Important announcement

For opening hours and service changes over the festive period, please visit our Festive Information web page.

Privacy Notice

This privacy notice (also known as a fair processing notice or privacy statement) sets out how we will use personal data that is submitted to Audit Scotland for the purpose of the National Fraud Initiative (NFI) in Scotland and any other data matching exercises conducted by Audit Scotland. Details of the personal data we process are included in Appendix 1.

Audit Scotland data matching exercises

Audit Scotland conducts data matching exercises to assist in the prevention and detection of fraud and other crime. This is one of the ways in which Audit Scotland meets its responsibility of promoting economy, efficiency and effectiveness in the use of public money.

Data matching involves comparing sets of data, such as the payroll or benefits records of a body, against other records held by the same or another body. The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified, but the inclusion of personal data within a data matching exercise does not mean that any specific individual is under suspicion. Where a match is found it indicates that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out. The exercise can also help bodies to ensure that their records are up to date.

The processing of data by Audit Scotland (in practice the processing is undertaken by the Cabinet Office on Audit Scotland’s behalf) in a data matching exercise is carried out under the powers in Part 2A of the Public Finance and Accountability (Scotland) Act 2000. It does not require the consent of the individuals concerned under the Data Protection Act 2018.

All bodies participating in Audit Scotland’s data matching exercises receive a report of matches. Bodies should investigate the matches, so as to detect instances of fraud, over or under-payments and other errors, and take remedial action and update their records accordingly.

Since 2006/07, the NFI has led to the detection of fraud and over-payments totalling around £158.5 million in Scotland. Across the UK, since 1996, all such exercises undertaken by the Cabinet Office (and its predecessor, the Audit Commission) have led to the detection of fraud and overpayments over £2.4 billion.

Legal Basis

Under the powers of Part 2A of the Public Finance and Accountability (Scotland) Act 2000, Audit Scotland may carry out data matching exercises for the purpose of assisting in the prevention and detection of fraud or other crime and in the apprehension and prosecution of offenders (the ‘permitted purposes’).

Audit Scotland may require certain persons to provide data for data matching exercises. These persons include all the bodies to which the Auditor General for Scotland (AGS) or the Accounts Commission appoints auditors; licensing boards; and officers, office holders and members of these bodies or boards.

Other persons or bodies may participate in Audit Scotland’s data matching exercises on a voluntary basis. Where they do so, the statute states that there is no breach of confidentiality and generally removes other restrictions in providing the data to Audit Scotland.

The requirements of the current data protection legislation continue to apply.

Audit Scotland may disclose the results of data matching exercises where this assists the purpose of the matching (see paragraph 7), including disclosure to bodies that have provided the data and to the auditors appointed by the AGS and the Accounts Commission.

Audit Scotland may disclose both data provided for data matching and the results of data matching to the AGS, the Accounts Commission, the Cabinet Office, or any of the other UK audit agencies specified in Section 26D of the Public Finance and Accountability (Scotland) Act 2000, for the purposes described above.

Wrongful disclosure of data obtained for the purposes of data matching by any person is a criminal offence.

Audit Scotland may impose reasonable charges on any body participating in a data matching exercise.

Audit Scotland must prepare and publish a Code of Practice with respect to data matching exercises. All bodies conducting or participating in its data matching exercises, including Audit Scotland itself, must have regard to the Code.

Audit Scotland may report publicly on its data matching activities.

Data transferred outside the European Economic Area (EEA)

Audit Scotland does not send personal data collected during the NFI outside the EEA.
Bodies required to provide data for matching

Currently, Audit Scotland requires the following bodies to provide data for the NFI in Scotland:

  • Councils
  • Other specified local government bodies
  • Health bodies
  • Scottish Public Pensions Agency (SPPA)
  • Student Awards Agency for Scotland (SAAS)
  • Other specified central government bodies (CG)
  • Colleges.

Audit Scotland also provides its own and the Accounts Commission's payroll and creditor data.

