The Scottish Parliamentary Corporate Body (SPCB) is required by law to protect the public funds it administers and have adequate controls in place to prevent and detect fraud and error. Audit Scotland currently requires the SPCB to participate in the biennial National Fraud Initiative (NFI) data matching exercise. This notice sets out how we will use personal data which is submitted as part of this exercise.
This notice applies to the following individuals:
There is an appointed Data Protection Action Officer within Finance and Human Resources, who can assist with any questions relating to the NFI exercise. The contact details are as follows:
For general data protection queries, please refer to the Contact information and further advice section.
In Scotland, the NFI is led by Audit Scotland and overseen by the Cabinet Office for the UK as a whole. Audit Scotland currently requires the SPCB to participate in the NFI data matching exercise to assist in the prevention and detection of fraud and other crime.
The NFI is a data matching exercise which matches electronic data within and between participating bodies. The exercise runs every 2 years and uses computerised techniques to compare information about individuals held by different public bodies, and on different financial systems, to identify anything that might suggest the existence of fraud or error. The Cabinet Office processes the data for NFI in Scotland on behalf of Audit Scotland and provides a secure website and NFI application for participating bodies and auditors in Scotland to use.
The data matching involves comparing sets of data (Standing Creditor Data, Creditor Payment History and Payroll), against other records held by the same or another body to see how far they match. The data is usually personal information. Computerised data matching allows possible fraudulent claims and payments to be identified. However, the inclusion of personal data within a data matching exercise does not mean that any specific individual is under suspicion. Where a match is found, it may indicate that there is an inconsistency that requires further investigation. However, no assumption can be made as to whether there is fraud, error or another explanation until an investigation is carried out.
As a participating body in the NFI data matching exercise, the SPCB receives a report of matches via the NFI web application. The SPCB needs to investigate these matches in order to detect instances of fraud, over- or under-payments and other errors, to take remedial action and to update our records accordingly.
Data matching by Audit Scotland and all participants is subject to a Code of Data Matching Practice.
The National Fraud Initiative in Scotland 2024 | Audit Scotland
For further information on Audit Scotland’s legal powers and the reasons why it matches particular information, please refer to Audit Scotland’s NFI Privacy Notice and The National Fraud Initiative in Scotland 2024/25 information on their website. In addition, you can also refer to the Cabinet Office’s NFI Privacy Notice and information about the UK NFI exercise on their website.
National Fraud Initiative in Scotland: Privacy notice
The National Fraud Initiative in Scotland 2024 | Audit Scotland
Cabinet Office's NFI Privacy Notice
Further information about the UK National Fraud Initiative exercise
The SPCB is required to provide 3 data sets for the NFI data matching exercises:
Trade Creditors Standing Data:
Normal category personal data is processed which includes: name, address, telephone number, bank or building society details.
Trade Creditors Payment History (3 years):
Personal data is not contained within this data set.
Payroll Data:
Normal category personal data is processed which includes:
Please note, once the above data is extracted from the SPCB’s financial accounting system or the human resources/payroll system and uploaded onto the NFI web application by the required deadline, the data on the NFI web application cannot be altered as it is based on a moment in time. If any errors or updates to the data are identified through the matching exercise, the original source of the information will be updated e.g. the SPCB’s financial accounting system or the human resources/payroll system.
Trade Creditors Standing Data & Trade Creditors Payment History
All data, including personal data, is downloaded directly from the SPCB’s financial accounting system. For further details on the original source of data which is provided to us directly from individuals (data subjects), please refer to the Processing Payment of Invoices and Reimbursement of Fees and Expenses privacy notice.
Processing payment of invoices and reimbursement of fees/expenses privacy notice
Payroll Data
Personal data is downloaded directly from the Human Resources/payroll system. For further details on the original source of data which is provided to us directly from individuals (data subjects), please refer to the relevant privacy notice (HR: Workers, MSP Appointment, MSP Staff Appointment, Chief Executive: Officeholder Appointment).
Privacy notices | Scottish Parliament Website
Data protection law states that we must have a legal basis for handling your personal data in terms of Article 6 of the UK General Data Protection Regulation (UK GDPR).
This data matching exercise is carried out under the powers in Part 2A of the Public Finance and Accountability (Scotland) Act 2000. It does not require the consent of the individuals concerned under the Data Protection Act 2018. The legal basis for the data sharing in this context is that it is necessary for compliance with a legal obligation that the SPCB is subject to (Article 6(1)(c) UK GDPR).
Data matching by Audit Scotland is subject to a Code of Data Matching Practice.
The National Fraud Initiative in Scotland 2024 | Audit Scotland
Personal data is shared both externally with Audit Scotland and the Cabinet Office, and other bodies participating in the NFI data matching exercise via the NFI web application; and where relevant internally within the SPCB.
Data upload to NFI Application:
Once all data sets have been successfully uploaded onto the secure NFI web application, the data extracted from the SPCB’s financial and human resources/payroll systems for the upload is destroyed. The data stored within the NFI web application will be processed in accordance with Audit Scotland’s NFI Privacy Notice and the Cabinet Office’s NFI Privacy Notice and retention schedule.
Investigation of Data Matches:
After the SPCB has been notified that the data matches are available in the NFI web application, reports can be downloaded from the NFI web application in order to investigate the data matches. Any personal data downloaded from the NFI web application and used for the purpose of carrying out investigations and subsequently for auditing purposes is retained securely in an electronic format. Access is limited as appropriate and the data is destroyed within two years, in line with the conclusion of the NFI exercise nationally.
In line with the principles underlying the National Guidance for Child Protection in Scotland (2014), published by the Scottish Government, our staff may report a concern to the relevant authorities if they come across an issue during their work which causes them to think that a child may be at risk of abuse or harm.
Data protection legislation sets out the rights which individuals have in relation to personal data held about them by data controllers. Applicable rights are listed below. You can exercise your data subject rights in particular circumstances depending on the purpose for which the data controller is processing the data and the legal basis upon which the processing takes place.
The following rights may apply:
You have the right to request a copy of the personal information about you that we hold.
Further information on how to make a data protection 'subject access request'.
You have the right to ask us to correct the personal data we hold about you. We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.
You have the right at any time to require us to stop using your personal information for direct marketing purposes.
The right of erasure and the right to object to processing of personal data do not apply where personal data is processed for the performance of a legal obligation. This will be considered on a case by case basis and depends on what personal data is involved and the risks further processing of that data could pose to you.
In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where there is no longer a basis for using your personal information, but you don't want us to delete the data. Where this right is validly exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
We keep this privacy statement under regular review and will place any updates on this website. Paper copies of the privacy statement may also be obtained using the contact information below.
This privacy statement was last updated on 24 September 2024.
We seek to resolve directly all complaints about how we handle personal information but you also have the right to lodge a complaint with the Information Commissioner's Office online at: https://ico.org.uk/make-a-complaint.
Or by phone at: 0303 123 1113
If you have any further questions about the way in which we process personal data, or about how to exercise your rights, please contact the Head of Information Governance at:
The Scottish Parliament
Edinburgh
EH99 1SP
Telephone: 0131 348 5281
(Calls are welcome through the Text Relay service or in British Sign Language through contactSCOTLAND-BSL.)
Email: [email protected]
Please contact us if you require information in another language or format.