There's a storm brewing between Local Authorities and their employees, on the one hand, and the Audit Commission on the other. It centres on an existing programme called the National Fraud Initiative (NFI), under which Local Authorities have had a regulatory responsibility to let the Audit Commission know the names of their employees. However, the NFI was extended recently to require Local Authorities to supply the bank account details of all employees as well (account numbers and sort codes).
The banking details are compared against benefit claims in order to identify possible cases of benefit fraud.
It's hard to know just where to start with a Data Protection/Privacy analysis of this scenario, because almost every rock seems to have something unpleasant under it.
For instance, although Local Authority employees' bank details are subject to this reporting requirement, my bank details (as a private sector employee) are not... so is someone, somewhere, starting from the assumption that local government employees commit benefit fraud and commercial sector employees don't? That sounds fairly dubious. Not that I do commit benefit fraud, you understand.
Then again, as someone who shares a joint bank account with my spouse, isn't there something odd about the idea that my banking details are being passed around from one third party to another without my knowledge or consent?
Ah, well - you may say - the Data Protection Act has exemptions in it for law enforcement access... surely as this is fraud prevention, it must be covered by an exemption? I don't think so. Even law enforcers, when claiming an exemption under Section 29 of the Act, have to specify whose PII they wish to inspect. They are not allowed to conduct loosely-specified "fishing" enquiries. "Send us all your employees' bank details" sounds like an open-ended trawl to me.
Another point is that only certain public sector employees are subject to this requirement; it covers local government and the health service. It does not, for example, include the armed services, central government departments and (as mentioned above) any private sector employees... including agency staff working on contract to local government and health service employers.
The personal details in question are not actually processed by the Audit Commission - they go to a commercial company. I have no information about what measures that company takes to protect my PII, or about how to exercise any of my rights under the Data Protection Act (such as the right to ask what they're doing with it, how long they will have it for, whether it's correct, how they will dispose of it, and so on).
So let's recap some of the salient points:
This policy manages to be both a 'fishing' exercise and discriminatory, which is quite an achievement. It grants one subset of public sector employees fewer data protection rights than other directly equivalent public sector employees, fewer rights than contract staff working for the same employer, and fewer rights than private sector employees in general;
It is justified as a fraud prevention measure, but does not account for the fact that all those other categories of employee (not subject to the disclosure) represent as probable a source of fraud as the subset who are affected;
It fails to safeguard the data protection rights of anyone who shares a joint bank account with one of the affected employees, including of course people who don't even work for the employer in question.
All in all, it's hard to view this as a shining example of best practice in data privacy and data protection. It's all the more worrying when you consider that the government's MISC31 Committee on Data Sharing in the Public Sector would apparently like this to be the way all public sector bodies treat our personal data... and when you recall that the government's own view is that our privacy interests are well served by aggregating all our identity data into a single National Identity Register.