Data Matching Policy - Clackmannanshire · 2020-03-08


CLACKMANNANSHIRE COUNCIL

Report To Resources And Audit Committee

Date Of Meeting: 02 May 2013

Subject: Clackmannanshire Council Data Matching Policy.

Report By: Internal Audit And Fraud Team Leader

1.0 Purpose

1.1. This report presents the Clackmannanshire Council Data Matching Policy to Resources and Audit Committee.

2.0 Recommendations

2.1. The Committee is asked to comment on, challenge and note in principle the Data Matching Policy (Appendix A).

3.0 Considerations

3.1 The National Fraud Initiative (NFI) in Scotland is a counter-fraud exercise led by Audit Scotland, assisted by the Audit Commission (the equivalent organisation in England). It uses computerised techniques to compare information about individuals held by different public bodies, and on different financial systems, to identify circumstances (matches) that might suggest the existence of fraud or error.

3.2 The Data Matching Policy, set out at Appendix A, has been drawn up using the Audit Scotland Code of Data Matching Practice 2010. Clackmannanshire Council, which participates in the data matching exercises, must, by law, have regard to the provisions of this Code.

3.3 The purpose of section 1 of this Policy is to help ensure that Clackmannanshire Council and its staff, external auditors and all persons and bodies involved in data matching exercises comply with the law, especially the provisions of the Data Protection Act 1998. The Policy also aims to promote good practice in data matching. It includes guidance on the notification process for letting individuals know why their data is matched and by whom, the standards that apply and where to find further information.

3.4 Clackmannanshire Council will also undertake internal data matching exercises and section 2 of the policy sets out the processes and requirements that will have to be followed.

3.5 Targeted internal data matching, analysis and exception testing may identify more areas for further investigation, or “hits”, than the NFI exercise. This may lead to both investigation work through identifying potential fraud, as well as giving us the chance to develop Systems Assurance work. A further policy is required to cover this work.

THIS PAPER RELATES TO ITEM 07 ON THE AGENDA


3.6 Performing a Data Matching and Data Analysis process internally, and informing people that we are performing this process internally, should act as a successful deterrent and enhance the anti-fraud and corruption culture within the Council.

4.0 Sustainability Implications

4.1 There are no sustainability implications.

5.0 Resource Implications

5.1 Financial Details

5.2 Not applicable

6.0 Exempt Reports

6.1 Is this report exempt? Yes (please detail the reasons for exemption below) No

7.0 Declarations

The recommendations contained within this report support or implement our Corporate Priorities and Council Policies.

(1) Our Priorities

• The area has a positive image and attracts people and businesses
• Our communities are more cohesive and inclusive
• People are better skilled, trained and ready for learning and employment
• Our communities are safer
• Vulnerable people and families are supported
• Substance misuse and its effects are reduced
• Health is improving and health inequalities are reducing
• The environment is protected and enhanced for all
• The Council is effective, efficient and recognised for excellence

(2) Council Policies

Financial Regulations.

8.0 Equalities Impact

8.1 Have you undertaken the required equalities impact assessment to ensure that no groups are adversely affected by the recommendations? n/a

9.0 Legality

9.1 It has been confirmed that in adopting the recommendations contained in this report, the Council is acting within its legal powers. Yes

10.0 Appendices


10.1 Please list any appendices attached to this report. If there are no appendices, please state "none".

Appendix A - Clackmannanshire Council Data Matching Policy.

11.0 Background Papers

11.1 Have you used other documents to compile your report? (All documents must be kept available by the author for public inspection for four years from the date of meeting at which the report is considered) Yes (please list the documents below) No

Audit Scotland Code of Data Matching Practice 2010.

