0 Shortlist Search
Enter your keyword, course, subject or interest
EC Default Banner

National Fraud Initiative Privacy Notice

Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk.

Why are we collecting it, and what are we doing with it (Purpose)?

Sharing Data with Audit Scotland: National Fraud Initiative

This College is required by law to protect the public funds it administers. It may share information it receives with other bodies responsible for auditing or administering public funds to prevent and detect fraud.

On behalf of the Auditor General for Scotland, Audit Scotland appoints the auditor to audit the accounts of the College. It is also responsible for conducting data-matching exercises under the National Fraud Initiative.

Data matching involves comparing computer records held by one body against those of the same or another body to determine how closely they match. This will include personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Still, the inclusion of personal data in a data-matching exercise does not mean that any specific individual is under suspicion. Where a match is found, it indicates a potential inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out. The exercise can also help ensure that the bodies' records are up to date.

Audit Scotland currently requires Edinburgh College to participate in a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to Audit Scotland for matching. The exact nature of the data supplied is set out in Audit Scotland’s instructions.

Audit Scotland's use of data in a data-matching exercise is carried out under its statutory authority, typically under its powers in Part 2A of the Public Finance and Accountability (Scotland) Act 2000. It does not require the consent of the individuals concerned under the Data Protection Act 2018. Data matching by Audit Scotland is subject to a Code of Practice.

For further information on Audit Scotland’s legal powers and the reasons why it matches particular information, explore the full text privacy notice.

The lawful basis for the processing

Our legal reason for processing the data is that use is necessary for the performance of a task in the public interest. Article 6, (1), (e)

Special category (sensitive) data: Processing is necessary for reasons of substantial public interest and is authorised by domestic law proportionate to the aim pursued. The legal basis for processing your special category and criminal convictions data is Article 9 (2) (g), substantial public interest, and sections 6, 10, 11, and 12 of Schedule 1 to the Data Protection Act 2018.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights; some of these rights only apply if certain conditions are met. Your rights are: right to be informed (e.g. privacy notice), right of access, right of rectification, right of erasure (commonly known as the right to be forgotten), right to restrict processing, right to object, right to data portability and the right to know of any automated decision making (including profiling). It’s worth noting that you can exercise your rights either verbally or in writing, and the College would be required to process your request within one month.

The rights that apply to this particular processing are:

  • Right to be Informed – i.e. a privacy notice.
  • Right of Access – this means you have the right to access your personal information.
  • Right to Rectification – this means you have the right to correct inaccurate or incomplete personal information.
  • Right to Erasure – commonly known as the Right to be Forgotten (RTBF) – this means you can request that your personal data be deleted.
  • Right to Data Portability – this means you have the right to request your information in a machine-readable format (e.g. a .csv file) to be provided to you or transferred in that format to another organisation.
  • Right to Restriction – this means you can restrict the processing of your information and links with some of the other rights.
  • Right to Object – this means you can object to how your data is used.
  • Right to be informed of automated individual decision-making (including profiling) – we do not use this for OH purposes, and therefore this does not apply.

Some of the rights above have caveats and only apply in certain circumstances. You can exercise your rights at any time, and the College would be required to answer within a month upon receipt of your request. If you wish to exercise your rights or have any queries in relation to this, please contact the Data Protection Team at DataProtection@edinburghcollege.ac.uk.

Complaints to the UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance, please contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk. If you are not satisfied with the outcome, then you can complain to the regulator of data protection, the UK Information Commissioner’s Office (ICO). The ICO guides on the ICO website.

You can email them at casework@ico.org.uk, call them on 0303-123-113, or you can send a letter to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF