Statutory guidance

National Fraud Initiative privacy notice

Updated 28 October 2024

This notice sets out how we will use your personal data, and your rights. It is made under Article 14 of the UK General Data Protection Regulation (GDPR).

Your data

The data

We process information that you provide when making a claim or applying for:

  • pension
  • taxi driver licence
  • market trader licence - voluntary
  • personal alcohol licence - voluntary
  • social housing (current tenants and individuals on a housing waiting list)
  • Right to Buy (completed and in progress)
  • transport pass and permit
  • Council Tax Reduction Scheme
  • Council Tax Single Person Discount
  • Universal Credit
  • Housing Benefit
  • other state benefits
  • COVID-19 financial support
  • help with NHS health costs

In addition to the above we also process information in relation to:

  • payment of an invoice from an organisation that takes part in the NFI. This is referred to as trade creditor standing and payment history data.
  • payment for employment from an organisation that takes part in the NFI. This is referred to as payroll data.
  • registering to vote. This is referred to as Electoral Register data.
  • business rates.
  • A grant operated by a local authority. This is referred to as the Landlord Incentive Scheme
  • Protection of deposits paid by home renters. This is referred to as the Deposit Protection Service.
  • Properties advertised and let for short periods. This is referred to as Short term rental of housing data

Data specifications setting out exactly what data we process in the above areas can be found on the National Fraud Initiative: public sector data specifications page

Criminal convictions

Should data matching through the NFI result in a prosecution, then this may also be recorded by participating organisations. This information is for recording outcomes purposes only and the data won’t be shared further.

Special categories of personal information (Article 9 of UK GDPR & Chapter 2 Section 10 of the DPA 2018).

Included in the above are certain special categories of personal information:

Housing and other benefit and student loan data includes an indicator of physical or mental health or condition. This disability flag, which does not identify the specific condition, is required as disability has an impact upon a student’s entitlement to claim housing benefit.

We collect information on blue badge holders (and applicants). While we do not hold information on the medical condition that entitles the individual to a badge we do know who has a badge.

Purpose

The purposes for which we are processing your personal data are:

The Cabinet Office conducts data matching exercises to assist in the prevention and detection of fraud. This is one of the ways in which the Minister for the Cabinet Office takes responsibility within government for public sector efficiency and reform.

The NFI also conducts regular data sharing and analytics pilots to evaluate and improve data matching methodology. In this way the NFI can continue to help detect and prevent fraud in the most efficient and effective way possible.

Automated decision making

Your personal data will not be subject to  automated decision making or profiling as defined by Article 22 UK GDPR. 

Data Matching

Data matching involves comparing sets of data, such as the payroll or benefits records of a body, against other records held by the same or another body to see how far they match. This is done as an automated process with no decisions made as part of that process. The data is usually personal information. 

The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency that requires further investigation. All bodies participating in the Cabinet Office’s data matching exercises receive a report of matches that they should investigate, so as to detect instances of fraud, over or under payments and other errors, to take remedial action and update their records accordingly. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.This requires human intervention and decision making.

The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or the UK GDPR.

The legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller (Article 6(1)(e) UK GDPR). The National Fraud Initiative is conducted using the data matching powers bestowed on the Minister for the Cabinet Office by Part 6 of the Local Audit and Accountability Act 2014 (LAAA).

Under the LAAA legislation:

  1. The Cabinet Office may carry out data matching exercises for the purpose of assisting in the prevention and detection of fraud.
  2. The Cabinet Office may require certain bodies (as set out in the Act) to provide data for data matching exercises
  3. Bodies may participate in its data matching exercises on a voluntary basis where the Cabinet Office considers it appropriate. Where they do so, the Act states that there is no breach of confidentiality and generally removes other restrictions in providing the data to the Cabinet Office. The requirements of the data protection legislation, however, continue to apply, so data cannot be voluntarily provided if to do so would be a breach of data protection legislation. In addition, sharing of patient data on a voluntary basis is prohibited.
  4. The Cabinet Office may disclose the results of data matching exercises where this assists in the prevention and detection of fraud, including disclosure to bodies that have provided the data and to auditors that it appoints as well as in pursuance of a duty under an enactment.
  5. The Cabinet Office may disclose both data provided for data matching and the results of data matching to the Auditor General for Wales, the Comptroller and Auditor General for Northern Ireland, the Auditor General for Scotland, the Accounts Commission for Scotland and Audit Scotland, for the purposes of preventing and detecting fraud.
  6. Wrongful disclosure of data obtained for the purposes of data matching by any person is a criminal offence. A person found guilty of the offence is liable on summary conviction to a fine not exceeding level 5 on the standard scale.
  7. The Cabinet Office may charge a fee to a body participating in a data matching exercise and must set a scale of fees for bodies required to participate.
  8. The Cabinet Office must prepare and publish a ​Code of Practice​. All bodies conducting or participating in its data matching exercises, including the Cabinet Office itself, must have regard to the Code.
  9. The Cabinet Office may report publicly on its data matching activities.

