National Fraud Initiative 2010/11 – Frequently Asked Questions

General:

Is data being transmitted electronically or delivered in person?
Data for NFI is transferred directly from the Board’s computers to the Audit Commission via a secure NFI website which is password protected and encrypted to 128 bit SSL standards, both for the transmission of the initial data to the Audit Commission in October 2010 and for the subsequent return of data matching results from the Audit Commission to the Board in January 2011. This secure, electronic Data File Upload is the only acceptable method to transfer NFI data; data will not be transferred by post or delivered in person. The Audit Commission’s policy is to inform the Director of Finance if data is received by any other means that puts it at risk.

If electronically transmitted, what specific measures are in place in WELB to ensure security in the handling, storage and transmission of the data from the Board to the NFI website?
The authority to submit NFI data on behalf of the WELB is restricted to two senior managers (one Finance manager and one ICT manager) who are both acutely aware of the Board’s obligations to ensure the security of personal data. These two managers only are issued with passwords by the Audit Commission to gain access to the secure NFI website and these two managers, acting jointly, will follow exactly the procedures described by the Audit Commission in order to submit data via the secure, electronic Data File Upload. Both managers have received training using the Audit Commission’s on-line interactive training modules. No printed report will be produced by the Board of the data submitted to the NFI website and access to the electronic files will be restricted to the Board’s two nominated officers only.
The Board has complied with the guidance as published by the NI Audit Office in both ‘National Fraud Initiative in Northern Ireland 2010/11 – Instructions’ and ‘The Code of Data Matching Practice of the C & AG for Northern Ireland’.

Once the data has been passed to NFI/NI Audit Office what timescales apply to the retention of data by the WELB?
The Audit Commission recommends that ‘in case the data supplied proves unreadable, copies of any intermediate files should be retained so that the data may be re-supplied’ (reference Appendix 4, NFI in Northern Ireland 2010/11 – Instructions). The WELB proposes to retain a copy of its electronic NFI files until after the Audit Commission reports on 28 January 2011 on the outcomes of the data matching process. The Board would expect to erase and render irrecoverable the NFI data in February 2011, unless there is a compelling reason for retaining the data for longer.

What measures are in place for the destruction of the data and all back-ups?
The Board will erase and render irrecoverable the electronic copy of its NFI files from its computer database, including any back-up security copies. The Board has not made, nor is it planning to make, a printed copy of its initial NFI data.

How many staff are involved in the data collection exercise?
In the case of the WELB only two members of staff (one senior Finance manager and one senior ICT manager) are authorised, and have been issued with passwords, to submit NFI information to the Audit Commission.

Once data has been obtained by the NFI/NIAO, what timescale will apply to the retention of data ‘for no longer than necessary’? How is ‘no longer than necessary’ defined?
All original data as submitted in October 2010 to the Comptroller and Auditor General or his agent will be destroyed and rendered irrecoverable by the C & AG or his agent within six months of submission by the WELB.
All data that are derived or produced from that original data, including data held by any body or firm undertaking data matching as the C & AG’s agent, will be destroyed and rendered irrecoverable within three months of the conclusion of the exercise. Access by the Board to the results of data matching on the secure NFI website will not be possible after a minimum reasonable period of time necessary to follow up matches and the C & AG will notify the Board of the end date of this period. The Board and its auditors may decide to retain some data after this period e.g. data may be needed as working papers for the purpose of audit or for the purpose of continuing an investigation or prosecution. However, there is a presumption that data no longer required, including any data taken from a secure website, will be destroyed promptly and rendered irrecoverable.

The use of data:

Why are the bank account and sort code required?
The two pieces of information must go in tandem to be useful – the sort code is required to identify the branch location of a particular bank and then the account number to identify the account at that particular branch. One is of no value for NFI data matching purposes without the other.

What information will be obtained?
At no point will the Board, the NI Audit Office or its agents be able to access an individual’s bank account details. Data matching will only reveal whether bank account reference numbers are the same or different, no actual bank account details will be obtained or disclosed.

What will the data be used for?
Bank account information will be used to assist investigators to prioritise data matches e.g. in the case of housing benefit, matching bank details is a piece of intelligence that helps investigators to determine if information relating to other income (e.g. in an undisclosed bank account) has been withheld.
A match by bank account will be made between payroll and trade creditors to target potential fraud through the trade creditors’ system. This was identified as a risk by an audited body in Great Britain that was defrauded in this way.

Does an individual have a right to be informed their data is being passed on and for what purpose?
The Data Protection Act 1998 normally requires participants (the WELB) to inform individuals of the purpose or purposes for which their data may be processed and any further information that is necessary to enable the processing to be fair. The provision of this information is known as a fair processing notice and, in the case of the NFI, it enables people to know that their data is being used in order to prevent or detect fraud and to take appropriate steps if they consider the use unjustified or unlawful in their particular case. The WELB believes it has fulfilled its obligations, as far as is practicable, to provide fair processing notices to employees by means of the issue of notices to staff via e-mail and circulars, the inclusion of a message on payslips, an article in the in-house magazine ‘On Board’ and posting information on the Board’s website. In the case of trade creditors an explanatory note has been added to remittance advice notes and an appropriate clause has been added to the standard form of contract.

Do they have a right to object?
The processing of data by the Comptroller and Auditor General in a data matching exercise is carried out with statutory authority. It does not require the consent of the individuals concerned under the Data Protection Act 1998.

What limits are in place for the use of this data – e.g. can transactions be observed, can details of account balances be viewed? Who can do this and what powers do they have?
At no point will the Board, the NI Audit Office or its agents be able to access an individual’s bank account details.
It is not possible to view account balances or to observe transactions going through a bank account.

Is there a time limit on any monitoring of accounts that takes place?
Bank accounts will not be monitored – see answers above.

Public consultation:

When did the public consultation take place? How long did the consultation last? Geographically, where was the consultation exercise carried out?
The consultation draft of the Code of Data Matching Practice was issued by the NI Audit Office on 12 March 2008, with responses invited by 4 June 2008. On the basis of experiences in England, where the NFI has operated since 1996, the consultation was in the context of expanding the NFI to Northern Ireland.

Who participated?
The document was issued directly to some 185 organisations, including the Information Commissioner’s Office; all organisations audited by the Comptroller and Auditor General and local government auditors, relevant NI Assembly Committees, local political parties and regulatory, professional and other bodies.

How was the public consultation publicised?
The NI Audit Office issued a press release on the consultation exercise and an article featured in the Belfast Telegraph on 12 March 2008. The consultation draft was also made available on the NI Audit Office website. In May 2008 the NI Assembly Public Accounts Committee published a Report on NFI, following a presentation to the Committee by the NI Audit Office and the Audit Commission on the introduction of NFI in Northern Ireland.

What were the results of the consultation?
Comments on the proposal were made directly to the NI Audit Office and the NIAO has confirmed that all comments received were given full consideration in finalising the Code. The Information Commissioner provided a Foreword for inclusion in the published Code. In its response to the consultation the WELB welcomed the opportunity to have the Board involved in an initiative to identify any fraud or overpayments.

Were they published, and if so, where?
The Comptroller and Auditor General published and laid before the Northern Ireland Assembly on 25 July 2008, the final Code of Data Matching Practice for Northern Ireland.

This version of FAQs was updated on 18 August 2010.