Dumfries & Galloway College (the College) is providing you with this information to comply with data protection law to ensure that you are fully informed and that we are transparent in how we collect and use your personal data.
Your privacy and trust are very important to us and this Privacy Notice provides essential information about how the College handles your personal data and the rights you have in relation to how we use your data. The College is committed to complying with all applicable Data Protection legislation, this includes the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
Who are we?
Dumfries & Galloway College is the “Controller” and is responsible for looking after the personal data that you provide.
Dumfries & Galloway College
For any queries or concerns about how your personal data is being processed you can contact the Data Protection Officer (DPO) at email@example.com
This privacy notice relates to the following process:
Sharing Data with Audit Scotland: National Fraud Initiative
Purpose for processing – why do we collect information about you?
The College is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
On behalf of the Auditor General for Scotland, Audit Scotland appoints the auditor to audit the accounts of the College. It is also responsible for carrying out data matching exercises under the National Fraud Initiative.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This will include personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified but the inclusion of personal data within a data matching exercise does not mean that any specific individual is under suspicion. Where a match is found it indicates that there may be an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out. The exercise can also help bodies to ensure that their records are up to date.
Dumfries & Galloway College is required to provide specific sets of data to Audit Scotland for matching purposes. Information on the data sets can be found at:
Our lawful basis (reason) for processing your information is / are:
- Article 6(1)(e) Use is necessary for performing a task in the public interest or under official authority vested in us.
- Article 6(1)(c) Use is necessary for us to comply with a legal obligation.
The data being used includes special category (sensitive) data.
Our legal reason for using this sensitive data is/are:
- The legal basis for processing your special category and criminal convictions data is Article 9 (2) (g) substantial public interest, and sections 6, 10, 11, and 12 of schedule 1 to the Data Protection Act 2018.
The use of data by Audit Scotland in a data matching exercise is carried out under their statutory authority, normally under its powers in Part 2A of the Public Finance and Accountability (Scotland) Act 2000. It does not require the consent of the individuals concerned under the Data Protection Act 2018. Data matching by Audit Scotland is subject to a Code of Practice.
This may also be found at: National Fraud Initiative
What information do we collect about you?
As part of your employment with the College we collect a range of relevant information about you – this is detailed in the Staff Privacy Notice.
When you do business with us, we also collect specific data for procurement and payment purposes.
For the purposes of the NFI, data shared between the College and Audit Scotland is defined in the NFI data sets:
- Payroll data
- Trade creditors standing data
- Trade creditors history
How do we collect it?
Your personal information is collected when you complete our application process and from your personal files as your employment continues.
We also collect personal information when you enter into a business arrangement with us, for example to supply goods or services.
Who do we share your information with?
For the purposes of the NFI your data is shared, via a secure portal, with Audit Scotland.
Details of data transfers to any third countries or international organisations
Your information will not be shared outside of the European Economic Area.
How do we look after your information and how long do we keep it for?
We will take all reasonable steps to prevent the loss, misuse or alteration of information you give us. Your personal information will be stored securely and will only be accessed by authorised staff, agents, contractors and other organisations who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality and must comply with data protection law.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Your employment data will be kept for 6 full years plus current year when you leave employment in line with the College’s data retention schedule for staff records and then will be destroyed confidentially.
Data extracted from existing systems for upload to the NFI portal is securely stored after it is uploaded for the purposes of audit queries received from the NFI exercise.
Automated decision making processes, including profiling
Automated decision making is not used as part of this process.
Under the GDPR you have certain rights in relation to how the College manages and uses your personal information:
- The right to be informed (this is the Privacy Notice)
- The right to access your personal data
- The right to rectification if the personal data we hold about you is incorrect
- The right to restrict processing of your personal data
In addition, the following rights apply only in certain circumstances:
- The right to withdraw consent at any time (if consent is our lawful basis for processing your data)
- The right to object to our processing of your personal data
- The right to request erasure (deletion) of your personal data
- The right to data portability
For more information about your rights please see https://ico.org.uk/your-data-matters
For further information on how data matching at the College works, please contact: Karen Hunter
If you have any questions about your information rights or the way the College has handled your personal information, please contact our Data Protection Officer: firstname.lastname@example.org
Telephone: 01387 734364
Complaints to UK Information Commissioner’s Office (ICO)
You can also contact the Information Commissioner’s Office if you think that your data is not being processed in accordance with Data Protection legislation. You can find more information on their website https://ico.org.uk/make-a-complaint/
The ICO helpline is 0303 123 1113