Internal Audit Privacy Notice
Privacy Notice for Internal Audit (a joint service with Sevenoaks District Council)
Our primary objective as an Internal Audit function is to provide independent assurance over the Council’s systems of internal control, governance and risk management.
Internal Audit is a required service under Regulation 5 of the Accounts and Audit Regulations 2015. We are required to work in accordance with the Public Sector Internal Audit Standards.
Processing activity - In general terms, we process personal information relating to:
- referrals made under the Whistleblowing Policy
- the prevention, deterrence and detection of fraud committed against the Council
- the investigation of potential irregularities in the Council’s systems and/or processes
Information requirements - In the course of providing the service, we collect such evidence necessary for us to form an opinion over the effectiveness of the systems, processes, policies, and procedures we are auditing. This will include any existing personal data held by the Council in carrying out its functions. This may include:
- full name, date of birth, address, email address, telephone number, sex and marital status
- employment information, for example national insurance number, details of employer, salary details, employment dates, next of kin, sickness records
- financial details, for example bank and/or building society account information including transactions & balances, mortgage accounts, insurance policies, pension information, credit history
- health information gathered to assess eligibility for benefits
- financial information regarding appraisal of financial standing of potential contractors
- written statements and recordings of interviews conducted
- other information gathered during the course of an investigation or proactive exercise
Lawful bases1 - our lawful bases for processing your personal information are:
- our legal obligation(s) under section 151 of the Local Government Act 1972
- our legal obligation(s) under the Police and Criminal Evidence Act 1984
- our legal obligations(s) under the Local Government Finance Act 1992 (as amended)
- our legal obligation(s) under the Social Security Administration Act 1992
- our legal obligation(s) under the Criminal Procedure and Investigations Act 1996
- our legal obligation(s) under the Fraud Act 2006
- our legal obligation(s) under the Bribery Act 2010
- our legal obligation(s) for the administration of council tax under the Local Government Finance Act 2012
- our legal obligation(s) under Part 6 of the Local Audit and Accountability Act 2014
- our legal obligation(s) under the Accounts and Audit Regulations 2015
- where needed for the performance of a task carried out in the public interest (under the above legislation)
- the exercise of official authority vested in us under the Serious Crime Act 2007 (where needed to disclose information to prevent fraud)
Reasons for processing - some of the information that is collected and shared is classified as:
- special category personal data;
- criminal convictions and offences (including alleged offences).
This is processed for reasons of substantial public interest under the laws that apply to us where this helps to meet our broader social obligations such as where it is necessary for us to fulfil our legal obligations and regulatory requirements. We have a Data Protection Policy that sets out how this information will be handled.
Joint Data Controller- the administration of the internal audit function is undertaken by us jointly with Sevenoaks District Council under a collaborative partnership arrangement. We decide together all the purposes for using the personal information that we share and we decide together the broad ways in which that personal information will be used.On occasion, in accordance with section 6(2) of the Data Protection Act 2018, we may be prevented from sharing and/or delegating the exercise of our functions, thereby requiring us to exercise our functions as a sole data controller.
Data sharing - we may share and receive information from:
- our department(s) including Electoral Registration
- other local authorities
- government agencies
- Land Registry
- Border Force
- Department for Work and Pensions
- Cabinet Office (as part of the National Fraud Initiative)
- National Audit Office
- credit reference agencies
- health and social care organisations
We may also rely on a number of exemptions, which allow us to share information without needing to comply with all the rights and obligations under the Data Protection Act 2018. Please refer to the Kent & Medway Information Agreement for further details on our sharing arrangements.
Retention period - we keep your personal information for the minimum period necessary. The information outlined in this Privacy Notice will be kept in accordance with the retention periods referred to in our Asset Information Register. All information will be held securely and disposed of confidentially.
Anonymisation - your personal information may be converted ('anonymised') into statistical or aggregated data in such a way that ensures that you cannot be identified from it. Aggregated data cannot, by definition, be linked back to you as an individual and may be used to conduct research and analysis, including the preparation of statistics for use in our reports.
Right to object - where processing your personal information is required for the performance of a public interest task (see our lawful bases above), you have the right to object on ‘grounds relating to your particular situation’. We will have to demonstrate why it is appropriate for us to continue to use your personal data.
Changes to this Privacy Notice - we review this Privacy Notice regularly and will place updates on our website.
Please refer to our Corporate Privacy Notice for further details of how we process your personal information.
1 Note that we may process your personal information on more than one lawful basis depending on the specific purpose for which we are using your information
GDPR Internal Audit (Joint Service with Sevenoaks District Council) Privacy Notice