Author(s)

NAME DESIGNATION TEL NO / EXTENSION

Iain Burns Internal Audit and Fraud Team

226231

Approved by

NAME DESIGNATION SIGNATURE

Julie Burnett Senior Support Services Manager

Signed: J Burnett

Nikki Bridle Director Finance & Corporate Services

Signed: N Bridle


Appendix A

Date Issued: May 2013

Data Matching Policy


Section One: NFI Data Matches

Contents

1. Introduction
2. Governance Arrangements
3. Data to be Provided
4. Fair Processing Notices
5. Quality of the data
6. Security of the data
7. Supply of data to Audit Scotland
8. Access to the results by Clackmannanshire Council
9. Following up the results
10. Disclosure of data used in data matching
11. Access by individuals to data included in data matching
12. Role of external auditors
13. Retention of data


NFI Data Matching

1. Introduction

1.1 This Policy has been drawn up using the Audit Scotland Code of Data Matching Practice 2010. Clackmannanshire Council, which participates in the data matching exercises, must, by law, have regard to the provisions of this Code.

1.2 The purpose of this Policy is to help ensure that Clackmannanshire Council and its staff, external auditors and all persons and bodies involved in data matching exercises comply with the law, especially the provisions of the Data Protection Act 1998. The Policy also aims to promote good practice in data matching. It includes guidance on the notification process for letting individuals know why their data is matched and by whom, the standards that apply and where to find further information.

What is Data Matching?

1.3 The Public Finance and Accountability (Scotland) Act 2000 (the 2000 Act) and complementary legislation applying to other UK public sector audit agencies define data matching as the comparison of sets of data to determine how far they match. In the 2000 Act, the purpose of data matching is to identify potential inconsistencies that may indicate fraud or assist with the other permitted purposes.

1.4 Where a match is found it indicates that there may be an inconsistency or circumstance that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out. The data compared are usually personal data. Personal data may only be obtained and processed in accordance with the Data Protection Act 1998.


2. Governance Arrangements

Nominated Officer

2.1 Within Clackmannanshire Council the Revenue and Payments Manager acts as the senior responsible officer for the purposes of data matching exercises. The Revenue and Payments Manager will nominate officers responsible for data handling, for follow up investigations and to act as a key contact with Audit Scotland and auditors. Officers will be suitably trained and qualified for this role.

2.2 Clackmannanshire Council data protection officer(s) should be involved at an early stage in the arrangements for data handling, training and providing fair processing notices.

Audit Scotland Guidance

2.3 For each data matching exercise, Audit Scotland will issue instructions and guidance to Clackmannanshire Council. This will set out the detailed responsibilities and requirements for participation. The most up-to-date instructions (formerly referred to as handbooks) can be found on Audit Scotland’s website at: http://www.audit-scotland.gov.uk/work/nfi.php

2.4 Instructions and guidance for Clackmannanshire Council will include:

i. a list of the responsibilities of the nominated officers at the Council
ii. specifications for each set of data to be included in the data matching exercise
iii. any further requirements and returns concerning the data to be provided
iv. a timetable for processing
v. information on how to confirm compliance with data protection requirements.

Secure NFI website

2.5 The Audit Commission has made available to Clackmannanshire Council (and all participants) a secure, password protected and encrypted website for data matching exercises, known as the secure NFI website. This site allows Clackmannanshire Council to transmit data securely to Audit Scotland (in practice to the Audit Commission which matches the data on behalf of Audit Scotland) and for the results of data matching to be made available in secure conditions. Clackmannanshire Council also has access to further guidance material and training modules on this website, including reports on the quality of their data and information on how to interpret matches, and on co-operation with other NFI participants.


Notification by data controllers of processing purposes

2.6 The Information Commissioner maintains a public register of data controllers that process data covered by the Data Protection Act 1998. Data controllers determine the purpose and manner in which personal data will be processed. Each register entry includes the name and address of the data controller, the purposes for which data is processed, and specified information in relation to each purpose. Those data controllers that are required to notify, but fail to do so, are committing a criminal offence. It is the responsibility of Clackmannanshire Council to ensure that their notification to the Information Commissioner covers Audit Scotland and auditors as recipients against the appropriate purpose(s), i.e. for most audited bodies, the prevention and detection of fraud but also, when relevant, any other permitted purpose.

3. Data to be Provided

3.1 The data required from Clackmannanshire Council will be the minimum needed to undertake the matching exercise, to enable individuals to be identified accurately and to report results of sufficient quality. This will be set out by Audit Scotland in the form of a data specification for each data set in the instructions for each exercise.

