Social security: independent analyst's report on consultation on the investigation of offences regulations

Chapter 1 - Powers to Investigate and Safeguards

The first part of the consultation relates to Chapter 1 of the Code of Practice and sets out the offences that will be investigated, the principles and legislation that govern investigation and the range of information gathering powers that counter fraud officers of Social Security Scotland will have available to them as tools in their investigation. It also details the rights and responsibilities of those who the agency may request information from in relation to investigations and how such information would be sought.

Powers for Authorised Persons to Obtain Information

Regulation 4 of the Investigation of Offences regulations specifically sets out the power to request information from any individual or organisation thought to have information relevant to one or more of the matters under investigation (including visiting premises to obtain information). This is a departure from existing DWP powers which are limited to a prescribed list of organisations. The need for this more flexible approach is linked to the fact that the new agency is still evolving and the full list of organisations from whom information may be required is not yet known. Having a more flexible arrangement is likely to cover a wider range of eventualities once the agency is in full operation, negating the need to revise or revisit the regulations on multiple occasions in the future.

Q1. Do you agree with our approach to requesting information in regulation 4 of the Investigation of Offences regulations? If not, please explain why.

	Number of Respondents	% of Respondents
Yes	7	38%
No	10	56%
No response	1	6%
Total	18	100%

Just over half of respondents indicated that they did not agree with this approach.

While respondents generally seemed to welcome maintaining flexibility for the expansion of devolved benefits, some indicated that they felt the regulations were too broad as specified and that a more definitive list of persons or organisations who were in or out of scope should be provided. It was suggested that a non-prescribed list may risk undermining the discrete nature of investigations, and extensive discretion was inconsistent with a rights-based approach. Another organisation suggested that the flexibility was disproportionate to the issue of possible fraudulent claims within the Scottish Social Security system.

Several of the support organisations who provided a response stressed concerns about the impact of the regulations on their ability to offer client confidentiality:

"We have very deep concerns about the extension of investigatory powers to compel any and all agencies and individuals to comply with requests for information in relation to possible social security related offences. We believe that this would make it impossible for Third Sector Agencies, and their employees, who provide services to their clients on a confidential basis to continue to offer such services on that basis in the future."

Two organisations noted that, while they welcomed the exemption for legal privilege for solicitors, regulation 4 did not support the function of non-government organisations (NGOs) and third sector agencies. Similar provisions should be in place to protect these relationships too, it was suggested. Another stressed that independent advocacy organisations needed to be considered more in the regulations since to compel such organisations to provide information would negatively impact confidentiality and client trust. A third organisation stressed that this, in turn, would lead to clients disengaging with services and being left without the support that they need:

"Confidentiality is a key principle of independent advocacy and is crucial to building a trusting relationship with advocacy partners. Any potential compromise of confidentiality will have a negative impact on the relationship between an independent advocate and their advocacy partner. We believe this does not fit with a rights-based approach."

One organisation stressed that they already had strict criteria in place to allow disclosure of confidential information in a finite set of cases, where it was absolutely necessary. They felt that the proposed regulations could not be justified on the grounds of providing any additional safeguards. Others too felt that the regulations, as specified, would conflict or breach existing confidentiality governance such as that which applies to counselling services^[2]. Again, it was stressed that organisations' ability to offer client confidentiality would be undermined and this would impact negatively on the support which could be offered (i.e. clients may be less willing to disclose and so support/advice could not be tailored appropriately). The same organisation suggested that the draft regulations could be modified or strengthened to allow exemptions for specific named organisations as well as removing any possibility of the powers being used speculatively. They also suggested retaining the existing DWP approach of having a prescribed list of organisations from whom information could be sought.

One organisation specifically commented that there was insufficient justification set out in the consultation for the departure from DWP rules and again indicated that broad discretion was inconsistent with a rights-based approach. Examples of why existing powers were thought to be insufficient would be welcomed and it was suggested bringing additional organisations within the regulations should be scrutinised further by Parliament ahead of additional powers being introduced.

One organisation indicated that they supported the clear statutory basis for this power and welcomed that only information which was relevant to the investigation would be required. The same organisation, however, urged that the exceptions in regulation 4(7) (i.e. spouses and legal clients) be clearly stated in any notices given to individuals/organisations to provide information.

A final specific concern (mentioned by two individuals) was the assumption that notices to provide information would always be received by the intended individuals/organisation. Notices sent may not be received and there may be a requirement to have a process in place which provides proof of delivery or receipt, it was suggested, otherwise there would be insufficient evidence to demonstrate non-compliance.

