Anti-fraud body to further trawl civil servants' bank data

Scheme to be extended from local government to central after success in tracking fraud

Whitehall workers could be subject to the scheme

More than half a million central government civil servants could be forced to hand over their bank details to the Audit Commission as part of a nationwide fraud prevention scheme.

It is already compulsory for local authority, police and fire service workers to provide their bank details to be checked against fraud databases. But now the Audit Commission, which runs the scheme called the National Fraud Initiative (NFI), has been granted powers to extend the initiative to central government workers.

Many public sector employees are not keen on the initiative and claim that it prejudges them as criminals.

But the Audit Commission has defended the plan, claiming that in 2006/07 it led to £140m of fraud and overpayments being detected and that all details are held securely.

“It is an excellent way to help the organisations we audit and inspect to save taxpayers’ money by identifying potential overpayments as well as fraudsters,” said a spokeswoman.

One of the key concerns of public sector staff is the security of their information, given the recent publicity over government data losses.

When the NFI began, local authorities sent discs containing the details through the post, but now information is uploaded through a secure online portal.

The portal is run by a third-party contractor called Synetic Solutions, based in Newcastle-under-Lyme, which also operates the servers holding the information.

A freedom of information request to the Audit Commission by Computing revealed the security practices in place.

“The web site that is utilised for both the data submissions and accessing the results uses an encrypted connection between the participating bodies’ browser and NFI secure servers,” said the response.

“The encryption used is standard 128-bit SSL (Secure Sockets Layer). This is the standard encryption available on the internet and is used for all secure sites including banking and online shopping.”

Employees do not input the information themselves; it is entered by the authority they work for.

The NFI matching processes convert bank details such as sort code and account number to “flags” that are checked against other data sets for instances of fraud. The details are destroyed within six months.

The Audit Commission said personnel involved in the NFI project have been security cleared and none has permission to access the data of an individual.

The Audit Commission is currently considering whether to apply an exemption under section 31 of the Freedom of Information Act to determine if it can reveal the specific security systems used to protect the information. It feels that to discuss such details may give criminals a helping hand in compromising the database.

But many public sector employees say they would feel reassured if they knew how their information is protected.

“Given the government’s record on this type of thing, I have no confidence at all in them handling my details unless I know exactly how they are doing it,” said one local government civil servant who did not want to be named.

Information is collected through the scheme once every two years.

An NFI work programme document from September this year talks about expanding the initiative into “non-fraud areas”.

The Audit Commission said this did not mean further cross-checking of employee details, and insisted there were no plans to collect personal information other than bank details.

“Non-fraud areas are not yet sanctioned and require a Secretary of State Order for them to commence. When they do, it will not relate to staff but will focus on issues such as unpaid arrears of council tax and rents,” said the spokeswoman.

The Audit Commission was keen to emphasise that security procedures and data mining techniques have been audited and cleared by privacy watchdog the Information Commissioner’s Office.

A recently published Code of Data Matching aims to ensure such exercises comply with the law, especially the provisions of the Data Protection Act 1998.

The code includes guidance on the notification process for letting individuals know why their data is matched and by whom.

The timescale for extending audits to central government workers has not yet been published.