Internal Audit privacy notice

This privacy notice tells you what information Audit Services collects and uses for Data Matching and the NFI, and your rights regarding your information.

General Information

The Internal Audit Service is responsible for providing independent and objective assurance in relation to the Council’s internal control, governance and risk management arrangements.

The processing of personal data is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), collectively referred to as data protection law.

We are required by law to protect the public funds we administer. We may share information provided to us with other bodies responsible for auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

This privacy notice explains what information the Internal Audit Service collects and uses for data matching and participation in the Cabinet Office National Fraud Initiative (NFI) and how we protect your privacy.

Suffolk County Council is the controller for the personal information that is being processed. If you have any queries about how the Internal Audit Service is collecting or using your personal data, you can contact the service by:

Email: audit.enquiries@suffolk.gov.uk

Write to us: Internal Audit Service, Endeavour House, 8 Russell Road, Ipswich, Suffolk, IP1 2BX

Contact details for the council’s Data Protection Officer and Compliance Manager can be found in the council’s corporate privacy notice, which is available on the council’s website.

What is personal data?

Personal data includes information about you, which can be used to identify you as an individual. Examples include:

  • Your name
  • Your date of birth
  • Your contact details
  • Your image

Special category data is the most sensitive type of personal data and includes:

  • Information about your health or any social care services that you may use
  • Information that could identify your racial or ethnic origins
  • Information that could identify your political beliefs
  • Information that could identify your religious or philosophical beliefs
  • Information that could identify your trade union membership
  • Genetic data
  • Biometric data (where used to identify you, e.g. use of fingerprints to access online services)
  • Information about your sex life, or sexual orientation

The types of personal data that we process and where it comes from

The personal and special category data that is collected includes:

  • Name
  • Date of birth
  • Address
  • Contact details
  • Bank details
  • National Insurance numbers and other identifiers
  • Job/profession and other information about employment history and current employment
  • Blue Badge and information contained in other documents

We also collect financial information such as:

  • Payments made to suppliers by SCC
  • Payroll amounts and hours worked
  • Pension amounts
  • Social care payments to individuals (Direct Payments)

This information is collected from data held by various services within SCC and schools.

Why do we process your personal data?

We use your personal information for:

  • the prevention and detection of crime / fraud
  • audit delivery and improvement

In addition, we collect and share data with the Cabinet Office, which is responsible for carrying out data matching exercises for the prevention and detection of fraud.

As a Local Authority we are a mandatory participant in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. This involves the provision of particular sets of data to the Minister for the Cabinet Office for matching, for each exercise, as detailed on the National Fraud Initiative page from GOV.UK.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information.

Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation.

No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

Our legal basis for processing your information

Personal data

Under data protection law, the Internal Audit Service can only process your personal data if it is lawful to do so. Please see the details below of the lawful bases that we rely on for processing different types of personal data.

For processing personal data, we rely on the following lawful basis:

  • UK GDPR Article 6(1)(e) – where processing is necessary for us to perform a task which is in the public interest (public task), with a basis in law.

Special category data

When we process special category data, we rely on the following additional lawful bases:

  • UK GDPR Article 9(2)(f) – where processing is necessary to establish, carry out or defend legal claims
  • UK GDPR Article 9(2)(g) – where processing is necessary for reasons of substantial public interest, specifically:
      • for statutory and government purposes (Schedule 1, Part 2, section 6, DPA 2018)
      • for the administration of justice (Schedule 1, Part 2, section 7, DPA 2018)
      • for preventing or detecting unlawful acts (Schedule 1, Part 2, section 10, DPA 2018)
      • to protect the public against dishonesty (Schedule 1, Part 2, section 11, DPA 2018)
      • for preventing fraud (Schedule 1, Part 2, section 14, DPA 2018)

You can find out more about the data collection requirements placed on us by the Cabinet Office.

The Cabinet Office has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data.

Data matching by the Cabinet Office is subject to a Code of Practice.

Criminal offence data – general processing

The Internal Audit Service also processes criminal offence data which may include:

  • Information about any criminal record or criminal history
  • Allegations of criminal behaviour, including unproven allegations
  • Absences of convictions, for example the results of DBS checks, or Police National Computer checks
  • Personal data of victims and/or witnesses
  • Personal data about criminal penalties that may have been awarded

In addition to the lawful bases that we have identified under “Personal data” above, we process criminal offence data under the following condition(s) of Schedule 1 of the DPA 2018:

  • where processing is necessary for statutory and government purposes (Schedule 1, Part 2, section 6, DPA 2018)
  • where processing is necessary for the administration of justice and for parliamentary purposes (Schedule 1, Part 2, section 7, DPA 2018)
  • where processing is necessary for preventing and detecting unlawful acts (Schedule 1, Part 2, section 10, DPA 2018)
  • where processing is necessary for protecting the public against dishonesty (Schedule 1, Part 2, section 11, DPA 2018)
  • where processing is necessary for preventing fraud (Schedule 1, Part 2, section 14, DPA 2018)
  • where processing is necessary for legal claims (Schedule 1, Part 3, section 33, DPA 2018)

Sharing your information

We share the data we have collected in line with our duties to comply with Part 6 of the Local Audit and Accountability Act 2014.

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.

View further information on the Cabinet Office’s legal powers, the reasons why it matches particular information and who it shares this information with on the National Fraud Initiative privacy notice from GOV.UK.

Whether we intend to transfer your information to another country

We do not transfer any personal data to any countries or international organisations outside of the EU, the EEA (European Economic Area), or any other country that does not have an equivalent level of data protection to the UK.

How long we keep your information

We keep personal data for as long as we need it to fulfil the purpose that it was collected for, and in line with any statutory or locally determined retention periods.

The Internal Audit Service will keep your personal data in relation to the National Fraud Initiative for 6 years from the date of it being submitted to the Cabinet Office.

The Cabinet Office will keep your personal data in accordance with its Data Deletion Schedule, which can be found in its Privacy Notice.

Automated decision-making and profiling

The Internal Audit Service does not use automated decision-making processes or profiling in respect of your information.

Your rights under data protection law

Under data protection law, you have the right to request access to the information that we hold about you. If you would like to make a request to access your personal information, please contact data.protection@suffolk.gov.uk.

You also have other rights regarding your personal data. You can find out more information about these rights by looking at the council’s corporate privacy notice.

Your right to independent advice

If you would like independent advice on this privacy notice or other matters about how Suffolk County Council processes your personal data, including how to make a complaint, you can contact the Information Commissioner's Office at:

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113

Email: casework@ico.org.uk