National Fraud Initiative - Privacy Notice

This privacy notice describes how Creative Scotland collects and processes personal data -meaning any information relating to an identifiable person (“Personal data”) that is processed under our legal obligations regarding the National Fraud Initiative (NFI).

About the NFI

Public bodies spend billions of pounds of taxpayers’ money for the benefit of the British population. Public spending systems are complex and mistakes can happen. Some people also seek to exploit the systems and fraudulently obtain services and benefits to which they are not entitled. Fraud does not recognise organisational or geographic boundaries. Sharing data allows organisations to match data held in different systems in their own organisation and held in other organisations.

The National Fraud Initiative (NFI) exercises significantly contribute to the security and transparency of public sector finances. Public bodies’ participation in the NFI helps confirm that services are provided to the correct people and helps reduce fraud and error.

Audit Scotland, working closely with public bodies, auditors and the Cabinet Office, commences NFI data sharing and matching exercises every 2 years. The NFI is run in collaboration with The Auditor General for Scotland, the Accounts Commission and Audit Scotland who work together to deliver public audit in Scotland:

  • The Auditor General for Scotland is an independent Crown appointment, made on the recommendation of the Scottish Parliament, to audit the Scottish Government, NHS and other bodies and report to Parliament on their financial health and performance.
  • The Accounts Commission is an independent public body appointed by Scottish ministers to hold local government to account. The Controller of Audit is an independent post established by statute, with powers to report directly to the Commission on the audit of local government.
  • Audit Scotland is governed by a board, consisting of the Auditor General, the chair of the Accounts Commission, a non-executive board chair, and two non-executive members appointed by the Scottish Commission for Public Audit, a commission of the Scottish Parliament.

This notice applies to Personal data we process as follows, which is subsequently shared with the NFI every 2 years:

  • Payments made in relation to our suppliers (trade creditors).

We collect and process your personal data as above for the purposes of ensuring payment of invoices and other costs and these processes are identified within our published corporate privacy notices. This notice is to specifically outline how we then subsequently process some of that data under the NFI.

Further information on the NFI can be found at:

When we collect data

Supplier data is collected from purchase orders, invoices and correspondence, and is sourced from information provided by the supplier.

Supplier data is updated by Creative Scotland based on information or requests received from the suppliers.

Types of personal data submitted:

  • Supplier reference numbers
  • Supplier Name
  • Address
  • Telephone numbers
  • Email addresses
  • Bank details (including sort code, account number, building society roll number)
  • Invoice numbers
  • Invoice dates
  • Payment dates
  • Amount paid
  • Method of payments

Why we submit data

We are obliged to provide information to Audit Scotland under section 26D of the Public Finances and Accountability (Scotland) Act 2000 (as amended). The Act provides Creative Scotland with a lawful basis of processing but does not affect the requirement for us to comply with data protection laws. Therefore, we will only disclose personal data in accordance with data protection laws –in this case only if it is to assist in the prevention and detection of fraud or another permitted purpose, to investigate and prosecute an offence, for the purpose of disclosure to an auditor or otherwise as required by statute.

We do not require data subjects to consent.

We will be regarded as the data controller and Audit Scotland will be a data processor.

All data is password protected and uploaded via a secure encrypted website.

Who can access the data

The information contained within the NFI system is covered by the Data Protection Act 2018, the Code of Data Matching Practice and HM Government Security Policy. Only authorised users are permitted to access the system and users must ensure that they use the system appropriately and in accordance with the guidance supplied to them. Any information accessed, downloaded or printed from the system must be handled in line with the Data Protection Act 2018 and the Cabinet Office Security Policy Framework (SPF). Users and authorities must ensure that any information exported from the system is handled in line with HMG requirements for handling Personal and Protectively Marked information.

Creative Scotland ensures all access to Personal data within our systems is restricted to the appropriate people where relevant to their job (Finance and HR). Our external auditors, Audit Scotland, are granted read only access to the system.

How we process the data

Data sets are prepared using our payroll and HR systems, and uploaded to the NFI via the secure portal.

Any data matches are reviewed initially by the Finance Manager, and may be referred to other colleagues (such as HR, directors), as appropriate.

Who we share data with

Requested data as outlined within this notice is shared via the secure portal for the specific purposes of the NFI matching exercise. It is shared internally within Creative Scotland to only approved individuals. The results of data matching are subsequently shared with other participating organisations for investigation via the NFI exercise and some additional data exchanges may take place during investigations for mis-matches with those organisations and Creative Scotland.

Creative Scotland will never disclose any of the data or matching results with any other organisation not participating within the NFI or who have been identified as part of the matching process.

How long data is kept for

We aim to retain Personal data only for as long as we need it for the purpose it was provided.

We aim to retain the data related to the NFI exercise for2 years until the next exercise is complete.

The NFI remove all data from their portal & destroy after 3 months on the closure of the exercise.

Transfer of data out with the European Economic Area (EEA)

We will not share with any third party that is not within a member state of the EEA.

Your rights

Individuals to whom data relates are called “data subjects” and have rights that include:

  • to request from us a copy of any Personal data we hold about you;
  • to fix Personal data that is not accurate; and
  • to remove Personal data in certain circumstances, where this this does not breach any legal, regulatory, safety, security or core operational requirement.


Queries on the NFI process-

Information on Creative Scotland’s privacy policy and how to make a complaint-