4. Fair Processing Notices

4.1 The Data Protection Act 1998 requires Clackmannanshire Council to inform individuals that their data will be processed. Unless an exemption applies, for data processing to be fair, the first data protection principle requires data controllers to inform individuals whose data is to be processed of:

i. the identity of the data controller
ii. the purpose or purposes for which the data may be processed
iii. any further information which is necessary to enable the processing to be fair.

4.2 Clackmannanshire Council uses fair processing notices, by including details on relevant forms, to enable people to know that their data is being used for one of the permitted purposes (e.g., the prevention and detection of fraud) and to take appropriate steps if they consider the use is unjustified, or unlawful in their particular case.

4.3 Clackmannanshire Council should, so far as practicable, ensure that fair processing notices are actively provided, or at least made readily available to the individuals about whom they are sharing information. The notice should clearly set out an explanation that their data may be disclosed for the purpose of preventing and detecting fraud (or other permitted purpose, as appropriate). The notice should state that the data will be provided to Audit Scotland for this purpose. The notice should also contain details of how individuals can find out more information about the processing in question.


4.4 Communication with individuals whose data is to be matched should be clear, prominent and timely. It is good practice for reminder notices to be issued before each round of data matching exercises. When providing data to Audit Scotland, Clackmannanshire Council should submit a declaration, using the facility available on the NFI secure website, confirming compliance with the privacy notification requirements.

4.5 For collection of new data Clackmannanshire Council should provide fair processing notices at the point of collecting personal data where practicable. It is sometimes not practicable to provide fair processing notices at the time of the original collection of the data. In such cases, Clackmannanshire Council should provide retrospective fair processing notices at the earliest reasonable opportunity, and before disclosure to Audit Scotland. Where this is impracticable Clackmannanshire Council should maintain a record of the reasons.

5. Quality of the data

5.1 Clackmannanshire Council should ensure that the data it provides for data matching is of good quality (i.e., accurate and complete). Processing of inaccurate data could mean that Clackmannanshire Council is in breach of data protection law.

5.2 Before providing data for matching, Clackmannanshire Council should ensure that the data is as accurate and up to date as possible. Errors identified from previous data matching exercises should be rectified, and action taken to address any issues identified in data quality reports supplied to Clackmannanshire Council on the secure NFI website.

6. Security of the data

6.1 Clackmannanshire Council must put in place security arrangements for handling and storing data in data matching exercises.

6.2 These arrangements should ensure that:

i. specific responsibilities for security of data have been allocated to one or more managers

ii. security measures take appropriate account of the physical environment in which data is held, including the security of premises and storage facilities

iii. there are physical and logical controls to restrict access to data held electronically, so that only those named individuals who need to access the data for the purpose of data matching exercises can do so

iv. all staff with access to data are given training that is sufficient to enable them to appreciate why and how they need to protect the data. Participants should refer to the training modules on the secure NFI website

v. if a breach of security occurs, or is suspected, authorised users are given new passwords or are required to change their passwords as soon as possible. Clackmannanshire Council should consider what further steps it should take in the light of the Information Commissioner’s guidance on management of security breaches.

6.3 Appropriate audit trails should be maintained, where practicable, to evidence that such arrangements are being complied with.

6.4 All persons handling data as part of the data matching exercise should be made aware of their data protection, confidentiality and security obligations. Such staff should be subject to strict access authorisation procedures. Breach of authorisation procedures should attract appropriate disciplinary sanctions.

7. Supply of data to Audit Scotland

7.1 Clackmannanshire Council should normally only submit data to Audit Scotland via the Audit Commission’s secure NFI website or, in future, an approved alternative that has also been accredited against HM government security standards.

7.2 In exceptional cases, data may be submitted by an alternative method provided this satisfies the security requirements of the Policy and is approved by the Audit Commission.

8. Access to the results by Clackmannanshire Council

8.1 All results from data matching exercises will normally be made available to Clackmannanshire Council via the Audit Commission’s secure NFI website. The results comprise the computer data file of reported matches and other relevant information arising from processing the data. In exceptional cases, matches may be made available by an alternative method provided this satisfies the security requirements of this Policy and is approved by the Audit Commission.

