This privacy notice describes how Creative Scotland collects and processes personal data -meaning any information relating to an identifiable person (“Personal data”) that is processed under our legal obligations regarding the National Fraud Initiative (NFI).
Public bodies spend billions of pounds of taxpayers’ money for the benefit of the British population. Public spending systems are complex and mistakes can happen. Some people also seek to exploit the systems and fraudulently obtain services and benefits to which they are not entitled. Fraud does not recognise organisational or geographic boundaries. Sharing data allows organisations to match data held in different systems in their own organisation and held in other organisations.
The National Fraud Initiative (NFI) exercises significantly contribute to the security and transparency of public sector finances. Public bodies’ participation in the NFI helps confirm that services are provided to the correct people and helps reduce fraud and error.
Audit Scotland, working closely with public bodies, auditors and the Cabinet Office, commences NFI data sharing and matching exercises every 2 years. The NFI is run in collaboration with The Auditor General for Scotland, the Accounts Commission and Audit Scotland who work together to deliver public audit in Scotland:
This notice applies to Personal data we process as follows, which is subsequently shared with the NFI every 2 years:
We collect and process your personal data as above for the purposes of ensuring payment of invoices and other costs and these processes are identified within our published corporate privacy notices. This notice is to specifically outline how we then subsequently process some of that data under the NFI.
Further information on the NFI can be found on Audit Scotland's website.
Supplier data is collected from purchase orders, invoices and correspondence, and is sourced from information provided by the supplier.
Supplier data is updated by Creative Scotland based on information or requests received from the suppliers.
Types of personal data submitted:
We are obliged to provide information to Audit Scotland under section 26D of the Public Finances and Accountability (Scotland) Act 2000 (as amended). The Act provides Creative Scotland with a lawful basis of processing but does not affect the requirement for us to comply with data protection laws. Therefore, we will only disclose personal data in accordance with data protection laws –in this case only if it is to assist in the prevention and detection of fraud or another permitted purpose, to investigate and prosecute an offence, for the purpose of disclosure to an auditor or otherwise as required by statute.
We do not require data subjects to consent.
We will be regarded as the data controller and Audit Scotland will be a data processor.
All data is password protected and uploaded via a secure encrypted website.
The information contained within the NFI system is covered by the Data Protection Act 2018, the Code of Data Matching Practice and HM Government Security Policy. Only authorised users are permitted to access the system and users must ensure that they use the system appropriately and in accordance with the guidance supplied to them. Any information accessed, downloaded or printed from the system must be handled in line with the Data Protection Act 2018 and the Cabinet Office Security Policy Framework (SPF). Users and authorities must ensure that any information exported from the system is handled in line with HMG requirements for handling Personal and Protectively Marked information.
Creative Scotland ensures all access to Personal data within our systems is restricted to the appropriate people where relevant to their job (Finance and HR). Our external auditors, Audit Scotland, are granted read only access to the system.
Data sets are prepared using our payroll and HR systems, and uploaded to the NFI via the secure portal.
Any data matches are reviewed initially by the Finance Manager, and may be referred to other colleagues (such as HR, directors), as appropriate.
Requested data as outlined within this notice is shared via the secure portal for the specific purposes of the NFI matching exercise. It is shared internally within Creative Scotland to only approved individuals. The results of data matching are subsequently shared with other participating organisations for investigation via the NFI exercise and some additional data exchanges may take place during investigations for mis-matches with those organisations and Creative Scotland.
Creative Scotland will never disclose any of the data or matching results with any other organisation not participating within the NFI or who have been identified as part of the matching process.
We aim to retain Personal data only for as long as we need it for the purpose it was provided.
We aim to retain the data related to the NFI exercise for 2 years until the next exercise is complete.
The NFI remove all data from their portal & destroy after 3 months on the closure of the exercise.
We will not share with any third party that is not within a member state of the EEA.
Individuals to whom data relates are called “data subjects” and have rights that include:
Queries on the NFI process - stephen.vallely@creativescotland.com
Information on Creative Scotland’s privacy policy and how to make a complaint- https://www.creativescotland.com/privacy-policy