Counter Fraud Services Privacy Notice

Personal data includes information about you, which can be used to identify you as an individual. Examples include:

• Your name
• Your date of birth
• Your contact details
• Your image.

Special category data is the most sensitive type of personal data and includes:

• Information about your health or any social care services that you may use
• Information that could identify your racial or ethnic origins
• Information that could identify your political beliefs
• Information that could identify your religious or philosophical beliefs
• Information that could identify your trade union membership
• Genetic data
• Biometric data (where used to identify you, e.g. use of fingerprints to access online services)
• Information about your sex life, or sexual orientation.

The personal and special category data that is collected by Counter Fraud Services includes:

• Date of birth/age
• Gender
• Marital status
• Children
• Place of birth
• Contact details and preferred contact method
• National Insurance Number and other identifiers
• Job/profession and other information about employment history and current employment
• Professional qualifications
• Photographs, audio and video records
• Income and other financial information
• Services or products provided to individuals and information about the services or products
• Devices and technology used
• Blue Badge, Passport and information contained in other documents
• Information from the Electoral Register
• Social relationships and emergency contacts
• Personal and social history
• Racial or ethnic origin
• Trade union membership
• Health including disabilities.

We also collect information concerning criminal convictions and offences.

As well as information that you provide to us, we also collect information from:

• Other members of the public
• Police
• Other enforcers or regulators, including HMRC, DWP
• Other businesses or employers
• Judicial agencies – courts, bailiffs, lawyers and the Crown Prosecution Service
• Government Departments
• Other local authorities
• Voluntary organisations and charities
• Witnesses, including expert witnesses.

Information is used to receive and investigate referrals of fraud and other criminal offences and to research, analyse and report intelligence requirements.

We respond to referrals/allegations from members of staff, service users, members of the public, other Local Authorities, third party agencies and contractors to prevent and detect fraud and other criminal offences, and to ensure service delivery, planning and improvement.

We may also use information in other ways compatible with the above purposes to enable us to deliver our service for the residents of Suffolk.

Personal data

Under data protection law, the Counter Fraud Service can only process your personal data if it is lawful to do so. Please see the details below of the lawful bases that we rely on for processing different types of personal data.

For processing personal data, we rely on the following lawful basis:

• UK GDPR Article 6(1)(e) – where processing is necessary for us to perform a task which is in the public interest (public task), with a basis in law.

Special category data

When we process special category data we rely on the following additional lawful basis(es):

• UK GDPR Article 9(2)(f) – where processing is necessary to establish, carry out or defend legal claims
• UK GDPR Article 9(2)(g) – where processing is necessary for reasons of substantial public interest, specifically:

• for statutory and government purposes (Schedule 1, Part 2, section 6, DPA 2018)
• for the administration of justice (Schedule 1, Part 2, section 7, DPA 2018)
• for preventing or detecting unlawful acts (Schedule 1, Part 2, section 10, DPA 2018)
• to protect the public against dishonesty (Schedule 1, Part 2, section 11, DPA 2018)
• for preventing fraud (Schedule 1, Part 2, section 14, DPA 2018)
• for the safeguarding of children and of individuals at risk (Schedule 1, Part 2, section 18, DPA 2018).

Criminal offence data – general processing

The UK GDPR gives extra protection to the processing of criminal offence data. Counter Fraud Services also processes criminal offence data which may include:

• Information about any criminal record or criminal history
• Allegations of criminal behaviour, including unproven allegations
• Absences of convictions, for example the results of DBS checks
• Personal data of witnesses
• Personal data about criminal penalties that may have been awarded.

In addition to the lawful bases that we have identified under “Personal data” above, we process criminal offence data under the following condition(s) of Schedule 1 of the DPA 2018:

• where processing is necessary for statutory and government purposes (Schedule 1, Part 2, section 6, DPA 2018)
• where processing is necessary for the administration of justice (Schedule 1, Part 2, section 7, DPA 2018)
• where processing is necessary for preventing and detecting unlawful acts (Schedule 1, Part 2, section 10, DPA 2018)
• where processing is necessary for protecting the public against dishonesty (Schedule 1, Part 2, section 11, DPA 2018)
• where processing is necessary for preventing fraud (Schedule 1, Part 2, section 14, DPA 2018)
• where processing is necessary for the safeguarding of children and individuals at risk (Schedule 1, Part 2, section 18, DPA 2018)
• where processing is necessary for legal claims (Schedule 1, Part 3, section 33, DPA 2018).

Counter Fraud Services is a competent authority for the purposes of Part 3 of the DPA 2018 and we process personal data so that we can prevent, investigate, and prosecute criminal activities, or exercise criminal penalties.

This means that we can process personal data for law enforcement purposes when there is a basis in law for personal data to be processed and:

• When processing is necessary to enable us to perform a task that is being carried out for law enforcement purposes.

In addition to the above, we undertake sensitive processing for law enforcement purposes when:

• When processing is strictly necessary and cannot be achieved in any other way and meets the following conditions from Schedule 8 of the DPA 2018:

• Where processing is necessary for statutory purposes (Schedule 8, section 1, DPA 2018)
• Where processing is necessary for the administration of justice (Schedule 8, section 2, DPA 2018)
• Where processing is necessary for the safeguarding of children and individuals at risk (Schedule 8, section 4, DPA 2018)
• Where processing is necessary to establish, carry out or defend legal claims (Schedule 8, section 6, DPA 2018)
• Where processing is necessary to prevent fraud (Schedule 8, section 8, DPA 2018).

We share your personal information with:

• Other enforcers or regulators, including HMRC, Department of Work and Pensions
• Other local authorities inside and outside of Suffolk
• Other local authority departments within the Council
• Government Departments/agencies
• Police
• Judicial agencies – courts, bailiffs, lawyers and the Crown Prosecution Service
• Witnesses, including expert witnesses.

Any information which is shared will be shared securely, with appropriate individuals and only the minimum information needed will be shared.

We do not transfer any personal data to any countries or international organisations outside of the EU, the EEA (European Economic Area), or any other country that does not have an equivalent level of data protection to the UK.

Your information is securely stored electronically on the County Council’s network.

We will stop using your data after 7 years from the conclusion of the matter for which it was collected, or where is it necessary and permitted for a longer specified period in accordance with our retention policy. Your data will be securely and permanently deleted one year after we stop using it.

The Counter Fraud service does not use automated decision-making processes or profiling in respect of your information.

Under data protection law, you have the right to request access to the information that we hold about you. If you would like to make a request to access your personal information, please contact data.protection@suffolk.gov.uk.

You also have other rights regarding your personal data. You can find out more information about these rights by looking at the council’s corporate privacy notice.

If you would like independent advice on this privacy notice or other matters about how Suffolk County Council processes your personal data, including how to make a complaint, you can contact the Information Commissioner's Office at:

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Email: casework@ico.org.uk