Access by individuals to data included in data matching

Individuals whose data is included in a data matching exercise have rights under current data protection legislation. The participating body, as part of the Code of Data Matching Practice 2018, will have provided individuals with a privacy notice containing information required by data protection legislation.

Individuals’ usual rights of access to data held about them may be limited as a consequence of exemptions from current data protection legislation, where disclosure would be likely to prejudice the prevention or detection of a crime or the apprehension or prosecution of an offender. This determination should be made on a case-by-case basis by the participating body in receipt of the request for information. This means that individuals may be refused full access to information about them that has been processed in data matching exercises.

Individuals have rights under current data protection legislation if data held about them is inaccurate. They should be able to check the accuracy of their data by contacting the participating body holding the data.

Individuals should not expect to be told about data or data matches concerning any other person unless that person has given consent, as this is likely to amount to a breach of data protection principles.

Information requests under the Freedom of Information (Scotland) Act 2002 may be subject to the law enforcement exemption in Section 35, for example where its disclosure would be likely to prejudice substantially the prevention and detection of a crime or the apprehension or prosecution of an offender, or the personal information exemption under Section 38. These determinations should be made on a case-by-case basis by the participating body in receipt of the request for information.

Individuals who want to know whether their data is to be included in a data matching exercise can check the data specifications for each exercise in Audit Scotland’s instructions. The most up-to-date instructions can be found on Audit Scotland’s website or by contacting Audit Scotland (see paragraph 38 for contact details).

What data is matched and why

For information about which data sets are matched by Audit Scotland and the purpose of each match, please refer to the Scottish guidance available on the Audit Scotland website. The table in Appendix 2 summarises the main match types for each participating organisation.

Retention of data

Personal data will not be kept for longer than is necessary. A Data Deletion Schedule setting out the criteria for retaining and deleting data and matches will be published by the Cabinet Office on GOV.UK. All original data transmitted to Audit Scotland (or the Cabinet Office on its behalf), including data derived or produced from that original data, and including data held by any firm undertaking data matching as the Cabinet Office's data processor, will be destroyed and rendered irrecoverable within three months of the conclusion of the exercise.

Participating bodies and their auditors may decide to retain some data after this period. Data may, for example, be needed as working papers for the purposes of audit, or for the purpose of continuing investigations or prosecutions. Data subjects should refer to their body's privacy notice for retention timescales beyond the conclusion of the NFI exercise.

A single set of reference codes for previous matches, together with any comments made by participants’ investigators, will be retained securely offline by the Cabinet Office for as long as they are relevant. This is solely for the purpose of preventing unnecessary re-investigation of previous matches in any subsequent data matching exercise.

Code of Data Matching Practice

Data matching by Audit Scotland is subject to a Code of Data Matching Practice. You can find this on the Audit Scotland website.

Compliance with the Code of Data Matching Practice

Questions and concerns about non-compliance with the Code should be addressed to the organisation responsible in the first instance (that is to the participating body or, if it concerns Audit Scotland’s compliance, to Audit Scotland), before contacting the Information Commissioner see below.

Where Audit Scotland or an auditor becomes aware that a body has not complied with the requirements of the Code, they should notify the body concerned and seek to ensure that it puts in place adequate measures to meet the Code’s requirements. For example, this might include where a participant has not issued adequate privacy notices or submits data other than via the secure NFI website (and that exception has not been approved by the Cabinet Office).

Role of the Information Commissioner

The Information Commissioner regulates compliance with current data protection legislation. If a complaint or matter is referred to the Information Commissioner, he or she would consider compliance with the Code of Data Matching Practice by participating bodies or Audit Scotland in determining whether or not, in the view of the Information Commissioner, there has been any breach of data protection legislation; and where there has been a breach, whether or not any enforcement action is required and the extent of such action. Guidance on the Information Commissioner’s approach to data breaches and enforcement is available on the Information Commissioner’s website.

