Internal Audit and Counter-Fraud Privacy Notice

Who we are and what we do

The Internal Audit service, with responsibility for counter fraud, reports directly to the Section 151 Officer and provides a legally required independent function that gives the council assurance on its internal control, fraud and governance processes. This is set out under Section 151 of the Local Government Act 1972. These functions require that we hold or have access to information from systems and processes across the council and to prevent, detect, deter and investigate referrals of fraud, bribery and corruption.

Information we hold about you

The Internal Audit service may collect a wide variety of information from a range of sources, including, but not limited to:

  • Personal, such as name, date of birth, address
  • Employment, for example, National Insurance number, employer details and history, next of kin, sickness records
  • Financial details, such as bank account information, mortgage accounts, pensions, credit history
  • Health information gathered to assess eligibility for benefits
  • Information gathered during the course of an investigation or proactive exercise
  • Documentary evidence provided in order to access council services.

Why we need your information and how we use it

  • Information collated as part of a sample to undertake internal audits of council provided services and of services provided to the council
  • Information used for proactive anti-fraud exercises to identify fraud
  • To assist with the investigation of criminal, civil and disciplinary offences
  • To verify that the information you have supplied is correct and accurate
  • For service planning, delivery and improvement.

The lawful basis for the processing

The Internal Audit service has a duty to protect the public purse. The following acts and regulations provide the basis on which the section operates:

  • Section 151 of the Local Government Act 1972 requires that authorities ‘make arrangements for the proper administration of their financial affairs’
  • The Accounts and Audit Regulations 2015 require that “a relevant body must undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance. Any officer or member of that body must if the body requires:
    • a) make available such documents and records (including those in electronic form), and
    • b) supply such information and explanation.

as are considered necessary by those conducting the internal audit”

  • The Police and Criminal Evidence Act 1984
  • Criminal Procedure and Investigations Act 1996
  • Local Government Finance Act 1992
  • Council Tax Reduction Schemes (Detection of Fraud and Enforcement) (England) Regulations 2013
  • Prevention of Social Housing Fraud Act (Power to Require Information) (England) Regulations 2014
  • Regulation of Investigatory Powers Act 2000
  • Public Interest Disclosure Act 1998
  • Local Audit and Accountability Act 2014
  • Fraud Act 2006.

In accordance with the Data Protection Act 2018, we need a "lawful basis" for collecting and using information about you. There are a variety of different lawful bases for processing personal data which are set out in the Data Protection Act (DPA).

Under UK GDPR Article 6, the lawful bases on which we rely to use the information we collect about you for the purposes set out in this notice will be:

  • A6 (c) – Legal Obligation
  • A6 (e) – Public Task

We may also need to process special category information (e.g. ethnicity, health/medical data, political opinions) and, in addition to the lawful bases above, under UK GDPR Article 9, the lawful basis for this processing will be:

  • A9 (g) – Reasons of substantial public interest (with a basis in law).

The substantial public interest conditions, set out in Part 2 of Schedule 1 of the DPA 2018, upon which we rely in order to process this data are:

  • 10 – Preventing or detecting unlawful acts
  • 14 – Preventing fraud

Who your information will be shared with (if applicable)

Including but not limited to:

  • Other local authorities
  • Registered Social Landlords
  • The Cabinet Office
  • Other Government departments and agencies
  • The police
  • Employers
  • NHS
  • Judicial agencies, e.g. Courts
  • Where information is requested under relevant legislation.

How long we will keep your information

Information obtained in the course of our work will be held in accordance with the retention periods detailed in the corporate retention schedule.

Our Data Protection Officer

Our Data Protection Officer can be contacted at dpo@waverley.gov.uk.

Protecting your information

Please see the relevant section of our general privacy notice

Your information choice and rights

Please see the relevant section of our general privacy notice

Complaints and contact details

Please see the relevant section of our general privacy notice

Information Commissioner’s Office

If we’re unable to resolve your complaint to your satisfaction, you can make a complaint to the Information Commissioner’s Office (ICO).