Some of the language used in privacy notices can be specialised. The Information Commissioner's website provides a useful introduction to key terms and concepts.
What is this notice?
The Scottish Parliamentary Corporate Body (SPCB) is required by law to protect the public funds it administers and have adequate controls in place to prevent and detect fraud and error. Audit Scotland currently requires the SPCB to participate in the biennial National Fraud Initiative (NFI) data matching exercise. This notice sets out how we will use personal data which is submitted as part of this exercise.
Who does this notice apply to?
This notice applies to the following individuals:
- all employees of the SPCB, MSPs, MSP staff, Commissioners and Law Officers
- suppliers (Creditors) including contractors, businesses which are not limited companies including sole traders, recreational groups (e.g. musicians) and individuals (including Advisory Audit Board Members, Visitors, Witnesses, Delegates and Advisors). Note, suppliers can also include employees of the SPCB, MSPs, MSP staff, and Commissioners
Data protection queries relating to the NFI exercise
There is an appointed Data Protection Action Officer within Finance and Human Resources, who can assist with any questions relating to the NFI exercise. The contact details are as follows:
- suppliers (Creditor) queries: [email protected]
- payroll queries: [email protected]
For general data protection queries, please refer to the Contact information and further advice section.
The purposes of the processing
In Scotland, the NFI is led by Audit Scotland and overseen by the Cabinet Office for the UK as a whole. Audit Scotland currently requires the SPCB to participate in the NFI data matching exercise to assist in the prevention and detection of fraud and other crime.
The NFI is a data matching exercise which matches electronic data within and between participating bodies. The exercise runs every 2 years and uses computerised techniques to compare information about individuals held by different public bodies, and on different financial systems that might suggest the existence of fraud or error. The Cabinet Office processes the data for NFI in Scotland on behalf of Audit Scotland and provides a secure website and NFI application for participating bodies and auditors in Scotland to use.
The data matching involves comparing sets of data (Standing Creditor Data, Creditor Payment History and Payroll), against other records held by the same or another body to see how far they match. The data is usually personal information. Computerised data matching allows possible fraudulent claims and payments to be identified. However, the inclusion of personal data within a data matching exercise does not mean that any specific individual is under suspicion. Where a match is found, it may indicate that there is an inconsistency that requires further investigation. However, no assumption can be made as to whether there is fraud, error or another explanation until an investigation is carried out.
As a participating body in the NFI data matching exercise, the SPCB receive a report of matches via the NFI web application. The SPCB need to investigate these matches, so as to detect instances of fraud, over- or under-payments and other errors, to take remedial action and update our records accordingly.
Data matching by Audit Scotland and all participants are subject to a Code of Data Matching Practice.
For further information on Audit Scotland’s legal powers and the reasons why it matches particular information, please refer to Audit Scotland’s NFI Privacy Notice and also Audit Scotland's NFI in Scotland The National Fraud Initiative in Scotland 2012/13 information on their website. In addition, you can also refer to the Cabinet Office’s NFI Privacy Notice and information about the UK NFI exercise on their website.
Audit Scotland's NFI Privacy Notice
Further information on The National Fraud Initiative in Scotland 2022
Cabinet Office's NFI Privacy Notice
Further information about the UK National Fraud Initiative exercise
Categories of information processed
The SPCB is required to provide 3 data sets for the NFI data matching exercises:
Trade creditors standing data
Normal category personal data is processed which includes: name, address, telephone number, bank or building society details.
Trade creditors payment history (3 years)
Personal data is not contained within this data set.
Payroll data
Normal category personal data is processed which includes:
- name
- address
- telephone number
- email address
- date of birth
- National Insurance number
- start date
- gross pay to date
- bank or building society address and account details
- employment status (full time/part-time including contracted hours).
Please note, once the above data is extracted from the SPCB’s financial accounting system or the human resources/payroll system and uploaded onto the NFI web application by the required deadline, the data on the NFI web application cannot be altered as it is based on a moment in time. If any errors or updates to the data are identified through the matching exercise, the original source of the information will be updated e.g. the SPCB’s financial accounting system or the human resources/payroll system.
Source of the information
Trade creditors standing data and trade creditors payment history
All data, including personal data, is downloaded directly from the SPCB’s financial accounting system. For further details on the original source of data which is provided to us directly from individuals (data subjects), please refer to the Processing Payment of Invoices and Reimbursement of Fees and Expenses privacy notice.
Processing payment of invoices and reimbursement of fees/expenses privacy notice
Payroll data
Personal data is downloaded directly from the Human Resources/payroll system. For further details on the original source of data which is provided to us directly from individuals (data subjects), please refer to the relevant privacy notice (HR: Workers, MSP Appointment, MSP Staff Appointment, Chief Executive: Officeholder Appointment).
Scottish Parliament privacy notices
Legal basis for processing
Data protection law states that we must have a legal basis for handling your personal data in terms of Article 6 of the UK General Data Protection Regulation (UK GDPR).