Electronic Records

In addition to the more general information gathering powers proposed above, the draft regulations make provision for authorised officers to obtain information that may be held electronically. This power is only to be used to investigate an offence under the Social Security (Scotland) Act 2018 and only authorised Social Security Scotland officers may use it.

Q2. Do you agree with our approach to obtaining electronic information under regulation 5? If not, please explain why.

	Number of Respondents	% of Respondents
Yes	8	44%
No	8	44%
No response	2	12%
Total	18	100%

There was a clear split in views in relation to this question, with half of those who gave a response offering agreement and half disagreeing with the approach set out.

Given that much information is stored electronically by organisations, some reiterated earlier comments about client confidentiality, suggesting that the same principles and basis for their objections would apply:

"As stated above even a single instance of breach of confidentiality because an agency was compelled to provide information and/or electronic records could destroy the absolutely essential trust that such agencies must foster with their, often highly vulnerable, client groups. If the intent is not to use such powers to compel NGOs to breach confidentiality then this should be clearly stated on the face of the regulations."

One organisation which broadly supported requesting information per se (in line with regulation 4) offered strong views against regulation 5 on the basis that it presented the opportunity for "significant intrusion into people's privacy". A more thorough assessment of risks and impacts associated with allowing access to electronic records was urged^[3]:

"We question the necessity and proportionality of these authorised officers having access to entire sets of electronic records when they will already have powers to require the same information under regulation 4. A thorough assessment of the data protection and human rights impacts should be undertaken on this proposal before introducing the Regulations to the Scottish Parliament."

Indeed, several comments were made that the regulations around electronic records seemed disproportionate and unnecessary and some stressed that they were unjustified - "No examples of why the current powers are felt to be inadequate have been provided". Greater clarity around why this was deemed necessary would be welcomed. One organisation questioned why separate regulations were required for electronic information, and why this had not been considered as part of wider regulations around access to information.

One organisation stressed that they may face a conflict between needing to meet both the requirements set out in the Investigations of Offences regulations and their responsibilities under the General Data Protection Regulation (GDPR). Breaching either may result in a fine, it was perceived, leaving organisations in a no-win situation. Another pointed out that support organisations often use electronic case management systems to securely manage and store personal confidential data in accordance with GDPR requirements and that being compelled to provide access to this was unacceptable.

One other organisation questioned regulation 5(3)(c) around requirements restricting the disclosure of information and noted that the Scottish Ministers would need to be mindful that any such restrictions on disclosure needed to be compatible with both data protection law and freedom of information law, as appropriate.

Finally, one individual stressed that "a person" was not clearly defined, and one individual raised concern about whether electronic data could be certified as required under the Criminal Procedure (Scotland Act 1995, S179, Schedule 8 Act of Adjournal (Criminal Procedure Rules) 1996.

Visiting and Searching Premises

Regulation 6 proposes a move away from DWP powers which currently allow authorised officers to visit premises to search them for the purposes of examination and inquiry in connection with the prevention, detection and securing evidence of social security benefit fraud. While DWP's policy is that officers can only enter premises with consent, the Scottish Government proposals would allow authorised officers to do this subject to specified restrictions and only with the permission of the owner or occupier. Similarly to regulation 4, a person cannot be made to provide information that is self-incriminating to them or their spouse/civil partner or that would be subject to legal privilege.

Q3. Do you agree with our approach to entry and search of premises for the purposes of a fraud investigation under regulation 6? If not, please explain why.

	Number of Respondents	% of Respondents
Yes	6	33%
No	8	44%
Agree in part	1	6%
No response	3	17%
Total	18	100%

Again, almost half of respondents indicated that they did not agree with this proposal.

While some welcomed that the regulations specified that an authorised officer could only enter premises with the permission of the owner or occupier, some stressed that it was not clear whether consent was required from both the owner and occupier where this was not the same person. In such cases, permission should be sought from both parties, it was suggested, and this should be made clear in the regulations:

"…we would recommend that the regulations be adapted to require the permission of the occupier in all circumstances."

Many organisations were concerned that premises could be searched without the consent of an occupier in the case of landlord arrangements:

"The problem with the regulations as currently worded is that the authorised officer need only obtain the consent of the landlord (owner) to search premises used by the "occupier" who might well be a Third Sector agency (the regulations state the authorised officer must obtain the permission of the "owner or occupier" and not both)."

This particular issue may be problematic for third sector support organisations or NGOs occupying rented premises (from commercial or local authority landlords), where permission to enter and search premises granted by the landlord may mean that agency staff could search records stored by support organisations on site, without any permissions being sought from the organisation in question.

On a related note, one organisation indicated that the searching of premises by agency staff, even if consent is gained, may lead to the inadvertent access to data linked to persons other than the individual under investigation. It was suggested that the data management systems used by different organisations may mean that this is inevitable and would be an unjustified breach of confidence.

