Counter fraud
Purposes for which we process your data
NHS England has a team of accredited counter fraud specialists with responsibility for the prevention and detection of fraud, bribery and corruption against the organisation.
We will collect, process and disseminate personal data for:
- the detection and investigation of potential and actual fraud
- recovering monies lost to fraud
- the prevention of fraud, which may include undertaking fraud risk assessments and loss measurement exercises using data to identify errors, assess financial loss and detect fraud
The detection and investigation of potential and actual fraud
Perpetrators of economic crime against NHS England can be anyone associated with the health service, including:
- patients or their representatives
- employees
- primary care contractors (GPs, dentists, opticians, pharmacists)
- suppliers of any type
When allegations are made suggesting that NHS England has been the victim of an economic crime, the Counter Fraud Team will investigate.
To establish if a criminal offence has occurred, NHS England will gather evidence and analyse any data that we already hold or that we obtain from organisations who hold it, where it is relevant to the allegation.
We may need to obtain witness statements and interview suspects and will request access to personal data where this is necessary.
We will work with and share personal data with integrated care boards (ICBs) and we ask Primary Care Support England (PCSE) to process personal data on our behalf; this data will also be used where it is necessary for the prevention and detection of fraud, bribery and corruption against NHS England.
If evidence of a crime is found, the suspect may face disciplinary proceedings (including referral to a professional body), civil sanctions, and/or criminal proceedings.
We work closely with the NHS Counter Fraud Authority (NHSCFA), who will hold case files and have oversight of cases as they progress and, in the case of prosecutions, act as a gateway for initial file submissions to the Crown Prosecution Service (CPS).
We will also work with and share data with the National Crime Agency where we identify that their support is required to achieve our obligations.
Recovering monies lost to fraud
NHS England will seek to recover monies lost to fraud. This can be achieved via the application of a criminal sanction; for example, via a Proceeds of Crime application, or through a conditional caution.
Alternatively, recovery may be via a civil route where a debt recovery process is initiated, and a negotiated settlement reached.
Fraud risk assessment and loss measurement exercises
As part of an annual strategic intelligence assessment prepared by the NHS CFA for the Secretary of State, areas of health service delivery are identified for risk assessment and loss measurement.
NHS England is responsible for investigating fraud concerns in the primary care services that it commissions and requires personal data to be processed and shared to protect NHS resources from fraud, error and financial loss.
NHS England will undertake this work or will ask the NHS CFA to do it on our behalf.
NHS England will ask both the NHS BSA and PCSE to facilitate the secure sharing of identifiable personal data with the NHS CFA so that they can confirm a patient has received the services that have been claimed for and that the patient is eligible for that NHS funded care.
Declarations of Entitlement to NHS funded care
People are asked to declare that they are eligible for NHS funded care where this is a requirement for the delivery of that care.
Opticians, Dentists and Pharmacists are required to obtain a signature from the person requiring the care or their representative as part of that declaration and so that they can make a claim to the NHS for the cost of the care provided.
People are also informed at the point of signature that their entitlement to NHS funded services could be checked.
To enable NHS England to check entitlement, personal data may be provided to or obtained from the following but only where they hold the information that will confirm entitlement.
- The NHS Business Services Authority (NHSBSA)
- The Department for Work and Pensions
- HM Revenue and Customs
- Providers of education
- HM Prison Service
- Local Authorities and bodies providing services on their behalf
- General Practitioners
- Primary Care Contractor providing the services
- People receiving a care service and/or their representatives
Primary care contractors are obliged under the Health and Care Act 2022 to provide information to NHS England that is reasonably required in connection with their contract, such as counter fraud activities.
Service Condition 24 of the NHS Standard Contract requires providers to allow counter fraud specialists access to information that is relevant to the detection and investigation of cases of bribery, fraud or corruption.
The controller of your personal data
Under the UK General Data Protection Regulation 2016 (UK GDPR), NHS England is the controller of your personal data where we process it for the prevention and detection of fraud, bribery and corruption against the organisation.
Our legal basis is set out below:
1. Compliance with an Article 6 condition in the UK GDPR
The processing that we undertake complies with condition 6(1)(e), which applies where processing is necessary for the performance of a task carried out in the public interest.
This task has to be set out in UK domestic law.
The relevant UK law is section 8 of the Data Protection Act 2018 (“DPA 2018”).
This states that the section 6(1)(e) condition is met if the processing of personal data is necessary for the exercise of a “function” given to a public body by legislation.
A function is a task or duty that the legislation says the public body may or must perform.
Further to this, Schedule 1, Part 2, paragraph 10 (preventing or detecting unlawful acts), paragraph 14 (preventing fraud) and paragraph 33 (legal proceedings) also apply.
