Internal audit and counter fraud privacy notice
1 Council Contact Details
1.1 North Northamptonshire Council
41 Meadow Road
Tel: 0300 126 3000
2 Information that we hold
2.1 Internal Audit and Counter Fraud is an independent function whose primary objective is to provide assurance to the Council on risk management, control, fraud and governance processes.
The requirement for the Council to have an Internal Audit and Counter Fraud function is set out in legislation: Section 151 of the Local Government Act 1972.
Internal Audit and Counter Fraud will have access to information held by any service area within the Council in order to be able to undertake their work; this may include the following types of personal and special category data:
- Personal, for example name, date of birth, address, sex and marital status
- Employment information, for example national insurance number, details of employer, salary details, employment dates, next of kin, sickness records
- Financial details, for example bank and/or building society account information including transactions and balances, mortgage accounts, insurance policies, pension information, credit history
- Health information gathered to assess eligibility for benefits
- Financial information regarding appraisal of financial standing of potential contractors
- Written statements and recordings of interviews conducted
- Other information gathered during an investigation or proactive exercises.
The data discloser is responsible for making sure that Internal Audit and Counter Fraud receive accurate and up-to-date information, and for notifying us of any incorrect personal information that we hold.
3 How the information is obtained
3.1 The personal information we process is provided to us directly from the council’s service areas, for one of the following reasons:
- During the course of internal audit and governance reviews of council provided services and of services provided to the council
- In conducting an investigation, personal information is gathered from numerous sources such as council records, external organisations, third parties, witnesses and the investigation subject
- From other external parties, such as the Department for Work and Pensions (DWP)
- Internal Audit and Counter Fraud have access to all information supplied to any department within the Council by individuals including customers, staff, suppliers and any other third parties.
3.2 There are a number of reasons why we need to collect and use your personal information. Generally, we collect and use personal information where:
- It is necessary to meet our legal obligations
- We need it to perform a public task
- We have a contractual obligation.
We may also need to process special category information (e.g. ethnicity, health, medical data, political opinions) and, in addition to the lawful bases above, under UK GDPR Article 9, the lawful basis for this processing will be:
- Reasons of substantial public interest (with a basis in law).
The substantial public interest conditions, set out in Part 2 of Schedule 1 of the Data Protection Act 2018 upon which we rely in order to process this data are:
- Preventing or detecting unlawful acts
- Preventing fraud.
4 What we do with the information
4.1 Internal Audit and Counter Fraud are required to hold, or have access to, information from systems and processes across the Council so that we can:
- Fulfil legal requirements to provide an internal audit and counter fraud function
- Investigate referrals made under the corporate whistleblowing policy
- Ensure the effectiveness of governance processes
- Facilitate the prevention, deterrence and detection of fraud committed against the Council
- Facilitate effective risk management within the Council
- Investigate potential irregularities.
4.2 We will not use your personal data for purposes other than those for which it was collated unless we have obtained your consent or it is for other lawful purposes (e.g. detection and prevention of fraud). We will share personal information with law enforcement or other authorities if required by applicable law. Any information sharing is undertaken in accordance with UK GDPR and the Data Protection Act 2018, and we have mechanisms in place to share information lawfully and securely.
4.3 We will only share your personal information where permitted by law. We will share your personal information with:
- Other internal Council services to enable the establishment of the effectiveness of corporate systems and processes
- During the course of an investigation or audit, data may be shared with other Council departments such as Human Resources and the Corporate Fraud Team
- Legal practitioners, tribunals and courts where criminal action is taken against an individual
- The Council’s external auditors
- Local Government Ombudsmen as requested as part of any ongoing complaint investigations
- Other Government departments and agencies, for example the Department for Work and Pensions (DWP).
4.4 We do not use automated decision-making for internal audit and counter fraud purposes. Automated decision-making is where decisions are made about you without any human influence on the outcome. These may affect your legal rights or have an impact on your circumstances, behaviour or choices.
4.5 There is no profiling undertaken in relation to internal audit and counter fraud processing. Profiling is where you analyse parts of an individual’s personality, behaviour, interests and habits to identify their preferences, make predictions or decisions about them.
5 How long we keep your information for and how we securely dispose of it after use
5.1 For internal audit and counter fraud purposes, we will hold your personal information for 6 years plus the current year (7 years) in accordance with the Accounts and Audit Regulations. A copy of the retention schedule can be requested through the council’s website.
5.2 We will securely dispose of your information in line with retention periods.
6 How we store your information
6.1 Your information is securely stored on the council’s systems, the servers for which are UK based. If you provided the information as part of a customer contact form, the equality monitoring section is sent straight through to the equalities team and is separated from the main section of the e-form. This means that the data is anonymised.
6.2 We do not transfer any personal information outside of the European Economic Area (EEA).
7 Your data protection rights
7.1 The law gives you a number of rights to control what personal information is used by us and how we can use it. For further information, please see section 15 of the council’s ‘Corporate Privacy Notice’.
7.2 Please be aware that your rights may differ depending on the lawful basis for processing your personal data.
8 Who to contact
8.1 If you would like further information about how we use your personal information, or you wish to exercise one of your data rights, or you wish to complain about the use of your personal information, please contact the Data Protection Officer.
8.2 If you are still dissatisfied once you have contacted the Data Protection Officer, you have the right to complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113
9 Changes to this privacy notice
9.1 Privacy notices are live documents, which will be updated or revised in line with legislation.
Last updated 26 May 2022