Our primary objective as an Internal Audit function is to provide independent assurance over our systems of internal control, governance and risk management.  

Section 151 of the Local Government Act 1972 requires us to arrange for the proper administration of our financial affairs. Our Internal Audit service is governed by reg.5 of the Accounts and Audit Regulations 2015.

We are required to comply with the Public Sector Internal Audit Standards (PSIAS), to ensure we promote improvement in the professionalism, quality, consistency and effectiveness of the Internal Audit service.

Processing activity - In general terms, we process personal information relating to:

  • referrals made under the Whistleblowing Policy
  • the prevention, deterrence and detection of fraud committed against the Council (Counterfraud and Corruption Strategy)
  • the investigation of potential irregularities in the Council’s systems and/or processes

Information requirements - In the course of providing the service, we collect such evidence necessary for us to form an opinion over the effectiveness of the systems, processes, policies, and procedures we are auditing. This will include any existing personal data held by the Council in carrying out its functions. This may include:

  • full name, date of birth, address, email address, telephone number, sex and marital status
  • employment information, for example national insurance number, details of employer, salary details, employment dates, next of kin, sickness records
  • financial details, for example bank and/or building society account information including transactions & balances, mortgage accounts, insurance policies, pension information, credit history
  • health information gathered to assess eligibility for benefits
  • financial information regarding appraisal of financial standing of potential contractors
  • written statements and recordings of interviews conducted
  • other information gathered during the course of an investigation or proactive exercise


Lawful bases¹ - our lawful bases for processing your personal information are:

UK GDPR Article 6(1)(c) - our legal obligation(s) under:

  1. section 151 of the Local Government Act 1972
  2. Police and Criminal Evidence Act 1984
  3. Local Government Finance Act 1992 (as amended)
  4. Social Security Administration Act 1992
  5. Criminal Procedure and Investigations Act 1996
  6. Public Interest Disclosure Act 1998
  7. Regulation of Investigatory Powers Act 2000
  8. Fraud Act 2006
  9. Serious Crime Act 2007
  10. Bribery Act 2010
  11. Local Government Finance Act 2012 (administration of council tax)
  12. Council Tax Reduction Schemes (Detection of Fraud and Enforcement) (England) Regulations 2013
  13. Prevention of Social Housing Fraud Act (Power to Require Information) (England) Regulations 2014
  14. Part 6 of the Local Audit and Accountability Act 2014
  15. Accounts and Audit Regulations 2015

UK GDPR Article 6(1)(e) and s8(c) DPA 2018 - where needed for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (under the above legislation)

UK GDPR Article 9(2)(g) and DPA 2018, Schedule 1, paras.6(1) & (2)(a) and 20 - special category personal data - where processing is necessary for reasons of substantial public interest (under the above legislation)

UK GDPR Article 10 as supplemented by DPA 2018 section 10(5) & Schedule 1, Part 2, paras. 6(1) and (2)(a), paras.10, 12, 14 and Part 3, para. 33 - criminal convictions and offences - where processing is necessary for reasons of substantial public interest (under the above legislation)

We have a Data Protection Policy that sets out how this information will be handled.

Joint Data Controller - the administration of the internal audit function is undertaken by us jointly with Sevenoaks District Council under a collaborative partnership arrangement. We decide together all the purposes for using the personal information that we share and we decide together the broad ways in which that personal information will be used. On occasion, in accordance with section 6(2) of the Data Protection Act 2018, we may be prevented from sharing and/or delegating the exercise of our functions, thereby requiring us to exercise our functions as a sole data controller.

Data sharing - we may share and receive information from:

  • our department(s) including Electoral Registration
  • other local authorities
  • government agencies
  • courts/tribunals
  • Land Registry
  • HMRC
  • Registered Social Landlords
  • Border Force
  • Department for Work and Pensions
  • employers
  • Cabinet Office (as part of the National Fraud Initiative)
  • National Audit Office
  • Police
  • NHS
  • credit reference agencies
  • health and social care organisations
  • our service providers (we may from time to time commission third parties to undertake audits of our systems against the PSIAS).

We may also rely on a number of exemptions, which allow us to share information without needing to comply with all the rights and obligations under the Data Protection Act 2018. Please refer to the Kent and Medway Information Agreement for further details on our sharing arrangements.

Retention period - we keep your personal information for the minimum period necessary. The information outlined in this Privacy Notice will be kept in accordance with the retention periods referred to in our Information Asset Information Register. All information will be held securely and disposed of confidentially.

Anonymisation - your personal information may be converted ('anonymised') into statistical or aggregated data in such a way that ensures that you cannot be identified from it. Aggregated data cannot, by definition, be linked back to you as an individual and may be used to conduct research and analysis, including the preparation of statistics for use in our reports.

Right to object - where processing your personal information is required for the performance of a public interest task (see our lawful bases above), you have the right to object on ‘grounds relating to your particular situation’. We will have to demonstrate why it is appropriate for us to continue to use your personal data.

Changes to this Privacy Notice - we review this Privacy Notice regularly and will place updates on our website.

Please refer to our Corporate Privacy Notice for further details of how we process your personal information.


¹ Note that we may process your personal information on more than one lawful basis depending on the specific purpose for which we are using your information.

GDPR Internal Audit (Joint Service with Sevenoaks District Council) Privacy Notice