National Fraud Initiative

 

Background

  1. South Eastern Regional College (SERC/’the College’) is required by law to protect the public funds it administers. The Comptroller and Auditor General (C&AG) of the Northern Ireland Audit Office requires the College to participate in a data matching exercise to assist in the prevention and detection of fraud. The data matching exercise is called the National Fraud Initiative (NFI).

 

Introduction

  1. The Comptroller and Auditor General (C&AG) conducts data matching exercises to assist in the prevention and detection of fraud. This is one of the ways in which the C&AG fulfils his responsibility for promoting economy, efficiency and effectiveness in the use of public money. The main vehicle by which he exercises his powers is the National Fraud Initiative (NFI).
  2. Data matching involves comparing sets of data, such as the payroll or benefits records of a body, against other records held by the same or another body, to see how far they match. The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found, it may indicate that there is an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
  3. The processing of data by the C&AG (in practice the processing is undertaken by the Cabinet Office on the C&AG’s behalf) in a data matching exercise is carried out with statutory authority under his powers in Articles 4A to 4G of the Audit and Accountability (Northern Ireland) Order 2003. It does not require the consent of the individuals concerned under data protection legislation or the General Data Protection Regulation (GDPR).
  4. The College will receive a report of matches that it should investigate in order to detect instances of fraud, over- or underpayments and other errors, take remedial action and update its records accordingly.

 

Legal Basis

  1. South Eastern Regional College shares data for the NFI exercise with the C&AG under the legislative powers included in the Audit and Accountability (Northern Ireland) Order 2003.
  2. The C&AG conducts data matching exercises under his statutory powers in the Audit and Accountability (Northern Ireland) Order 2003. Under the powers:
    • The C&AG may carry out data matching exercises for the purpose of assisting in the prevention and detection of fraud, as part of an audit or otherwise.
    • The C&AG may require certain bodies to provide data for data matching exercises. Currently these are all the bodies whose accounts are required to be audited by the C&AG (with the exception of those audited by virtue of section 55 of the Northern Ireland Act 1998 (which includes North/South Implementation Bodies)), or by a local government auditor.
    • Other bodies and persons may participate in his data matching exercises on a voluntary basis where the C&AG considers it appropriate. Where they do so, the statute states that there is no breach of confidentiality and generally removes other restrictions in providing the data to the C&AG.
    • The requirements of data protection legislation continue to apply so data cannot be voluntarily provided if to do so would be a breach of data protection legislation. In addition, sharing of patient data on a voluntary basis is prohibited.
    • The C&AG may disclose the results of data matching exercises where this assists in the prevention and detection of fraud, including disclosure to bodies that have provided the data, and to local government auditors, as appropriate, as well as in pursuance of a duty imposed by, or under, a statutory provision.
    • The C&AG may disclose both data provided for data matching and the results of data matching to the Cabinet Office, the Auditor General for Wales, the Auditor General for Scotland, the Accounts Commission for Scotland and Audit Scotland, for the purposes of preventing and detecting fraud.
    • Wrongful disclosure of data obtained for the purposes of data matching by any person is a criminal offence. A person found guilty of the offence is liable on conviction on indictment to imprisonment for a term not exceeding two years, to a fine or to both; or on summary conviction, to imprisonment for a term not exceeding six months, to a fine not exceeding the statutory maximum, or both.
    • The C&AG may charge a fee to any body participating in a data matching exercise, subject to obtaining the consent of the Department of Finance in the case of a body whose functions are discharged on behalf of the Crown.
    • The C&AG must prepare and publish a Code of Practice. All bodies conducting or participating in his data matching exercises, including the C&AG himself, must have regard to the Code.
    • The C&AG may report publicly on his data matching activities.
  3. Under the GDPR (article 6(1)) and the Data Protection Act 2018 (section 8), the legal basis for processing personal data under the NFI is that it is necessary for the performance of a task carried out in the public interest or in exercise of the data controller’s official authority.
  4. South Eastern Regional College shares data for this exercise with the C&AG under legislative powers included in the Audit and Accountability (NI) Order 2003, articles 4A to 4H.

 

The data that is matched and the reason for matching it

  1. Details of the data that is matched are available on the Northern Ireland Audit Office website at https://www.niauditoffice.gov.uk/national-fraud-initative. Details are also included in Appendix 1 of this Privacy Notice.
  2. Data is matched for the purpose of assisting in the prevention and detection of fraud.
  3. Data matching by the C&AG is subject to a Code of Data Matching Practice, available at https://www.niauditoffice.gov.uk/national-fraud-initative

 

Retention of Data

  1. Personal data will not be kept for longer than necessary. Data retention under the NFI will be in accordance with a data deletion schedule to be published on the Cabinet Office’s NFI web page at: https://www.gov.uk/government/collections/national-fraud-initiative.
  2. The College and our auditors may retain some data for a longer period, for the purposes of audit, continuing investigations or prosecutions. Data subjects should refer to the College privacy notice for further details on retention periods at https://www.serc.ac.uk/customer-privacy

 

Role of the Information Commissioner

  1. The Information Commissioner regulates compliance with current data protection legislation. If a matter is referred to the Information Commissioner, he or she would consider compliance with the Code of Data Matching Practice in determining whether or not, in the view of the Information Commissioner, there has been any breach of data protection legislation and, if so, whether or not any enforcement action is required and the extent of such action. For more information, see the Information Commissioner’s website at https://ico.org.uk.

 

Complaints

  1. South Eastern Regional College aims to process personal data lawfully, fairly and in a transparent manner. If you wish to complain about how your personal data has been processed, please contact the Data Protection Officer at sharvey@serc.ac.uk.
  2. If you remain dissatisfied, you can make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at https://ico.org.uk/make-a-complaint.

 

Further Information

  1. Further information about the C&AG’s data matching exercises, reports on completed exercises, legal powers and the reasons why he matches particular information may be found at https://www.niauditoffice.gov.uk/national-fraud-initative.
  2. For further information on data matching or concerns about non-compliance with the Code at South Eastern Regional College please contact David McCullough, Financial Controller, via e-mail at dwmccullough@serc.ac.uk.

 

Appendix 1

Data that is matched

Payroll Data

  • Staff Number
  • Title
  • Gender
  • Surname
  • Forename
  • Middle Name or Middle Initials
  • Address
  • Date of Birth
  • Telephone Number Mobile
  • Telephone Number
  • Email Address
  • Date Started
  • Date Left (if applicable)
  • National Insurance Number
  • Status: Full Time / Part Time
  • Gross Pay
  • Standard Hours per Week
  • Bank Sort Code
  • Bank Account Number
  • Building Society Roll Number

Trade Creditor Information

  • Creditor Name
  • Address
  • Telephone Number
  • Bank Sort Code
  • Bank Account Number
  • Building Society Roll Number
  • Creditor Type
  • Invoice Number(s)
  • Invoice Date(s)
  • Payment Date(s)
  • Invoice Amount(s)
  • VAT Amount(s)
  • Method of Payment