Personal data handling arrangements - complaints or queries

Audit Scotland strives to process NFI data lawfully, fairly and in a transparent manner. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring their complaints to our attention if they think our processing of NFI data is unlawful.

This privacy notice was drafted with clarity in mind. If you want to make a complaint about the way we have processed your personal information, you can contact our data protection officer at dataprotection@audit-scotland.gov.uk.

If you are not satisfied with our response to your complaint/query about how we handle your personal data, or if you believe we are not processing it in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).

More details on Audit Scotland’s data matching exercises, including national reports, other publications and guidance, may be found on the Audit Scotland website.

Alternatively, please contact:

Audit Scotland
4th Floor
102 West Port
Edinburgh
EH3 9DN

telephone 0131 625 1500.

Email enquiries should be addressed to info@audit-scotland.gov.uk   quoting ‘National Fraud Initiative’ in the subject line.

More information about the UK National Fraud Initiative is available on the Cabinet Office's web-site.

Appendix 1. Personal data

We process information that you provide when making a claim or applying for:

  • Personal budget
  • Pension
  • Taxi Driver licence
  • Market Trader licence (provided by councils on a voluntary basis)
  • Personal Alcohol licence (provided by councils on a voluntary basis)
  • Social Housing (current tenants and individuals on a housing waiting list)
  • Right to Buy
  • Transport pass and permit
  • Council Tax Reduction Scheme
  • Housing Benefit
  • Other State Benefits
  • Student finance
  • Non-domestic rates relief
  • Covid-19 financial support.

We also process information that you provide:

  • When seeking payment of an invoice from an organisation that takes part in the NFI. This is referred to as trade creditor standing and payment history data
  • When seeking payment for employment from an organisation that takes part in the NFI. This is referred to as payroll data
  • When registering to vote. This is referred to as Electoral Register data
  • In relation to your council tax
  • In relation to your business rates
  • In relation to residents in a private care home supported by an organisation that takes part in the NFI.

Data specifications setting out exactly what data we process in the above areas can be accessed from the Cabinet Office website.

Personal budget and private-supported care home data will not be collected at the current time. The Cabinet Office has put this data collection on hold until further notice due to amendments made to the National Health Service Act 2006 where this data is now classified as patient data. As a result, consideration is being given as to whether a change to data matching powers is required before these matches can be released to local authorities.

We may also carry out data matching pilots for the purpose of assisting in the prevention and detection of fraud or other crimes and in the apprehension and prosecution of offenders. For example, one of these pilots processes information that you provide when applying for Scottish benefits - matching applications to other data sets within the NFI such as council tax data.

Criminal Convictions

Should data matching through the NFI result in a prosecution, then this may also be recorded by participating organisations.
Special categories of personal data “Special categories of personal data” is personal data revealing racial or ethnic origin, political opinions, religious or "philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

The legal basis for processing special categories of personal data is:

  • Processing is necessary for reasons of substantial public interest and for the exercise of official authority vested in the controller [Audit Scotland].

Included in the above are certain categories of special categories of personal data:

  • Housing benefit and student loan data includes an indicator of physical or mental health or condition. This disability flag, which does not identify the specific condition, is required as disability has an impact upon a student’s entitlement to claim housing benefit

  • The personal budget (direct payment), residential care home and social care matches use data relating to individuals who have a specified range of social care needs. While we do hold information on the recipients of these services, we do not hold information on medical conditions or support needs

  • We collect information on blue badge holders (and applicants). While we do not hold information on the medical condition that entitles the individual to a badge, we do know who has a badge

  • We collect prescription exemption claim information on patients. While we do not hold information on the medical condition that resulted in the individual being issued with a prescription, we do know who has applied for an exemption from paying for a prescription

  • We collect information of applications for Scottish benefits. While we do hold information on the recipients of benefits, we do not hold information on any medical conditions or support needs.

Audit Scotland's legal basis for processing your criminal convictions data is sections 6, 10, 11, and 12 of schedule 1 to the Data Protection Act 2018.

