NFI Privacy Notice 2022
Privacy Notice for Comptroller and Auditor General's data matching exercises
This notice is made under Article 14 of the UK General Data Protection Regulation (GDPR). It sets out how we will use personal data that is submitted to the Comptroller and Auditor General (C&AG) for the purpose of the National Fraud Initiative (NFI) in Northern Ireland and any other data matching exercises conducted by the C&AG.
Under the GDPR (article 6(1)) and the Data Protection Act (DPA) 2018 (section 8), the legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. The C&AG conducts data matching exercises under statutory powers in the Audit and Accountability (Northern Ireland) Order 2003.
We process information that you provide when making a claim or applying for:
- social housing (current tenants and individuals on a housing waiting list);
- right to buy;
- rates and rate relief;
- transport pass and permit;
- housing benefit;
- other state benefits; and
- taxi driver licences.
We also process information that you provide:
- when seeking payment of an invoice from an organisation that takes part in the NFI. This is referred to as trade creditor standing data and payment history data;
- when seeking payment for employment from an organisation that takes part in the NFI. This is known as payroll data;
- when registering to vote. This is known as electoral register data; and
- in relation to residents in a private care home who are supported by an organisation that takes part in the NFI.
Data specifications setting out exactly what data we process in the above areas are in the NFI Instructions on the NFI page of the NIAO’s website.
We also carry out data matching pilots for the purpose of assisting in the prevention and detection of fraud. These may include claims for COVID-19 grant support.
Should data matching through the NFI result in a prosecution, then this may also be recorded by participating organisations. This information is for recording outcomes purposes only and the data won’t be shared further.
Special categories of personal data (Article 9 of UK GDPR and Chapter 2, Section 10, of the DPA 2018)
Included in the data processed for the NFI are certain special categories of personal data. Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Housing benefit and student loans data includes an indicator of physical or mental health or condition. This disability flag, which does not identify the specific condition, is required because disability has an impact upon a student’s entitlement to claim housing benefit.
We collect information on blue badge holders and applicants. While we do not hold information on the medical condition that entitles the individual to a badge, we do know who has a badge.
Purpose of processing
The Comptroller and Auditor General (C&AG) conducts data matching exercises to assist in the prevention and detection of fraud. This is one of the ways in which the C&AG fulfils their responsibility for promoting economy, efficiency and effectiveness in the use of public money. The main vehicle used to exercise those powers is the National Fraud Initiative (NFI).
The NFI also conducts regular data sharing and analytics pilots to evaluate and improve data matching methodology. In this way, the NFI can continue to help detect and prevent fraud in the most efficient and effective way possible.
Your personal data will be subject to the following automated profiling, as defined in Article 4, paragraph 4 of the UK GDPR, in the form of data matching.
Data matching involves comparing sets of data, such as the payroll or benefits records of a body, against other records held by the same or another body, to see how far they match. The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found, it may indicate that there is an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
The processing of data by the C&AG in NFI data matching exercises (in practice, the processing is undertaken by the Cabinet Office on the C&AG’s behalf) is carried out with statutory authority under powers in Articles 4A to 4G of the Audit and Accountability (Northern Ireland) Order 2003. It does not require the consent of the individuals concerned, under data protection legislation or the UK GDPR.
All bodies participating in the C&AG's data matching exercises receive a report of matches that they should investigate in order to detect instances of fraud, over or underpayments and other errors, take remedial action and update their records accordingly.
Under the GDPR (article 6(1)) and the Data Protection Act (DPA) 2018 (section 8), the legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. The C&AG conducts data matching exercises under statutory powers in the Audit and Accountability (Northern Ireland) Order 2003. Under the powers:
a) The C&AG may carry out data matching exercises for the purpose of assisting in the prevention and detection of fraud, as part of an audit or otherwise.
b) The C&AG may require certain bodies to provide data for data matching exercises. Currently these are all the bodies whose accounts are required to be audited by the C&AG (with the exception of those audited by virtue of section 55 of the Northern Ireland Act 1998 (which includes North/South Implementation Bodies)), or by a local government auditor.
c) Other bodies and persons may participate in the C&AG's data matching exercises on a voluntary basis where the C&AG considers it appropriate. Where they do so, the statute states that there is no breach of confidentiality and generally removes other restrictions in providing the data to the C&AG.
d) The requirements of data protection legislation continue to apply so data cannot be voluntarily provided if to do so would be a breach of data protection legislation. In addition, sharing of patient data on a voluntary basis is prohibited.
e) The C&AG may disclose the results of data matching exercises where this assists in the prevention and detection of fraud, including disclosure to bodies that have provided the data, and to local government auditors, as appropriate, as well as in pursuance of a duty imposed by, or under, a statutory provision.
f) The C&AG may disclose both data provided for data matching and the results of data matching to the Cabinet Office, the Auditor General for Wales, the Auditor General for Scotland, the Accounts Commission for Scotland and Audit Scotland, for the purposes of preventing and detecting fraud.
