Guidance

106/24 Action required: GDPR and the responsibilities of ESF beneficiaries in the prevention and detection of fraud in ESF projects

Updated 5 December 2024

Date Issued:  1 December 2024
Review Date: 1 December 2033                                          

1. Who should read

All ESF National and Local Co Financing Organisations (CFOs), Intermediate Bodies (IBs), Beneficiary Organisations, European Social Fund (ESF) Division and Greater London Authority.

2. Purpose

This Action Note provides an update to information provided in Action Note 018/18 and 20/18 and an update to the guidance set out in the Responsibilities of ESF beneficiaries in the prevention and detection of fraud in ESF projects (v1.0) (published on the GOV.UK website).

It includes details on the action to take with regards to data Right of Access Requests (RARs) (formerly known as Subject Access Requests or SARs) and personal data security breaches and the action to take on suspected fraud

3. Background

This is to remind all ESF Beneficiaries of their responsibilities in the event that their organisation experiences a data protection breach, receives an allegation of fraud, or has any suspicion of fraud within their ESF Project

4. Action

• all ESF Beneficiaries should refer to the latest Personal data breaches: a guide (published on the Information Commissioner’s Office website) to understand what constitutes a data breach

• a personal data breach is defined as a security incident that compromises the confidentiality, integrity, or availability of personal data. This includes incidents leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Breaches can result from both accidental and deliberate actions and are not limited to the mere loss of personal data. A personal data breach encompasses any instance where personal data is lost, improperly altered, corrupted, destroyed, or disclosed

Example

Personal data breaches can include:

• access by an unauthorised third party (such as theft)
• deliberate or accidental action (or inaction) by a controller or processor (such as fire, flood, destruction of premises)
• sending personal data to an incorrect recipient
• computing devices containing personal data being lost or stolen
• alteration of personal data without permission
• loss of availability of personal data

This list is not exhaustive.

There will be a personal data breach whenever any personal data is accidentally lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.

If your organisation suffers a Data Protection Breach, then under GDPR Article 33(2) you must inform the ESF Managing Authority (MA) without undue delay as soon as you become aware of the breach. ESF MA is the data controller of ESF personal data. CFOs, IBs, Grant Recipients and projects are the data processers.

You must send your data breach notification to the following email address: esf.2014-2020@dwp.gov.uk

Pursuant to Article 325 of the Treaty on the Functioning of the European Union, any instances of suspected fraud detected by the ESF beneficiary relating to ESF and match activity should be notified to the MA immediately.

You must send all fraud allegations to the following email address: esf.2014-2020@dwp.gov.uk

5. Contact

For any queries on this Action Note, please contact: esf.2014-2020@dwp.gov.uk