The data protection regulator has criticised plans by the government to require financial organisations to monitor the bank accounts of people claiming benefits.
Information Commissioner John Edwards has questioned whether ministers have shown that new powers to require banks or other organisations to disclose information on benefit claimants are “proportionate”.
In a response to the government’s Data Protection and Digital Information Bill (DBDI), Edwards said he had “concerns” that the proposed new powers for the Department of Work and Pensions (DWP) did not provide “appropriate safeguards”.
“While I agree that the measure is a legitimate aim for government, given the level of fraud and overpayment cited, I have not yet seen sufficient evidence that the measure is proportionate,” he wrote.
The government estimates that the proposals, announced in the King’s Speech, will save £300m a year by 2028-29 by reducing benefit fraud and overpayments to people claiming benefits over the next five years.
The Department of Work and Pensions will use the new powers to require banks and financial organisations to identify benefit claimants with more than £16,000 in savings or who claim from abroad for more than the four week limit, without needing to show any suspicion of wrongdoing by individuals.
It estimates the programme, which will identify benefit claimants who may have committed fraud or received overpayments for further investigation, will lead to 74,000 prosecutions and 2,500 custodial sentences over the course of 10 years.
The ICO has warned, however, that the Data Protection and Digital Information Bill was not “sufficiently tightly drafted” to protect individuals against “arbitrary interference”.
The draft legislation could be interpreted as “requiring a wide range of information to be shared”, and it was unclear which organisations could be subject to orders to disclose information on clients.
Edwards said the government should be “transparent” about the underlying evidence for introducing the new powers and their effectiveness at addressing fraud.
He warned that extra safeguards would be needed if DWP used its powers to seek information on people claiming health-related benefits that could disclose sensitive medical information.
“I am therefore unable, at this point, to provide my assurance to Parliament that this is a proportionate approach,” wrote Edwards.
“Parliament will need to decide whether this measure is necessary and proportionate, given the level of fraud and error in relation to benefits and the predicted savings this intervention could produce.”
MPs raised concerns
MPs have raised concerns that the legislation could allow the DWP to investigate the bank accounts of a significant proportion of the population.
Labour MP Stephen Timms, speaking in the Commons in November 2023, said the new powers, introduced in clause 34 of the DPDI, would give the government the right to inspect the bank account of anyone who claims a state pension.
“It will give the Government the right to look into the bank account of every single one of us at some point during our lives, without suspecting that we have ever done anything wrong, and without telling us that they are doing it,” he told the Commons.
Labour peer Lord Bassam told the Lords in December that the DPDI would require banks and financial institutions to provide data on an estimated 40% of the population that receive benefits, including working tax credit, child tax credit, child benefit, pension credit, job seekers allowance and personal independence payments.
The legislation has also been criticised by civil society groups. Silkie Carlo, director for Big Brother Watch, said in November that people who are disabled, sick, carers or looking for work “should not be treated like criminals by default”.
“Such proposals do away with the longstanding democratic principle in Britain that state surveillance should follow suspicion rather than vice versa, and it would be dangerous for everyone if the government reverses this presumption of innocence,” she added.
Mariano delli Santi, legal officer at the Open Rights Group, said the proposals could lead to some of the most vulnerable people facing unjust accusations of fraud and potentially having their lives destroyed.
DWP will target top 15 banks
Data published by DWP reveals the scheme will cost £370m to set up, and £30m a year to run once it’s fully up and running from 2032.
The department plans to test the monitoring regime from 2025, initially working with a limited number of banks and building societies and trade body UK Finance, which represents banks and financial services companies, to develop IT systems and data sharing mechanisms.
DWP has yet to work out how the banks will share data with the department, but has identified the an application programming interface as one possible mechanism.
The department will initially focus on the top 15 banks in the UK, which account for 97% of the accounts used by people claiming benefits. They include Bank of Scotland, Barclays, Halifax, HSBC, NatWest, Santander and TSB.
DWP plans to start rolling out the monitoring programme from 2027-28, reaching full scale by 2030-31. It said it will also have powers to issue notices to Fintech companies and providers of crypto currency, but has no plans to do so “at this point”.
Measures will be targeted, says DWP
The DWP maintains its new powers do not amount to surveillance and will not give investigators direct access to bank accounts.
A spokesperson said the measures would be targeted at areas where fraud and error is highest, such as Universal Credit.
“These changes will not allow DWP direct access to bank accounts, but will require third parties to share data signalling fraud with us so it can be considered further,” they added. “It will also help identify people who have made a genuine mistake with their claim, preventing them from potential debts.”
A UK Finance spokesperson told Computer Weekly that tackling fraud is a key priority for banks.
“Any new data sharing measures need to be mindful of protecting potentially vulnerable customers and, as the government notes, take account of privacy concerns,” they said. “The changes will need to be worked through in a consultation process, and ensure they align with the work the financial services industry is already undertaking to tackle fraud.”