g) Wrongful disclosure of data obtained for the purposes of data matching by any person is a criminal offence. A person found guilty of the offence is liable on conviction on indictment to imprisonment for a term not exceeding two years, to a fine or to both; or on summary conviction, to imprisonment for a term not exceeding six months, to a fine not exceeding the statutory maximum, or both.
h) The C&AG may charge a fee to any body participating in a data matching exercise, subject to obtaining the consent of the Department of Finance in the case of a body whose functions are discharged on behalf of the Crown.
i) The C&AG must prepare and publish a Code of Practice. All bodies conducting or participating in the data matching exercises, including the C&AG, must have regard to the Code.
j) The C&AG may report publicly on the data matching activities.
The legal basis for processing your criminal convictions data is paragraphs 6 and 10 of Schedule 1 of the DPA 2018.
The legal basis for processing your special category personal data is Article 9(g) of the UK GDPR, that processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law, which shall be: proportionate to the aim pursued; respect the essence of the right to data protection; and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Bodies which provide data for matching
Currently, the C&AG may require the following bodies to provide data:
a) bodies whose accounts are required to be audited by the C&AG, except for North/South Implementation Bodies; and
b) bodies whose accounts are required to be audited by a local government auditor.
In addition, a number of organisations submit their data on a voluntary basis for data matching, including the Northern Ireland Audit Office.
Your personal data will be shared by us as necessary, for the purposes of preventing and detecting fraud, with:
- The Cabinet Office;
- The Auditor General for Wales;
- The Auditor General for Scotland;
- The Accounts Commission for Scotland; and
- Audit Scotland.
In addition, your personal data will be shared by us as necessary, for the purposes of preventing and detecting fraud, with mandatory participants, which include:
- government departments;
- non-departmental public bodies;
- health bodies; and
- local councils.
It may also be shared with bodies which provide data to the NFI on a voluntary basis.
The data that is matched and the reason for matching it
For information summarising NFI data matching by type of participating organisation, please refer to the document ‘NFI matching by type of participant’.
Data is matched for the purpose of assisting in the prevention and detection of fraud.
Where personal data has not been obtained from you
Your personal data is obtained by us from participating organisations which include government departments, non-departmental public bodies, health bodies and local councils.
Individuals whose data is included in data matching exercises have rights under data protection legislation. To comply with the C&AG’s Code of Data Matching Practice, participating organisations must provide individuals with a privacy notice containing information about their rights.
You have the right to:
- request information about how your personal data are processed, and to request a copy of that personal data;
- request that any inaccuracies in your personal data are rectified without delay;
- request that any incomplete personal data are completed, including by means of a supplementary statement;
- request that your personal data are erased if there is no longer a justification for them to be processed; and
- in certain circumstances (for example, where accuracy is contested), request that the processing of your personal data is restricted.
Individuals’ usual rights of access to data held about them may be limited as a consequence of exemptions in the data protection legislation (as set out in Schedule 2 of the Data Protection Act 2018). Exemptions will apply in relation to the processing of personal data for the prevention and detection of crime.
Retention of Data
Personal data will not be kept for longer than is necessary. Data retention under the NFI will be in accordance with a data deletion schedule to be published on the Cabinet Office’s NFI web page.
Participating organisations and their auditors may retain some data for a longer period, for the purposes of audit, continuing investigations or prosecutions. Data subjects should refer to individual organisations’ privacy notices for further details.
Code of Data Matching Practice
Data matching by the Comptroller and Auditor General is subject to a Code of Data Matching Practice, available on the NFI page of the NIAO’s website.
Concerns about non-compliance with the Code should be addressed to the relevant organisation (i.e. the participating organisation or, in the case of non-compliance by the C&AG, the Northern Ireland Audit Office) before contacting the Information Commissioner.
Where the C&AG becomes aware that a participating organisation has not complied with the requirements of the Code, they will contact the organisation concerned and seek to ensure that it implements appropriate measures to meet the Code’s requirements.
Role of the Information Commissioner
The Information Commissioner regulates compliance with current data protection legislation. If a matter is referred to the Information Commissioner, he or she would consider compliance with the Code of Data Matching Practice in determining whether or not, in the view of the Information Commissioner, there has been any breach of data protection legislation and, if so, whether or not any enforcement action is required and the extent of such action. For more information, see the Information Commissioner’s website.
The C&AG aims to process personal data lawfully, fairly and in a transparent manner. If you wish to complain about how your personal data has been processed, please contact the C&AG via email@example.com.
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Information Commissioner's Office
Telephone: 0303 123 1113
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
Further information about the Comptroller and Auditor General's data matching exercises, including reports on completed exercises, may be found on the NFI page of the NIAO’s website. Alternatively, please contact the NFI Coordinator, Northern Ireland Audit Office, 106 University Street, Belfast, BT7 1EU, or email firstname.lastname@example.org.