As with comments made in relation to access to information, one organisation questioned the legal basis of the regulations, and suggested that leniency was being afforded to authorised officers which was disproportionate to other organisations, such as the police:

"We are also concerned about the fact that the investigatory power regulations appear not to require reasonable grounds of suspicion, that there is no judicial oversight for exercise of powers of entering and searching premises or requiring information from third parties, to ensure that there are reasonable grounds for use of these powers. We believe that there are human rights implications here which give more powers and latitude to the Social Security Agency than would be available to the police."

One individual also questioned if warrants could be obtained, where necessary, if consent had not been provided (and another pointed out that to enter and search premises the police are required to obtain a warrant from the court - no such requirement seemed to be in place for 'authorised officers'). The same respondent also questioned if it would be an offence for persons within premises not to provide their personal details. Greater clarity was needed, it was felt.

One specific type of premises where application of this rule was seen as particularly inappropriate was refuges that house women and children fleeing abuse - the need to keep such premises secure and maintain users' confidence that they were a place of safety and security was emphasised.

Overall, the justification for the move away from DWP rules was not clear, it was suggested, and greater clarity around the rationale for regulation 6 was encouraged.

Deliberate Obstruction or Delay of an Investigation

Regulation 7 sets out proposals for penalties to be in place in cases where an authorised officer is deliberately hampered in their attempts to carry out an investigation. A number of offences were proposed to cover cases where an individual or organisation fails without justification to comply with a request, deliberately provides false information or does anything else deliberately to delay or obstruct an authorised officer in carrying out their duties under the regulations. Such offences may incur a penalty in the form of a fine of up to £1,000.

Q4. Do you agree with our proposal for new offences relating to delay or obstruction of an investigation? If not, please explain why.

	Number of Respondents	% of Respondents
Yes	7	39%
No	7	39%
Agree in part	1	6%
No response	3	16%
Total	18	100%

There was an equal split in the number of respondents who provided support for and against this proposal.

Some support organisations disagreed on the basis that the protection of client confidentiality may be perceived as legitimate obstruction:

"Given our concerns outlined in the previous two answers - around the potential breach of confidential relationships that third sector organisations hold with the people they work with - we cannot agree with the proposal for new offences relating to delay or obstruction of an investigation. As it stands, third sector organisations could be at risk of a fine of £1,000 if they sought to protect confidential relationships with the people they support in the event of fraud investigations being undertaken."

One organisation suggested that many agencies would simply be unable to afford such fees and would feel compelled to provide information even though it undermined their service provision. Others would potentially incur fines and legal costs which would also take money away from vital front-line service provision:

"…the proposed regulations are a dangerous extension of investigatory powers into areas which could, and would over time, undermine the Third Sector's ability to provide confidential services to vulnerable individuals and groups."

The draft regulations note that offences would only be penalised if an individual or organisation failed to comply "without reasonable excuse". Two organisations commented that the notion of reasonable excuse needed to be more clearly defined and another noted that the term 'deliberately' (i.e. that a person must be perceived to deliberately delay or obstruct investigations) needed to be operationalised. One noted that client confidentiality should be included as a permissible reasonable excuse not to comply with investigations:

"While the regulations make provision for individuals to not comply with requirements if there is a "reasonable excuse", what is deemed to be a "reasonable excuse" is left to the Agency to determine. We…recommend that the regulations and Code of Practice are amended to explicitly state that the maintenance of confidential relationships are permissible reasonable excuses."

One organisation suggested that this regulation appeared contradictory to the provisions in regulation 6, i.e. if an owner does not provide permission to access a premises, would that be considered an obstruction offence? Another organisation also questioned what would happen if an offence was committed, and a fine was paid, but information or access was still sought in relation to the investigation. A further organisation noted that the appeals process was also unclear.

On a related note, the proposed fine may not be considered a sufficient deterrent by some and this may mean that compliance with investigations would still be refused:

"Section should also address what happens if an organisation fails to provide required information, is prosecuted and fined, but SSS still requires information from them. Can a fresh request be made, leading to a second prosecution? This would be good, as for some business a single fine of £1000 might be inconsequential and of little deterrent value to other potentially non-compliant businesses."

In contrast, concerns also included that some vulnerable adults (including those with mental health issues or learning disabilities) may not fully understand the gravity of non-compliance, therefore placing them at greater risk of being penalised than others, and that these groups might also be perceived as being obstructive, whereas the true reason for non-compliance may be lack of understanding. Clearly differentiating between wilful non-compliance and unintentional non-compliance may add clarity to the regulations.