8.2 The Revenues and Payments Manager should ensure that the results of a data matching exercise are disclosed only to named officers for each type of result. The secure NFI website is designed for that purpose.

8.3 All results from data matching exercises held by Clackmannanshire Council other than on the secure NFI website should be held on an equally secure, password protected and encrypted computer system. Any printed results should be kept in locked storage in a secure environment and should only be accessible to named individuals as referred to in 6.2 (iii).

9. Following up the results

9.1 The detailed steps taken by Clackmannanshire Council to investigate the results of data matching are beyond the scope of this Policy. However, it is important to recognise that matches are not necessarily evidence of fraud or any other outcome related to the purpose for which the matching was undertaken. Clackmannanshire Council should review the results to eliminate coincidental matches, and will want to concentrate on cases that are potentially fraudulent or otherwise indicative of the outcome for which the matching was undertaken. In the process, the Council will need to identify and correct those cases where errors have occurred.

9.2 No decision should be made as a result of a data match until the circumstances have been considered by an investigator at Clackmannanshire Council. Investigating officers will find it helpful to refer to the guidelines on how to interpret matches and cooperation between bodies prepared by the Audit Commission, which are available to participants on its secure NFI website.

9.3 A data match between two (or more) NFI participants may require the participants to share other information about the individual who is the subject of the match, before it would be possible to determine whether or not a crime (including fraud) has occurred. Section 29(1) of the Data Protection Act 1998 permits such disclosure, for example, where the prevention or detection of crime would otherwise be likely to be prejudiced.

9.4 Clackmannanshire Council should consider whether any corrections to personal data found to contain errors as a result of data matching are substantial enough to warrant notification to the persons concerned.

10. Disclosure of data used in data matching

10.1 Clackmannanshire Council may only disclose data matching results received from Audit Scotland if it is to assist in the prevention and detection of fraud or another permitted purpose, to investigate and prosecute an offence, for the purpose of disclosure to an external auditor or otherwise as required by statute. The legal basis of these rules is Section 26D of the Public Finance and Accountability (Scotland) Act 2000. Any disclosure by Audit Scotland, Clackmannanshire Council or any person in breach of Section 26D is a criminal offence.

11. Access by individuals to data included in data matching

11.1 Individuals whose data is included in a data matching exercise may have rights of access to information under the Data Protection Act 1998 or Freedom of Information legislation. These should be dealt with in accordance with Clackmannanshire Council's general arrangements for responding to requests for information.

11.2 Individuals’ usual rights of access to data held about them may be limited as a consequence of Section 29 of the Data Protection Act 1998, where disclosure would be likely to prejudice the prevention or detection of a crime or the apprehension or prosecution of an offender. This determination should be made on a case-by-case basis by Clackmannanshire Council in receipt of the request for information. This means that individuals may be refused full access to information about them that has been processed in data matching exercises.

11.3 Individuals have rights under the Data Protection Act 1998 if data held about them is inaccurate. They should be able to check the accuracy of their data by contacting Clackmannanshire Council. Individuals should not expect to be told about data or data matches concerning any other person unless that person has given consent, as this is likely to amount to a breach of data protection principles.

11.4 Information requests under the Freedom of Information (Scotland) Act 2002 may be subject to the law enforcement exemption in Section 35, for example where its disclosure would be likely to prejudice substantially the prevention and detection of a crime or the apprehension or prosecution of an offender, or the personal information exemption under Section 38. These determinations should be made on a case by case basis by Clackmannanshire Council.

11.5 Clackmannanshire Council should have arrangements in place for dealing with complaints from individuals about their role in a data matching exercise. If the Council receives a complaint and Audit Scotland is best placed to deal with it, the complaint should be passed on promptly to Audit Scotland.

12. Role of external auditors

12.1 Clackmannanshire Council's external auditor will be concerned, among other things, to assess the arrangements that the body has in place to:

i. prevent and detect fraud generally
ii. follow up and investigate NFI matches and act upon instances of fraud and error.

