Cabinet Office Counter Fraud Privacy Notice
Published 26 September 2024
This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).
1. Your data
The purposes for which we are processing your personal data are:
- Cabinet Office will participate in the National Fraud Initiative (NFI) exercises that match data between public and private sector bodies to detect and prevent instances of fraud.
- Data is processed for the purpose of Cabinet Office detecting, investigating and preventing fraud.
The department is developing its counter fraud capability to implement a robust response to allegations of fraud, bribery and corruption (collectively referred to as fraud from here) against the Cabinet Office.
2. The data
We will process the following personal data during the course of a fraud investigation. Data items include but are not limited to:
- Employee Reference Number
- Email address (if it identifies a person)
- Title
- Gender
- Surname
- Forenames
- Address
- Postcode
- Date of Birth
- Home Telephone Number
- Mobile Telephone Number
- Date started
- Date left
- National Insurance Number
- Standard Hours per week
- Date Last Paid
- Tax code
- Pay
- Expenses
- Government Procurement Card Transactions
- Contract and its terms
- Overtime claims
- Flexi time
- HR records
- Pass/building access data
- Government device data including log on/log off data
- Other relevant details for the purpose of fraud investigations
- Trade union representative/membership
- Health data where relevant to a fraud allegation
- Work travel bookings
- Internet action on business IT systems
- Email communication on business IT systems
We will process the following personal data of the person reporting concerns (whether an employee or non-employee):
- Name
- Contact details
- Nature of the complaint including any documents or data
We also share the following data on employees with the National Fraud Initiative. This is used for NFI payroll matching to detect employment-related fraud. The following data items are shared:
- Employee reference number
- Title
- Gender
- Surname
- Forename(s)
- Middle name(s) or middle initial(s)
- Address
- Postcode
- Date of birth
- Home telephone number
- Mobile telephone number
- Work email address
- Date started
- Date left
- Leaver indicator
- National Insurance Number
- Full-time/part-time flag
- Gross pay to date
- Standard hours per week
- Date last paid
- Sort code
- Bank account
- Building society roll number
We will receive back from NFI data on any matches against this data to assist us in detecting fraud. NFI will also share all of the above payroll data with other public and private sector organisations that participate in the NFI.
3. Legal Basis of Processing
The legal basis for processing your personal data is:
- It is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. In this case those are our legitimate interests in the identification and reduction of fraud.
- Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The legal basis for processing your sensitive personal data, and criminal convictions data, is:
- The processing is necessary for the purposes of the prevention or detection of an unlawful act, it must be carried out without the consent of the data subject so as not to prejudice those purposes, and is necessary for reasons of substantial public interest (para 10, sch.1, DPA 2018). Until we investigate we do not know if it reaches a criminal threshold or not.
4. Recipients
When an allegation of fraud is received a triage is required to determine the appropriate response. The outcome of the triage will result in one of the following:
- Referral to the Government Internal Audit Agency fraud investigation services (or other third party) for further triage or investigation
- CO counter fraud to conduct a further investigation
- Referral to another government department if a joint investigation is required or if a transfer is required. This could also happen via the PSFA as the government’s functional centre for counter fraud
- Referral to HR, security or other areas of CO
- No further action
Your personal data may also be shared by us with HMRC, other third party investigations services and other government departments if required to progress fraud investigations. If a fraud investigation meets the threshold of criminality, your personal data will be shared with the police through Action Fraud.
The outcome of a fraud report will be shared with the appropriate Human Resources team to take forward any consequential disciplinary procedures. Following the outcome of a fraud investigation, if upheld, the details could be shared with PSFA for inclusion in the cross-government internal fraud register or with the police via Action Fraud.
Your personal data will be shared by us with Synectics Solutions, who carry out the National Fraud Initiative data matching on behalf of the Cabinet Office. You can read more about how your personal data is processed by the NFI in their privacy notice.
As your personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide email, and document management and storage services.
5. Retention
Your personal data will be kept by us for five years if the data is connected to a suspected fraud. We anticipate holding it for up to this period following the resolution of the action for which it was collected.
If we determine the data is not connected to a suspected fraud, it will be held for a period of up to two years prior to deletion.
Personal data used for the purposes of NFI will be stored for up to 1 month to allow upload into the NFI portal before deletion.
If you did not provide your personal data
Your personal data was obtained by us from the individual reporting a concern, a witness, your employer, the National Fraud Initiative or a public body.
6. Your rights
You have the right to request information about how your personal data are processed, and to request a copy of that personal data.
You have the right to request that any inaccuracies in your personal data are rectified without delay.
You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.
You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.
You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
You have the right to object to the processing of your personal data.
7. International transfers
As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision, or reliance on a UK International Data Transfer Agreement.
8. Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
or 0303 123 1113, or icocasework@ico.org.uk. Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
9. Contact details
The data controller for your personal data is the Cabinet Office. The contact details for the data controller are:
Cabinet Office
70 Whitehall
London
SW1A 2AS
or 0207 276 1234, or Contact the Cabinet Office
The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.
The contact details for the data controller’s Data Protection Officer are: dpo@cabinetoffice.gov.uk.
Where we engage in a joint investigation with another organisation, Cabinet Office and that organisation will be acting as joint data controllers. In these scenarios Cabinet Office is the lead data controller and point of contact as above.