2. Compliance with an Article 9 condition in the UK GDPR
As the data used includes special category data a Schedule 9 condition must be complied with.
- Article 9 (2) (f), the processing is necessary for the establishment, exercise or defence of legal claims and/or
- Article 9 (2) (g), processing is necessary for reasons of substantial public interest
3. Compliance with the common law duty of confidentiality (CLDC)
We rely upon implied consent for the processing of your personal data; it is within the reasonable expectations of anyone receiving NHS funded services that measures will be taken to ensure that public expenditure and public services are not used unlawfully and that personal data will be required to identify, investigate and prosecute those found to be committing fraud, bribery and corruption against NHS England.
Where a person declares their eligibility for NHS funded care at the point of treatment, it is made clear that information regarding that declaration and the services obtained as a result, could be subject to further checks which will involve the processing and sharing of personal data.
We are also permitted to share your personal data under UK GDPR where it is necessary for us to do so.
Categories of personal data processed
To carry out our activities to prevent and detect economic crime we may process the following data:
- Contact details such as names, addresses, telephone numbers
- Gender
- Date of Birth
- NHS Number
- Emergency contact(s)
- Education and training, incl. development reviews (appraisals)
- Patient data, incl. GP, dental, optical and pharmaceutical records
- Claims for payment
- Offences (including alleged offences), criminal proceedings, outcomes and sentences
- Employment details (employment contract, salary, position etc.)
- Information around travel and subsistence; expenses
- Employment / identity records (including professional membership, qualifications, references and proof of identity and eligibility to work in the UK)
- Bank details
- Pay, benefits and Pension details (incl. National Insurance number)
Please note this list is not exhaustive and may change over time.
Where we obtain your personal data from
We will obtain your personal data from organisations that provide you with NHS services and treatment.
We will obtain data from claim forms presented for payment or from clinical records held by those organisations.
We will obtain your personal data from organisations that can verify your eligibility to have NHS services provided to you free of charge (where charges are applicable).
We will obtain personal data from Employers and Professional Membership bodies where this is necessary.
We will obtain personal data relating to financial information from banks, benefit agencies and pension providers.
How we process your data
Data is received in multiple formats including Microsoft Excel, source documentation from primary care contractors (either hard copy or electronic) and data provided by other parts of the NHS and Governmental departments.
Where data is received in hard copy format it is scanned, saved in a secure electronic file and the original hard copy stored in a locked facility in offices with restricted access.
All data is stored securely with access limited to only those individuals required to review it. If we need to email data, this will be in a password-protected format.
We may add your data to linked data provided by other government agencies and other parts of the NHS and review it. We may contact you to confirm information we hold about you.
Correspondence may be either electronic (for example, email) or hard copy (for example, letter).
Your data may be reviewed and become part of an evidence file created by NHS England in the investigation of fraud, bribery or corruption. This may include onward sharing with the NHS CFA and CPS.
What else do we use your data for?
As well as being used as potential evidence in a fraud investigation, your data may also be required for the prevention and detection of crime.
An example of this is in the development of Fraud Risk Assessments (FRAs). We use FRAs to identify risk in business process and establish/monitor organisational risk appetite.
Data may be used to inform Loss Measurement Exercises (LMEs), either conducted by NHS England, or in conjunction with the NHSCFA. LMEs may inform fraud risk and the direction of future local proactive exercises.
How long we keep your personal data
As per Criminal Procedures and Investigations Act 1996 (CPIA) Section 23(1)5. Retention of material: Material must be retained until at least the decision is made whether to pursue criminal proceedings.
In the event criminal proceedings are conducted, material must be retained until at least the subject(s) has been convicted or acquitted.
In the event of a criminal conviction, material must be retained until at least any sentence has been served or six months post-conviction, whichever is greater.
As per the NHS England Records Retention and Disposal Schedule (V.4.0), papers used during a fraud investigation are retained for 6 years from the date of decision.
Where we store the data
We store and process your personal data within the United Kingdom but where our processors need to process your personal data outside of the UK, we will always ensure that the transfer outside of the UK complies with data protection laws.
Statistical data, which does not allow you to be identified, may be stored and processed outside of the UK.
The National Data Opt Out
As set out in Part 10 of the National Health Service Act 2006, data processed in relation to the prevention, detection and prosecution of fraud in the NHS is exempt from the National Data Opt Out as the data is required to be processed by law.
Your rights over your personal data
To read more about the information we collect, our legal basis for collecting this information and what choices and rights you have, see how we look after your health and care information.
Additional transparency information about the data we are the Controller for can be found at: