with the spirit of what was agreed during the open > policy-making process”. > > The decision to continue with the legislation should not fall to the > Minister but Parliament. Interim procedures or some other solutions > would need to be found to ensure that was is working is not abandoned. > > Here, as in the rest of the data sharing process, we must find the > balance between flexibility and protection of rights. The document > makes this clear when stating that the current numerous express > gateways on fraud have been designed “to be specific to ensure a > smooth passage through parliament”. We must be careful that the > process does not appear to bypass future democratic controls. > > The successful completion of the pilot period would not simply trigger > the extension of the powers, but also their expansion from pilots into > wider use. Surely this will need to be discussed and agreed. > -- Christian de Larrinaga FBCS, CITP, ------------------------- @ FirstHand ------------------------- +44 7989 386778 c...@firsthand.net ------------------------- -- Please support ORG's work - join and help fund our future: https://www.openrightsgroup.org/join To unsubscribe, send a blank email to org-discuss-le...@lists.openrightsgroup.org or use https://lists.openrightsgroup.org/listinfo/org-discuss
