Internal Audit (Central Midlands Audit Partnership) - privacy notice

Who we are?

The Central Midlands Audit Partnership is an Internal Audit partnership which consists of 6 partner organisations – Derby City Council, South Derbyshire District Council, Amber Valley Borough Council, Derby Homes, Derbyshire Fire & Rescue Service and Ashfield District Council. The Partnership is “hosted” by Derby City Council. Our address is The Council House, Corporation Street, Derby, DE1 2FS.

What types of information do we collect from you?

The team will have access to information held by service areas in order to be able to undertake their work; this may include the following types of data:

• personal, for example name, date of birth, address, sex and marital status
• employment information, for example national insurance number, details of employer, salary details, employment dates, next of kin, sickness records
• financial details, for example bank and/or building society account information including transactions & balances, mortgage accounts, insurance policies, pension information, credit history
• health information gathered to assess eligibility for benefits
• financial information regarding appraisal of financial standing of potential contractors
• written statements and recordings of interviews conducted
• other information gathered during the course of an investigation or proactive exercise.

How do we collect this information?

Information is collected in a number of ways. This includes:

• during the course of internal audit and governance reviews of council- provided services and of services provided to the council.
• in conducting an investigation, the investigator will pursue all reasonable lines of inquiry, whether these point towards or away from the suspect so each case will depend on the particular circumstances. Personal information is gathered from numerous sources such as council records, external organisations, third parties, witnesses and the suspect themselves.

How is your information used?

CMAP provides an independent function whose primary objective is to provide assurance to the partner organisations on their risk management, control, fraud and governance processes. The requirement for internal audit function is set out in legislation; Section 151 of the Local Government Act 1972. The requirement for an annual governance statement is defined in the Accounts and Audit Regulations 2015.

The team comprises two main functions:

• internal audit (including IT Audit)
• governance and fraud investigation.

These functions require us to hold or have access to information from systems and processes across the council so that we can undertake our work and in doing so:

• fulfil legal requirements to provide an internal audit function
• investigate referrals made under the corporate whistle blowing policy
• ensure the effectiveness of governance processes
• facilitate the prevention, deterrence and detection of fraud committed against the partner organisations
• investigate potential irregularities.

Where required we may publish and/or shared with key stakeholders (partners) information collected in the course of the audit work/investigation.

COVID-19/Coronavirus

Coronavirus has been added as a notifiable disease under the Health Protection (Notification) Regulations 2010. Under the Public Health (Control of Disease) Act 1984 and associated Regulations; the Council has a legal duty to store, process and share personal information. The information will be stored, processed and shared as part of investigations into COVID-19 cases and outbreaks and issues of non-compliance with the acts and associated regulations. The information will also be used; interrogated and mapped to inform the Councils actions and decision-making processes. Any such storage, processing or sharing of information will be done in the public interest in order to promote health and wellbeing.

During the investigation of cases and/or outbreaks of Coronavirus, information which is gathered may be shared between departments within Derby City Council; with other Councils associated with an outbreak; other health services or with other government bodies associated with the control of the Coronavirus. The Council has a duty to notify national Government bodies, such as the UK Health Security Agency and the relevant local authority where an individual resides (if different), where there are suspected Coronavirus cases. The Council will disclose the information under Article 9(2)(j) of the UK GDPR (processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health), and confidential information may be lawfully disclosed in the public interest, without consent, where the benefits to an individual or to society outweigh both the individual’s and the public interest in maintaining the confidentiality of such data.

The Council may contact staff, service users, residents, patients, businesses and premises with messages relating to Coronavirus by text, phone, letter or email. This contact is not direct marketing; therefore we do not need your Consent before contacting you. There is more information available on the Information Commissioners Office's website.

We may use contact details held in Council systems to ensure that we are able to contact you, and to ensure that we are working from accurate and up to date information. Such information will be accessed and processed where it is necessary to comply with our legal obligations and public tasks arising from the Coronavirus Act 2020, the Health Protection (Notification) Regulations 2010 and the Public Health (Control of Disease) Act 1984, the Care Act 2014 and associated Regulations.

On what grounds do we use the information?

CMAP has a duty to protect the public purse. The following acts and regulations provide the basis on which the officers of the team operate:

• Section 151 of the Local Government Act 1972 requires that authorities ‘make arrangements for the proper administration of their financial affairs’
• The Accounts and Audit Regulations 2015 require that ”a relevant body must undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance. Any officer or member of that body must, if the body requires:
  
  a) make available such documents and records (including those in electronic form); and
  b) supply such information and explanation.
  
  as are considered necessary by those conducting the internal audit"
• The Police and Criminal Evidence Act 1984
• Criminal Procedure and Investigations Act 1996
• Local Government Finance Act 1992.

Who has access to your information?

We may share elements of information with other internal services within partner organisations to enable the establishment of the effectiveness or otherwise of corporate systems and processes.

During the course of an investigation data may be shared with other departments within partner organisations such as human resources; with government departments and organisations such as the Cabinet Office (National Fraud Initiative), the police, HM Revenues and Customs, the department for work and pensions, the National Health Service, and the border agency etc.

Information may be shared with legal practitioners, tribunals and courts where criminal or civil action is taken against an individual.

We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes.

What are your rights?

• Access – you can request copies of any of your personal information that is held by the Council.
• Rectification – you can ask us to correct any incorrect information.
• Deletion – you can ask us to delete your personal information. The Council can refuse to delete information if we have a lawful reason to keep this.
• Portability – you can ask us to transfer your personal data to different services or to you.
• Right to object or restrict processing – you have the right to object to how your data is being used and how it is going to be used in the future.
• Right to prevent automatic decisions – you have the right to challenge a decision that affects you that has been made automatically without human intervention, for example an online form with an instant decision.

How long will we keep your information for?

CMAP has retention schedules in place that ensure information is only held for as long as it is needed.

The partners’ IT security and confidentiality policies ensure that your information is protected, and available only to staff directly involved in your care. Details of how we keep your information secure are available on the general privacy information page.

Where can I find out more?

If you want to know more about how CMAP uses information, your rights or have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance.

You can contact our Data Protection Officer on 01332 640763 or by email at data.protection@derby.gov.uk.

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO):

• By post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
• By phone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Alternatively, visit ico.org.uk or email casework@ico.org.uk.

IP addresses

Internet Protocol (IP) addresses are collected when our site is used:

• for statistical or analytical purposes
• to identify any malicious activity.