Internal Fraud Register privacy notice
Updated 11 December 2023
© Crown copyright 2023
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/internal-fraud-register-privacy-notice/internal-fraud-register-privacy-notice
This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the General Data Protection Regulation (GDPR).
Your data
Purposes
The Internal Fraud Hub is owned by the Public Sector Fraud Authority (PSFA), which sits jointly between HMT and the Cabinet Office, and processes details of civil servants who have been dismissed for committing internal fraud, or who would have been dismissed had they not resigned.
The Cabinet Office receives the details from participating government organisations of civil servants who have been dismissed, or who would have been dismissed had they not resigned, for internal fraud. In instances such as this, civil servants are then banned for 5 years from further employment in the civil service, within participating organisations.
We process the data received from Government recruitment services (GRS) and SpoC’s (Single Point of Contact) in participating government organisations who carry out their own pre-employment checks using the data on the Internal Fraud Hub to detect instances where known fraudsters are attempting to reapply for roles in the civil service. In this way, government’s policy to ensure a zero tolerance approach towards internal fraud when it is found within government is upheld and the repetition of internal fraud is prevented.
The Cabinet Office may also use Internal Fraud Hub data for research, and to run data sharing and analytics pilots, to assure and develop the policy. The Cabinet Office may also share data with relevant law enforcement and internal intelligence agencies and bodies as appropriate to assist investigations (for example the PSFA intelligence team).
The Data
We process the following personal data:
- name
- date of birth [DoB]
- National Insurance Number [NINO]
- reason for dismissal (type of fraud)
- date of dismissal (or resignation where appropriate)
- whether data subject resigned prior to dismissal (Y/N)
Lawful basis
The legal basis for processing this personal data is because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, such as the exercise of a function of the Crown, a Minister of the Crown, or a government department. In this case, the task is operating a cross-Civil Service register to protect public bodies from fraud.
Where the data we are processing reveals potential criminal activity, we may share data with relevant law enforcement and/or the appropriate bodies to assist such investigations. Where this is the case, our lawful basis for processing will be that there is a legitimate interest to do so. This relates to the legitimate interests of the law enforcement bodies who may require the data to assist in the detection and investigation of criminal offences.
Recipients
The personal data will be shared by us with participating government departments and arms length bodies. Data will also be shared with our data processors who provide data storage and management services under strict controls.
Retention
The personal data will be kept for 5 years.
Where you did not provide your data
The personal data are obtained by us from the participating government departments and Arms Length Bodies.
Your rights
You have the right to request information about how your personal data are processed, and to request a copy of that personal data.
You have the right to request that any inaccuracies in your personal data are rectified without delay.
You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.
You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.
You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
You have the right to object to the processing of your personal data.
International Transfers
As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision, reliance on Standard Contractual Clauses or a UK International Data Transfer Agreement.
Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Email: icocasework@ico.org.uk
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
Contact details
The data controllers for your personal data are the Cabinet Office and participating organisations, who are joint controllers. The contact details for the lead data controller is:
Head of the Internal Fraud Register
Cabinet Office
1 Horse Guards Road
London
SW1A 2HQ
The contact details for the lead data controller’s Data Protection Officer (DPO) at the Cabinet Office are:
Email: dpo@cabinetoffice.gov.uk
The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.