This data matching exercise is carried out under the powers in Part 2A of the Public Finance and Accountability (Scotland) Act 2000. It does not require the consent of the individuals concerned under the Data Protection Act 2018. The legal basis for the data sharing in this context is that it is necessary for compliance with a legal obligation that the SPCB is subject to (Article 6(1)(c) UK GDPR).
Automated decision making
Data matching by Audit Scotland is subject to a Code of Data Matching Practice.
Further information can be found on the Audit Scotland website
Data sharing
Personal data is shared both externally with Audit Scotland and the Cabinet Office, and other bodies participating in the NFI data-matching exercise via the NFI web application; and where relevant internally within the SPCB.
- The SPCB follows the procedures provided by Audit Scotland and the Cabinet Office to ensure personal data is securely extracted from the financial and human resources/payroll systems and then uploaded onto the NFI web application. Note, the data which is extracted is password protected, and held securely on the SPCB’s servers. This data and access to the NFI web application is restricted to authorised users within the Finance and Human Resources office.
- Personal data may be shared with other participating bodies in data matching exercises. The SPCB may be in contact with other organisations to confirm or clarify any information relating to the data matches. A list of participating bodies can be found in Audit Scotland’s NFI Privacy Notice.
- Personal data may be shared internally with relevant business areas in order to investigate any data matches, and where relevant, recover any duplicate payments or take any other appropriate action. Personal data is restricted to Finance, Human Resources, and the relevant business areas. Any data which is downloaded from the NFI web application is securely stored electronically, with restricted access.
Retention of data
Data upload to NFI application
Once all data sets have been successfully uploaded onto the secure NFI web application, the extracted data from the SPCB’s financial and human resources/payroll systems which is required for the upload are destroyed. The data stored within the NFI web application will be processed in accordance with Audit Scotland’s NFI Privacy Notice and the Cabinet Office’s NFI Privacy Notice and retention schedule.
Investigation of data matches
After the SPCB has been notified that the data matches are available in the NFI web application, reports can be downloaded from the NFI web application in order to investigate the data matches. Any personal data downloaded from the NFI web application and used for the purpose of carrying out investigations and subsequently for auditing purposes is retained securely in an electronic format, access is limited as appropriate and it is destroyed within two years, in line with the conclusion of the NFI exercise nationally.
Children and young people safeguarding and child protection
In line with the principles underlying the National Guidance for Child Protection in Scotland (2014), published by the Scottish Government, our staff may report a concern to the relevant authorities if they come across an issue during their work which causes them to think that a child may be at risk of abuse or harm.
Your rights
Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below. You can exercise your data subject rights in particular circumstances depending on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.
The following rights may apply:
Access to your information
You have the right to request a copy of the personal information about you that we hold.
Further information on how to make a data protection 'subject access request'.
Correcting your information
You have the right to ask us to correct the personal data we hold about you. We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.
Objecting to how we may use your information
You have the right at any time to require us to stop using your personal information for direct marketing purposes. In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.
- please note that the right to object to the processing of personal data does not apply where the data subject has consented to the processing, subject to the right to withdraw consent
- the right to object to the processing of personal data for the purposes of a public interest task is restricted if there are legitimate grounds for the processing which override the interest of the data subject
- the right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you
Deletion of your information
You have the right to ask us to delete personal information about you where:
- you consider that we no longer require the information for the purposes for which it was obtained
- we are using that information with your consent and you have withdrawn your consent – see Withdrawing consent to using your information below
- you have validly objected to our use of your personal information – see Objecting to how we may use your information above
- our use of your personal information is contrary to law or our other legal obligations
- please note that the right allowing for deletion or erasure of personal data (right to be forgotten) does not apply in cases where personal data is processed for the purposes of the performance of a task carried out in the public interest
- the right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you
Restricting how we may use your information
In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information, but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
Withdrawing consent to using your information
Where we use your personal information with your consent, you may withdraw that consent at any time and we will stop using your personal information for the purposes for which consent was given.
Please contact us in any of the ways set out below if you wish to exercise any of these rights.
Changes to our privacy statement
We keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained using the contact information below.
This privacy statement was last updated on 6 September 2022.
Complaints
We seek to resolve directly all complaints about how we handle personal information but you also have the right to lodge a complaint with the Information Commissioner's Office online at: https://ico.org.uk/make-a-complaint.
Or by phone at: 0303 123 1113
Contact information and further advice
If you have any further questions about the way in which we process personal data, or
about how to exercise your rights, please contact the Head of Information Governance
at:
The Scottish Parliament
Edinburgh
EH99 1SP
Telephone: 0131 348 5281
(Calls are welcome through the Text Relay service or in British Sign Language through contactSCOTLAND-BSL.)
Email: [email protected]
Please contact us if you require information in another language or format