Historic Environment Scotland (HES) has a legal obligation to protect the public funds it administers. It must share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
On behalf of the Auditor General for Scotland, Audit Scotland appoints the auditor to audit the HES Annual Report and Financial Statements. Audit Scotland also assists appointed auditors by conducting a National Fraud Initiative, which is a data matching exercise.
Data matching involves comparing sets of data, such as payroll or pension records, held by one body against other sets of data held by the same or another body to see how far they match.
This includes personal information about our Staff and our Suppliers. Computerised data matching allows potentially fraudulent claims and payments to be identified but the inclusion of personal data within a data matching exercise does not mean that any specific individual is under suspicion. Where a match is found it may indicate that there is an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out. The exercise can also help bodies to ensure that their records are up to date.
Audit Scotland currently requires HES to participate in a data matching exercise to assist in the prevention and detection of fraud. HES is required to provide particular sets of data to Audit Scotland for matching for each exercise, and these are set out in Audit Scotland’s Instructions.
The use of data by Audit Scotland in a data matching exercise is carried out with statutory authority, normally under its powers in Part 2A of the Public Finance and Accountability (Scotland) Act 2000.
HES does not require the consent of the individuals concerned under the Data Protection Act 2018 to pass the data to Audit Scotland because the lawful basis for processing is legal obligation. The requirements of the Data Protection Act 2018 continue to apply, although the rights of an individual to fully access their data may be limited under exemptions to data protection legislation if disclosure is likely to result in preventing the detection of fraud. You can see more detail about HES’s obligations in managing your data and your rights in our Privacy Notice.
Data matching by Audit Scotland is subject to a Code of Data Matching Practice. The data is processed for Audit Scotland by the Cabinet Office. No data is sent outside of the European Economic Area for processing. Audit Scotland may share data and the results of data matching with the AGS, Cabinet Office and other UK bodies responsible for auditing as specified in the Code of Practice.
Personal data submitted to Audit Scotland (or subsequently the Cabinet Office) will not be kept for longer than necessary and will be destroyed three months after the conclusion of the exercise.
For further information on Audit Scotland’s legal powers and the reasons why it matches particular information, visit the Audit Scotland National Fraud Initiative website.
HES is registered with the Information Commissioner’s Office as a Data Controller: Reference (ZA143443).
If you have any questions about this privacy notice or our data protection policies generally, please contact us:
The Data Protection Officer
Historic Environment Scotland
Room G.50, Longmore House
By email: firstname.lastname@example.org
By phone: 0131 668 8600