National Fraud Initiative: fair processing
NFI participants must tell individuals that their data will be processed. View guidance and examples of fair processing notices.
This page contains guidance and good practice examples based on the Code of Data Matching Practice 2008. Such notices will help to deter fraud as well as informing applicants about the use of data in data matching.
For data processing to be fair, data controllers should give individuals whose data will be processed:
- the identity of the data controller
- the purpose or purposes for which the data may be processed
- any further information which is necessary to enable the processing to be fair
This lets people know that their data is being used in order to prevent or detect fraud. They can then take appropriate steps if they consider the use is unjustified or unlawful in their particular case.
If certain exemptions within the Data Protection Act 1998 apply, data controllers are not required to provide fair processing information. An example is the section 34 exemption, where there is a statutory requirement to make personal information available to the public.
Participants should decide the content and means of issue of fair processing notices for themselves, but notices should:
- clearly set out an explanation that data may be disclosed for the purpose of preventing and detecting fraud
- state that the data will be provided to the Cabinet Office for this purpose
- contain details of how individuals can find out more information about the processing of their data
The Information Commissioner recommends a layered approach to fair processing notices. Usually there are 3 layers: summary notice, condensed text and the full text. Taken together, the 3 layers make up the fair processing notice. The benefit of this approach is to give the appropriate level of information to different audiences: individuals who want a short explanation can read the summary but more detailed information is available for others.