Finally, the one respondent who agreed 'in part' noted that the regulations seemed appropriate for those who knowingly and wilfully obstruct an investigation^[4], but the inclusion of support organisations within the remit (and the associated problems around confidentiality discussed above) meant that they did not accept the proposals in full.

Other Comments

In addition to the specific questions above, more general comments were also invited on the proposed powers to investigate and safeguards, as set out in Chapter 1 of the Code of Practice.

Q5. Do you have any other comments about Chapter 1 of the Code of Practice for Investigations?

Nine respondents provided additional comments and their concerns were quite disparate.

Four organisations expressed concern about the suggestion of giving powers of covert surveillance to social security fraud investigators, which they believed was disproportionate and overly intrusive. The need for counter fraud officers to always act in a way that was "proportionate" was also open to wide variation, it was suggested, and was not adequately formalised or operationalised within the draft regulations:

"We are unable to identify where this principle is enshrined in the draft regulations or indeed what limits are set by the draft regulations on the exercise of wide, discretionary powers."

One respondent perceived that the Regulation of Investigatory Powers (Scotland) Act 2000 was intended for use in counter-terrorism and national security matters, rather than in social security policy, where they perceived fraud was rare.

One organisation also highlighted that 'surveillance' was also often a feature of abusive relationships (i.e. ex-partners covertly watching the behavior patterns of females, in particular) and suggested that the surveillance of benefit claimants in the way proposed may replicate this activity and add to the stresses experienced by victims of domestic abuse. On a similar note, one support organisation noted that ex-partners can often have demonstrated financial abuse or controlling of partners' incomes and that ex-partners could sometimes provide wrong information or report non-intentional fraud as a means of prompting investigations against their ex-partner (hence continuing financial abuse against them):

"Multiple investigations by the DWP could be seen as another form of abuse and continuation of financial abuse. We hope this will be avoided in the devolved social security system and that there will be consideration of the impact of domestic and financial abuse which can result in the fear of retribution from an ex-partner."

Another organisation indicated that surveillance was especially inappropriate for dealing with cases of disability benefit fraud because it may inadvertently dissuade people living with disabilities from living 'freely':

"… disabled people are becoming increasingly frightened of engaging in any social activity…because they fear that their benefits will be taken away from them as a consequence."

Two organisations urged greater clarity throughout Chapter 1 in relation to data protection. One organisation stressed that authorised officers wishing to use publicly available information for their investigation as described in the Code of Practice would still require to comply with the data protection law and this was perhaps not made explicitly clear in the Code, as worded^[5].

Greater clarity was also advised around how data controllers (including support service providers who store client data) would determine if an exemption from the normal rules preventing disclosure of information was valid, not least when regulations had yet to be published. This rule may be subject to differential interpretation (especially with regard to the way that 'sensitive information' is defined) and could, in some cases, result in organisations being penalised for their decisions:

"The information gathering powers which are to be set out in the Investigation of Offences regulations are not yet available. Therefore, we have no idea of what will be the 'defined circumstances' in which these very wide powers - including entry of premises and seizure of information - will be exercised. In other words, we are being asked to endorse the granting of very wide powers with no idea of the circumstances in which they might be used. This is simply not acceptable especially given that the exercise of the powers might lead to breaches in confidentiality and trust between Third Sector agencies and their clients and the imposition of fines on those who try to uphold duties of trust and confidentiality."

Another organisation also indicated that the Scottish Government and its agencies should consider carefully any assumption around exemptions:

"The exemptions in schedule 2 of the DPA only allow certain rights and/or data protection principles to be restricted. They do not provide a lawful basis for processing the personal data in any way, and do not exempt a data controller from requiring a lawful basis for processing."

Agency staff should receive data protection compliance training specific to their role on a regular basis, it was suggested (a point that was stressed again in response to the proposed standards for counter fraud officers, discussed in the following chapter below).

One local authority respondent suggested that Chapter 1 of the Code could give consideration to data sharing in cases where local authorities need to work alongside the Social Security Agency or where their own independent investigations may benefit from access to the data gathered by the agency.

Some specific points of clarification were also suggested by one public body, including:

• at paragraph 5 of the Code, use is made of the term 'whistle-blowing' which has a specific legal status^[6] and replacing this with an alternative, such as 'allegation hotline' may help to avoid confusion;
• at paragraph 11, the words "and by whom" should be added to reflect that a fundamental aim of an investigation is to establish who has committed an offence;
• at paragraphs 37 and 38, reference to "directed surveillance" should be replaced with "authorised directed covert surveillance" and this term should be used consistently in both paragraphs; and
• at paragraph 40, clarity is required that only public authorities named in the Act can conduct joint investigations, and not all public authorities.