Guidance

Privacy Notice for The Public Sector Fraud Authority Intelligence Hub

Published 12 September 2025

© Crown copyright 2025

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/privacy-notice-for-the-public-sector-fraud-authority-intelligence-hub/privacy-notice-for-the-public-sector-fraud-authority-intelligence-hub

This notice sets out how we will use your personal data, and your rights. It is made under Article 14 of the General Data Protection Regulation (GDPR).

1. Your Data

1.1 Purpose

The Public Sector Fraud Authority (PSFA)  Intelligence Hub will serve as a central repository for Intelligence on fraud against the public sector, supporting departments and public bodies lacking dedicated intelligence capability. 

The processing of personal and non-public information by the PSFA Intelligence Unit relates to a variety of individuals, known associates and organisations, depending on the source and nature of the information. Reports on public sector fraud are received from both the public and other Government Departments and may concern individuals, known associates or organisations suspected of involvement in public sector fraud. In this case a known associate would be someone closely associated with the primary individual or organisation the PSFA has received an allegation against. 

Personal data will be developed  into intelligence in line with the National Intelligence Model (NIM). Development of intelligence reporting to assist in improving the quality and relevance of the initial information received to prove or disprove the report.

This enables a clearer understanding of specific instances of fraud and analysing the public sector fraud landscape, closing intelligence gaps, and informing operational and strategic decision-making. 

This aligns directly with the PSFA’s mandate and statutory functions, while also meeting the expectations set out in the Economic Crime Plan 2023-2026 to enhance the government’s response to public sector fraud through intelligence gathering, analysis, investigation, and prosecution.

For public sector organisations, these measures safeguard public funds by reducing losses and ensuring that resources are used for their intended purpose, delivering direct benefits to individuals and communities. 

They also strengthen organisational capability through collaboration with enforcement bodies and other partners, enhancing the collective response to fraud. The collection and analysis of data generates valuable intelligence on emerging threats and fraud methods, guiding the development of effective countermeasures and informing government strategy. 

Intelligence will be accessible to relevant competent authorities - including PSFA enforcement team, other Government Departments, Arms Length Bodies, Local Authorities and wider Law Enforcement strengthening the collective response to public sector fraud. 

1.2 The data

As part of a fraud allegation review and intelligence activities the PSFA will process the following data items

  • Nature of offence 
  • Full name, 
  • Postal address, 
  • Telephone number, 
  • Date of Birth, 
  • Company names 
  • Email addresses, 
  • Bank Account information 
  • Asset data
  • Contract information
  • Data hosted on publicly accessible social media by way of embedded images. Due to the nature of the image it could include information from posts or social media handles.  
  • Data from open source news sites/blogs/web pages 
  • Company directorships
  • Director disqualifications
  • Previous prosecutions
  • Allegations of a criminal offence
  • Criminal conviction data
  • National Insurance Number

There may also be additional information may be provided that falls within special category data:

  • Racial or ethnic origin
  • Health (including disability and dietary requirements)
  • Data concerning sex life or sexual orientation

The legal basis for processing your personal data is it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 

The legal basis for processing your sensitive personal data is:

The processing is necessary for reasons of substantial public interest

Schedule 1 condition relied upon for processing special category data and offence data is paragraph 6   Statutory etc and government purposes:

Schedule 1 condition relied upon for processing your  special category data and offence data for intelligence purposes is paragraph 10  that processing is necessary for the performance of a task carried out for preventing or detecting unlawful acts  by a competent authority. 

The Cabinet Office is a Competent Authority as defined in Section 1 of Schedule 7 of the DPA 2018

1.4 Recipients

Dissemination of Intelligence reports to competent authorities (such as Police, National Crime Agency - NCA, HMRC or other public bodies - as defined in Schedule 7 of the Data Protection Act 2018) is undertaken under the National Intelligence Model (NIM) protocols

As your personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide case management services, and document management and storage services. Your personal data will also be shared with the data processor contracted to provide email and file exchange services.

Specified Government Departments will have the ability to request limited searches of the Case Management System in relation to Intelligence received and ongoing investigations. No information will be released without a formal request.

1.5 Retention

Data connected to a suspected fraud: Where information is assessed as being relevant to suspected or confirmed fraud, it will be retained in an identifiable format for up to five years following the resolution of the action for which it was received or until the conclusion of any related investigation, whichever is later.

Data not connected to suspected fraud: Where information is reviewed and determined not to be connected to suspected fraud, it will be retained for a maximum of 30 days prior to deletion.

These retention periods apply to core intelligence data. Other categories of data (e.g., administrative records, system logs) may be subject to different retention rules in accordance with Cabinet Office  policies. 

1.6 Where personal data have not been obtained from you

PSFA Intelligence Unit may obtain personal data from third parties to support intelligence development and enrichment. These third-party sources include, but are not limited to:

Government Departments and other public sector organisations, including arm’s length bodies, provide information on individuals or organisations as part of allegation reporting, investigations, or operational intelligence sharing. 

Local Authorities, where relevant to allegations or intelligence relating to public sector fraud or wider criminality. 

Counter Fraud Reporting Site (CFRS): Information may also be obtained from members of the public, including reports submitted via the CFRS webpage.

Limited, one off open source checks may be conducted using publicly accessible sources including general internet, social media and other publicly available and relevant website searches, where relevant information may be identified.

2. Your Rights

You have the right to request information about how your personal data are processed, and to request a copy of that personal data.

You have the right to request that any inaccuracies in your personal data are rectified without delay.

You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.

You may have the right to request that your personal data are erased if there is no longer a justification for them to be processed.

You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.

You have the right to object to the processing of your personal data.

3. International Transfers

As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through an adequacy decision or the use of Standard Contractual Clauses or a UK International Data Transfer Agreement.

As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the UK. Where that is the case it will be subject to equivalent legal protection through the use of the UK Adequacy decision. 

4. Contact Details

The data controller for your personal data is the Cabinet Office. The contact details for the data controller are: Cabinet Office, 70 Whitehall, London, SW1A 2AS, or 0207 276 1234, or Contact the Cabinet Office.

The contact details for the data controller’s Data Protection Officer are: dpo@cabinetoffice.gov.uk.

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.

5. Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

or 0303 123 1113, or icocasework@ico.org.uk. Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Back to top