Privacy Notice for the PSFA Enforcement Unit
Published 12 March 2024
© Crown copyright 2024
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/privacy-notice-for-the-psfa-enforcement-unit/privacy-notice-for-the-psfa-enforcement-unit
This notice sets out how the Public Sector Fraud Authority Enforcement Unit (the “Enforcement Unit”, which is part of the Cabinet Office), will use your personal data, and your rights in relation to that data.
The Data Protection Act 2018 (the DPA, which is UK’s implementation of the General Data Protection Regulation) sets out eight principles for the fair and lawful obtaining, recording, use and security of personal information. The act works in two ways;
- it gives you, as an individual, certain rights
- it ensures that we, as an organisation, are open about how the information is stored and used.
Purpose of processing your personal data
We collect and use personal data so that we can carry out our legal and official functions. There is no other reasonable and less intrusive way to achieve this purpose. Personal data has the same meaning as that set out by the Information Commissioner’s Office guidance on Data Protection - it is any information relating to an identified or identifiable living individual.
The actions the Enforcement Unit may take will vary between cases and will depend upon the legal powers available to the Enforcement Unit. Actions could include investigation, recovery, sanctions, penalties and prosecution, and working with other departments, public sector bodies and law enforcement to undertake these and related actions.
All personal data we hold will ultimately be for law enforcement purposes, regardless of whether or not cases are disposed of in a civil or criminal manner.
Types of personal data processed
Personal data Items include but are not limited to:
- Full name
- Postal address
- Telephone number
- Date of Birth
- IP Address
- Email address
- Bank Account information
- Credit risk data
- Asset data
- Contract information
- Identification documents (e.g. Passport and driving licence)
- Data hosted on publicly accessible social media
- Company directorships
- Director disqualifications
- Previous prosecutions
- National Insurance Number
- Known associates
- Criminal records data
Data on third parties (family, known associates): The Enforcement Unit will seek any evidence of complicity in the offence, or in the dispersal of assets from the offence, both of which are criminal offences.
We will also process any other personal data relevant to the investigation of an offence or enforcement action taken against suspected fraud.
Sensitive personal data is required in order to produce successful investigative outcomes and enforcement action, regardless of whether or not the fraud is pursued as a civil or criminal matter. Sensitive data will only be processed when it is relevant to a fraud investigation.
Lawful basis for processing
The legal basis under section 35 of the Data Protection Act 2018 for processing this personal data is because processing is necessary for the performance of a task carried out for law enforcement purposes by a competent authority. The Cabinet Office is a Competent Authority as defined in S1. of Schedule 7 of the DPA 2018, and the Enforcement Unit exercises these functions as part of the Cabinet Office.
Under section 35 of the Data Protection Act 2018, our basis for “sensitive processing” is:
- the processing is strictly necessary for the law enforcement purpose
- the processing meets at least one of the conditions in Schedule 8
- an appropriate policy document in place
The schedule 8 condition relied upon by the Enforcement Unit is para 1:
“Statutory etc purposes
The processing is necessary for the exercise of a function conferred on a person by an enactment or rule of law, and is necessary for reasons of substantial public interest.”
Our sources of personal data
Personal data are obtained by us from a variety of sources, including government departments and public sector bodies as well as other sources including commercial entities, and publicly available information.
The Enforcement Unit may observe, monitor, record and retain data on the internet which is available to anyone. This is known as ‘Open Source’ material and includes news report internet sites, commercial databases, Companies House and Land Registry records, blogs and social networking sites where no privacy settings have been applied.
When the Enforcement Unit undertakes Open Source research it may be regarded as ‘overt’. A directed surveillance authorisation (DSA) is not required for overt checks. If the Enforcement Unit were to intentionally conceal that checks are being made, such checks would be covert and may require a DSA under the Regulation of Investigatory Powers Act 2000 (RIPA). Whether checks are overt or covert, whenever private information is obtained, all actions will be both reasonable and proportionate and any legal duties will be discharged prior to collecting the information.
Recipients of personal data
We may give information to agents or contractors so that they can provide the services we need. In such cases, legally binding contracts covering the use and security of your information will be put in place. We will share personal information only when it is lawful to do so and when your rights have been fully considered.
As personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide email, and document management and storage services.
Retention of personal data
If the data is connected to a suspected fraud we anticipate holding it for up to five years following the resolution of the action for which it was collected.
If we determine the data is not connected to a suspected fraud, it will be held for a period of up to two years prior to deletion.
Your rights
Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is done through a Subject Access Request (SAR).
Information on the right to access data is available from the Information Commissioner’s Office. A request to provide the information may be refused if an exemption or restriction applies, or if the request is manifestly unfounded or excessive. The Enforcement Unit will treat each SAR on its own merits.
You have the right to request that any inaccuracies in your personal data are rectified without delay. If you believe the information we hold is inaccurate or misleading, please contact us. We will then check and correct if appropriate, or inform you of the source of that information in order for you to contact the relevant party.
You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.
You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.
International transfers
As personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the United Kingdom. Where that is the case it will be necessary for law enforcement purposes and the destination territory benefits from a UK adequacy decision, or a legal instrument containing appropriate safeguards for the protection of personal data binds the intended recipient of the data, or the transfer is required for special circumstances as set out in section 76 of the Data Protection Act 2018.
Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113 Email: icocasework@ico.org.uk
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
Contact details
The data controller for your personal data is the Cabinet Office.
Cabinet Office
1st Floor, 10 Great George Street
London
SW1 3AE
The contact details for the Data Protection Officer (DPO) at the Cabinet Office are: dpo@cabinetoffice.gov.uk
The Data Protection Officer provides independent advice and monitoring of the Cabinet Office’s use of personal information.