Special category data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The legal basis for processing your special category personal data is:

  • processing is necessary for reasons of substantial public interest for the exercise of a function of the Crown, a Minister of the Crown, or a government department; the exercise of a function conferred on a person by an enactment (paragraph 6, schedule 1, Data Protection Act 2018)

The Cabinet Office conducts data matching exercises to assist in the prevention and detection of fraud. The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014.

Our legal basis for processing your criminal convictions data is paragraphs 6 and 10 of ​schedule 1​ to the Data Protection Act 2018

Recipients

Your personal data will be shared by us as necessary for the purposes of preventing and detecting fraud with:

  • The Auditor General for Wales
  • The Comptroller and Auditor General for Northern Ireland
  • The Auditor General for Scotland
  • The Accounts Commission for Scotland
  • Audit Scotland

And with mandatory participants who include:

  • district and county councils
  • London and metropolitan boroughs
  • unitary authorities
  • combined authorities
  • police authorities
  • fire and rescue authorities
  • pension authorities
  • NHS Trusts
  • Foundation Trusts
  • Integrated Care Boards
  • passenger transport authorities
  • passenger transport executives
  • waste authorities
  • Greater London Authority and its functional bodies

In addition, the following bodies provide data to the NFI for matching on a voluntary basis:

  • private sector pension schemes (various)
  • Metropolitan Police – Operation Amberhill
  • Special health authorities
  • housing associations and other social housing providers
  • probation authorities
  • national park authorities
  • central government pensions schemes
  • Insurance Fraud Bureau
  • central government departments
  • Social Security Scotland
  • Synectics Solutions Limited SIRA
  • LexisNexis Risk Solutions Ltd
  • AirBnB
  • Tenancy Deposit Protection Scheme
  • Credit reference agencies
  • other private organisations/companies

We will share records containing personal data with HMRC. These will be matched against HMRC records and additional HMRC information appended and fed back to the NFI. The HMRC matching will seek to identify persons at the address provided and relevant income-related information. Data matching services are then provided to the NFI by the Department for Work and Pensions, and by our IT Supplier using only UK Data Centres.

We also share NFI data with Synectics Solutions Limited SIRA and LexisNexis Risk Solutions Ltd for them to use in their anti-fraud data matching services. Where your personal data is used for these purposes, Synectics Solutions Ltd and LexisNexis Risk Solutions Ltd are the responsible data controllers. Their privacy notices are available here:

https://risk.lexisnexis.com/corporate/data-privacy

https://www.synectics-solutions.com/privacy-policy

The data that is matched and the reasons for matching it is for fraud prevention and detection:

For information summarising the various match types for each particular type of participating organisation and the purpose of the matching please refer to the document​ ​NFI match types per participating body​. We also provide the following services:

ReCheck

ReCheck is a flexible data matching service which complements the national exercise. This service allows NFI participant bodies to re-perform existing data matching, at a time that suits them, by uploading their organisation’s datasets for internal matching.

AppCheck

NFI participants can use this service at the point of application to check against NFI data to help verify people’s identity or if they have left out relevant information that might affect their entitlement to a benefit, service or employment.

FraudHub

Allows NFI participant bodies, who want to work together, to regularly and effectively screen their collective data in order to prevent errors in processing payments and to reduce fraud.

Retention

Your personal data will be kept by us for the periods set out in our Data Deletion Schedule .

Where personal data has not been obtained from you

Your personal data was obtained by us from:

Mandatory participants:

  • district and county councils
  • London and metropolitan boroughs
  • unitary authorities
  • Combined Authorities
  • police authorities
  • fire and rescue authorities
  • pension authorities
  • NHS Trusts
  • Foundation Trusts
  • Integrated Care Boards
  • passenger transport authorities
  • passenger transport executives
  • waste authorities
  • Greater London Authority and its functional bodies

Voluntary participants may include:

  • private sector pension schemes (various)
  • Metropolitan Police – Operation Amberhill
  • special health authorities
  • housing associations and other social housing providers
  • probation authorities
  • national park authorities
  • central government pensions schemes
  • Insurance Fraud Bureau
  • other central government departments
  • Social Security Scotland
  • Synectics Solutions Limited SIRA
  • LexisNexis Risk Solutions Ltd
  • AirBnB
  • Tenancy Deposit Protection Scheme
  • Credit reference agencies
  • other private organisations/companies

Your rights

You have the right to:

  • request information about how your personal data is processed, and to request a copy of that personal data
  • request that any inaccuracies in your personal data is rectified without delay
  • request that any incomplete personal data is completed, including by means of a supplementary statement
  • request that your personal data is erased if there is no longer a justification for it to be processed.
  • in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted
  • Object to the processing of your personal data

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner’s Office Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Telephone: 0303 123 1113

Email: icocasework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Contact details

The data controller for your personal data is the Cabinet Office. The contact details for the data controller is:

Email: nfiqueries@cabinetoffice.gov.uk

The contact details for the Data Protection Officer (DPO) of the data controller are:

Email: dpo@cabinetoffice.gov.uk

The Data Protection Officer provides independent advice and monitoring of Cabinet Office’s use of personal information.