Special categories of data may be included both in bulk data matching as well as matching at point of application to help prevent application fraud.

Appendix 2. The main match types and the organisations to which they apply (NFI 2020/21)

Pensions to :

Pensions to:
Match type Councils Other

Deceased Persons

Y

Y

Payroll

Y

Y

Housing Benefits

Y

Y

Injury benefits

Y

Police & Fire only

Amberhill*

*Amberhill is a system used by the Metropolitan Police to authenticate documents presented for identity verification.

Y

Y

Deferred pensions to deceased persons 

Y

Y

Housing Benefits to:

Housing Benefits to:

Housing Benefits to:
Match type Councils Other

Student loans

Y

Housing Benefits Housing tenants

Y

Right to buy

Y

Licences

Y

Deceased persons

Y

Amberhill

Y

HM Revenue and Customs (earnings employment, and household composition data) 

Y

Payroll to:

Payroll to:

Payroll to:
Match type Councils Other

Payroll

Y

Y

Pensions

Y

Y

Amberhill

Y

Y

Housing tenants to:

Housing tenants to

Match type Councils Other

Housing tenants

Y

Housing benefits

Y

Right to buy

Y

Amberhill

Y

HM Revenue and Customs (household composition and property ownership data)

Y

Housing waiting list to:

Housing waiting list to:

Housing waiting list to:
Match type Council Other

Waiting list

Y

Housing benefit

Y

Housing tenants

Y

Right to buy

Y

Deceased Persons

Y

Amberhill

Y

Personal Budgets (Direct Payments) to:

Personal Budgets (Direct Payments) to:

Personal Budgets (Direct Payments) to:
Match type Councils Other

Personal budgets

Y

Pensions

Y

Housing benefits

Y

Deceased persons

Y

Amberhill

Y

Student Loans to:

Student Loans to:

Student Loans to:
Match type Councils Other

Deceased persons

SAAS only

Amberhill

SAAS only

Creditors to:

Creditors to:

Creditors to:
Match type Councils Other

Creditors

Y

Y

Payroll

Y

Y

Private Residential Care Homes to:

Private Residential Care Homes to:

Private Residential Care Homes to:
Match type Councils Other

Deceased persons

Y

Amberhill

Y

Parking Permits to:

Parking Permits to:

Parking Permits to:
Match type Councils Other

Deceased persons

Y

Amberhill

Y

Blue badges to:

Blue badges to:

Blue badges to:
Match type Councils Other

Deceased persons

Y

Amberhill

Y

Concessionary travel permits to:

Concessionary travel permits to:

Concessionary travel permits to:
Match type Councils Other

Deceased persons

Y

Council tax to:

Council tax to:

Council tax to:
Match type Councils Other

Electoral register

Y

HM Revenue and Customs (household composition data) 

Y

Council tax reduction to:

Council tax reduction to:

Council tax reduction to:
Match type Councils Other

Council tax reduction

Y

Payroll

Y

Pensions payroll

Y

Housing benefits

Y

Housing tenants

Y

Right to buy

Y

Licences

Y

Deceased persons

Y

Amberhill

Y

HM Revenue and Customs (earnings, employment, and household composition data) 

Y

Licences to Amberhill

Y

Covid-19 financial support to:

Covid-19 financial support to:

Covid-19 financial support to:
Match type Councils Other

Covid-19 financial support

Y

Companies House

Y

Non-domestic rates

Y

Proven fraud ‘watchlist’ data

Y

Non-domestic rates to:

Non-domestic rates to:

Non-domestic rates to:
Match type Councils Other

Non-domestic rates 

Y

Non-domestic rates relief

Y

Companies House

Y

Audit Scotland details

Audit Scotland details

Audit Scotland details
Address Telephone Email Website

Audit Scotland
4th Floor
102 West Port
Edinburgh
EH3 9DN

0131 625 1500

 info@audit-scotland.gov.ukAudit Scotland

Audit Scotland website