Guidance

Internal Fraud Register privacy notice

Updated 1 October 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/internal-fraud-register-privacy-notice/internal-fraud-register-privacy-notice

This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the General Data Protection Regulation (GDPR).

Your data

Purposes

The Internal Fraud Hub is owned by the Public Sector Fraud Authority (PSFA), which sits jointly between HMT and the Cabinet Office, and processes the details of employees of participating organisations who have been dismissed for committing acts of internal fraud or dishonesty, or who would have been dismissed had they not resigned.

Employees of participating organisations may consist of civil servants, public servants, and contingent labour engaged by these organisations.

The Cabinet Office receives the details of the individual who has been dismissed for internal fraud (or where a finding has been made that the individual would have been dismissed for internal fraud had they not resigned) from the Civil Service or participating Public Sector organisations. The individual is then added to the Internal Fraud Hub database and banned for 5 years from further employment within the Civil Service and participating Public Sector organisations, or being re-engaged as contingent labour for government departments for a period of 5 years from the date of dismissal.

We process the data received from Government recruitment services (GRS) and SpoC’s (Single Point of Contact) in participating government organisations who carry out their own pre-employment checks using the data on the Internal Fraud Hub to detect instances where known fraudsters are attempting to reapply for roles in the Civil Service or Public Sector. In this way, the government’s policy to ensure a zero tolerance approach towards internal fraud when it is found within government is upheld and the repetition of internal fraud is prevented.

The Cabinet Office may also use Internal Fraud Hub data for research, and to run data sharing and analytics pilots, to assure and develop the policy. The Cabinet Office may also share data with relevant law enforcement and internal intelligence agencies and bodies as appropriate to assist investigations (for example the PSFA intelligence team).

The Data

We process the following personal data:

  • name
  • date of birth [DoB]
  • National Insurance Number [NINO]
  • reason for dismissal (type of fraud)
  • date of dismissal (or resignation where appropriate)
  • whether data subject resigned prior to dismissal (Y/N)

Lawful basis

The legal basis for processing this personal data is because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, such as the exercise of a function of the Crown, a Minister of the Crown, or a government department. In this case, the task is operating a cross-Civil Service and Public Sector register to protect public bodies from fraud.

Where the data we are processing reveals potential criminal activity, we may share data with relevant law enforcement and/or the appropriate bodies to assist such investigations. Where this is the case, our lawful basis for processing will be that there is a legitimate interest to do so. This relates to the legitimate interests of the law enforcement bodies who may require the data to assist in the detection and investigation of criminal offences.

Recipients

The personal data will be shared by us with participating government departments and arms length bodies. Data will also be shared with our data processors who provide data storage and management services under strict controls.

Retention

The personal data will be kept for 5 years.

Where you did not provide your data

The personal data is obtained by us from the participating government departments.

Your rights

You have the right to request information about how your personal data is processed, and to request a copy of that personal data.

You have the right to request that any inaccuracies in your personal data are rectified without delay.

You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.

You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.

You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.

You have the right to object to the processing of your personal data.

International Transfers

As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision, reliance on Standard Contractual Clauses or a UK International Data Transfer Agreement.

Appeals

You have the right to appeal.

If you wish to appeal the outcome of the disciplinary process including the decision to dismiss, you must contact the organisation who carried out the HR process. You also have the right to bring an unfair dismissal claim at an Employment Tribunal.     

If you wish to appeal based on being refused employment by virtue of being included on the IFH - this will be handled by the Cabinet Office. If the appeal relates to the original decision of dismissal it will be led by the organisation that carried out the HR process, but if factual, admin error or other, then the Cabinet Office will respond.

If the appeal leads to the findings of unfair dismissal or found that an error has been made, your details will be removed from the IFH.

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

Email: icocasework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Contact details

The data controllers for your personal data are the Cabinet Office and participating organisations, who are joint controllers. The contact details for the lead data controller is:

Head of the Internal Fraud Register
Cabinet Office
1 Horse Guards Road
London
SW1A 2HQ

The contact details for the lead data controller’s Data Protection Officer (DPO) at the Cabinet Office are:

Email: dpo@cabinetoffice.gov.uk

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.

Back to top