Internal Audit privacy notice

This privacy notice tells you what information Audit Services collects and uses for Data Matching and the National Fraud Initiative (NFI), and your rights regarding your information.

Suffolk County Council (SCC) is required by law to protect the public funds it administers.

It may use and/or share information provided to it with other bodies responsible for auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

The categories of information that we collect and share include:

  • personal information (such as name, date of birth, address, bank details)
  • financial information (such as payments made to suppliers by SCC, payroll amounts, pension amounts)

Why we collect and share this information

We use your personal information for:

  • the prevention and detection of crime / fraud
  • audit delivery and improvement

In addition, we collect and share data with the Cabinet Office, which is responsible for carrying out data matching exercises.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information.

Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation.

No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

The lawful basis on which we use this information

Our lawful basis for collecting and sharing your information is under the public task basis, Article 6 of the GDPR.

We will share personal information with law enforcement or other authorities if required by applicable law such as:

  • the police
  • judicial agencies, e.g. courts
  • district/borough councils
  • other local authorities
  • Department of Work and Pensions
  • employers
  • HMRC
  • government agencies

As a Local Authority we are required to participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. This involves the provision of particular sets of data to the Minister for the Cabinet Office for matching, for each exercise, as detailed on the National Fraud Initiative page from GOV.UK.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 2018.

View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information on the National Fraud Initiative privacy notice from GOV.UK.

Storing this information

We will hold your personal information for 6 years where personal data relates to the allegation, investigation or sanction of a crime. We may be required to keep personal data for longer where we have a statutory duty to do so, for example to aid debt recovery or to comply with criminal justice retention periods.

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

Why we share this information

We share the data we have collected in line with our duties to comply with Part 6 of the Local Audit and Accountability Act 2014.

Data collection requirements

You can find out more about the data collection requirements placed on us by the Cabinet Office.

The Cabinet Office has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data.

Data matching by the Cabinet Office is subject to a Code of Practice.

Requesting access to your personal data

You have several rights regarding your personal data. Find more information about your rights on our privacy and data protection page.

If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance by contacting

Alternatively, you can contact the Information Commissioner’s Office.

Further information

You can read SCC’s corporate privacy notice.

If you would like further information contact:

  • Peter Frost, Head of Internal Audit, on 01473 264247
  • or Christos Constantinou, Counter Fraud Manager, on 01473 265887.