Skip to main content

Eligibility Verification Measure in the Public Authorities Bill - Information Commissioner's response

The Public Authorities (Fraud, Error and Recovery) Bill was introduced to Parliament on 22 January 2025. It includes provisions to give the Department for Work and Pensions (DWP) and the Public Sector Fraud Authority (PSFA) more powers in order to recover losses due to fraud and error. 

Clause 74 and Schedule 3 specifically would introduce an eligibility verification measure (EVM), which would give the DWP power to give certain financial organisations an eligibility verification notice. Our understanding is that the notice would require the receiver to identify relevant accounts which specified benefits are paid into, or are linked to such accounts, assess the accounts against eligibility indicators in the notice, and where there is indication that incorrect payments have been or may be made, share specified details of the account(s) with the department. 

A similar measure (clause 131 Power to require information for social security purposes) was included in the Data Protection and Digital Information Bill (DPDI Bill) which fell in 2024. I previously published a response on clause 131 within the DPDI Bill. For completeness, I am publishing an updated response on the new proposal included in the Public Authorities (Fraud Error and Recovery) Bill. 

Updated Commissioner view

Ultimately it is the responsibility of government to determine whether this measure is necessary, proportionate and fair. It will also be the responsibility of DWP and those within scope of the legislation to ensure that they process information under this measure in compliance with data protection law. 

I recognise that recovering money lost to fraud and error in the social security system is an important and legitimate aim for government to pursue. Government also states that the measure will help to identify overpayments caused by error more quickly, helping claimants to avoid building up debt. However, these legitimate aims must be balanced with individuals’ right to privacy. 

I welcome that the government have reviewed the previous proposal under DPDI and sought to make changes within this bill which address some of my previous concerns. The measure now:

  • more tightly scopes the type of information that can and cannot be shared;
  • specifies those in scope of the power and the uses of the information gathered under this power;
  • requires that a code of practice must be issued before a notice is given; and 
  • includes a requirement for the Secretary of State (SoS) to appoint an independent person to carry out reviews of the functions under the measure. 

I consider that these changes have mitigated some concerns I previously raised with government on the proposal under DPDI. 

The importance of further specificity in the code of practice

I welcome that issuing a code of practice is now mandatory, and that it must be issued before a notice can be given. The code will be an important additional safeguard to ensure the government is transparent about the operation and use of the measure. It is therefore important that the government ensure that the code of practice includes sufficient detail, as outlined in the bill and the Explanatory Notes, to ensure that organisations within scope and the public are clear on their requirements and responsibilities.

I recognise that it will in some cases be necessary to share information about account holders who are not themselves in receipt of the specified benefits. It will be important that the code sets out clearly how these circumstances will be managed and the way in which this data will be handled, including the approach to ensuring these individuals are still able to exercise their data protection rights. 

Schedule 3 of the Bill would insert a new Schedule 3B into the Social Security Administration Act 1992. Paragraph 1 (3) of new Schedule 3B sets out some detail of the information to be shared by financial institutions with the DWP after receiving a notice, and examples are used to provide further context. The risk of sharing unnecessary and sensitive information is also mitigated by paragraph 1 (4) of new Schedule 3B which prohibits the sharing of transaction information or special category data. However, I would welcome more guidance in the code of practice to reinforce that only the minimum necessary information must be shared in order to identify the account and account holders and how the eligibility indicators have been met to suggest incorrect payments.   

The ICO will provide a response to the code of practice when it is out for public consultation. I look forward to continuing to engage with government as they develop the code of practice and the technical requirements to enable the measure.

The importance of ensuring necessity and proportionality and keeping the measures under review. 

The measure states that information given to the SoS in response to an eligibility verification notice can only be used to identify, or assist in identifying, incorrect payments or in criminal or civil proceedings relating to such payments. It does however allow for the information to be used to identify incorrect payments in any benefits. I consider using the information to identify incorrect payments for other associated benefits to be reasonable and compatible with the original purpose of the measure, where it has been made clear to individuals what benefits are associated with each other, and how eligibility for one may impact eligibility for the other.  

The measure limits the types of persons who can be served an eligibility verification notice to those who are described in regulations, are authorised to accept deposits, issue electronic money and provide relevant accounts into which a relevant benefit can be paid. Were the government to amend the legislation to bring other types of persons in scope of an eligibility verification notice, I would expect them to provide sufficient evidence and evaluation to justify the necessity. 

I welcome the fact that the measure now specifies on the face of the bill the types of relevant benefit that an eligibility verification notice can relate to: universal credit, employment and support allowance and state pension credit. Government have also provided evidence in the Explanatory Notes on why these specific benefits are the focus of the measure. It will be important for government to keep the measure and the benefits within scope under regular review to ensure it is a proportionate, effective approach to achieving the aims set out. This is also important given that the levels of fraud and error across benefits may be subject to change. I expect this to be addressed and reviewed as part of the Independent Review referred to in clause 75. 

The bill requires the SoS to appoint an independent person to review the exercise of the measure every 12 months after the Act comes fully into force. This review will provide an important safeguard to ensure that the measure remains fit for purpose. Given that the requirements of the review go beyond data protection, it would not be appropriate for the ICO to be the reviewer. However, I would like to explore with government the role the ICO can play a role in assisting with the review process.

I look forward to continuing to engage with the government on this measure.