13. Retention of data

13.1 Personal data should not be kept for longer than is necessary. Access to the results of a data matching exercise on the secure NFI website will not be possible after a minimum reasonable period necessary for Clackmannanshire Council to follow up matches. Audit Scotland (or the Audit Commission on its behalf) will notify the end date of this period to participants.

13.2 Clackmannanshire Council and their external auditors may decide to retain some data after this period. Data may, for example, be needed as working papers for the purposes of audit, or for the purpose of continuing investigation or prosecution. The Council should consider what to retain in their individual circumstances in the light of any particular obligations imposed on them. The Council should discuss with their auditor what should be retained for the purposes of audit.

13.3 Clackmannanshire Council should ensure that data no longer required, including any data taken from the secure NFI website, are destroyed promptly and rendered irrecoverable. Data retained will be subject to the requirements of the Data Protection Act 1998.


Section Two: Internal Data Matches

Contents

1. Introduction
2. Scope of Data Matching
3. Legal Basis for Data Matching
4. Approach to Data Matching
5. Retention of Data
6. Storage of Data
7. Links to Audit Controls and Risk Registers
8. Management Action


1. Introduction

1.1 Clackmannanshire Council is committed to the prevention, detection and investigation of all forms of fraud and corruption. Continuous Auditing will act as a pro-active approach to identifying and where possible preventing fraud and corruption.

1.2 The benefits of data matching can be seen through initiatives such as “The National Fraud Initiative”, which is the Audit Commission’s Data Matching exercise that is set up to tackle numerous fraud activities within the public sector. Data Matching under the National Fraud Initiative is a legal requirement.

1.3 Targeted internal data matching, analysis and exception testing may identify more areas for further investigation, or “hits”, than the NFI exercise. This may lead to both investigation work through identifying potential fraud, as well as giving us the chance to develop Systems Assurance work.

1.4 Performing a Data Matching and Data Analysis process internally, and informing people that we are performing this process internally, should act as a successful deterrent and enhance the anti-fraud and corruption culture within the Council.

1.5 Data Matching is the computerised comparison of two or more data sets which relate to the same individual or element. Data Analysis is the process of transforming data with the aim of extracting useful information and conclusions. Continuous Auditing is the method that is used to perform control and risk assessments in an automated manner on a more frequent schedule.

2. Scope of Data Matching

2.1 Data analysis and matching may be performed on any system within Clackmannanshire Council. Looking forward, we may develop this strategy to incorporate matching and analysis of data between authorities and other organisations.

2.2 Data matching will be performed routinely, following development of a data matching plan, and also on an ad-hoc basis. Ad-hoc data matches may be required for scenarios when the routine data matching would not be appropriate. This could also include extractions to aid the audit of large information systems.

3. Legal Basis for Data Matching

3.1 In order for Clackmannanshire Council to pursue our proposed Data Matching/Continuous Auditing process it is essential that we work within the relevant legislative framework. We will actively work with the Governance Manager and Legal Service to ensure we set up the correct legal procedures to drive improvement within the Council.


3.2 For all new legislation or amendments to existing legislation, we will seek the relevant legal advice and advice of the Governance Manager to ensure we are working with the correct legislative framework.

3.3 We will adhere to the Data Protection Act by ensuring there are the relevant fair processing notices in place to inform the data subjects that this exercise is necessary to help detect and identify fraud.

4. Approach to Data Matching

4.1 A risk assessment will be performed to help us target areas with a high risk profile. This process will allow us to formulate an annual data matching plan. Our plan will cover both routine data matches, whilst leaving the plan flexible enough to include ad-hoc data matches where necessary.

4.2 For all our proposed data matches and exception tests a justification process will be conducted with the Governance Manager and relevant System Owners. This involves specifying our data requirements and field definitions, and creating a justified key objective that details what the test may identify.

4.3 All future proposals of Data Matches and Exception Testing will follow the same justification process.

4.4 The overall approach to Data Matching involves an extraction of data from any system or data warehouse within the Council, and then subsequently cross matching or exception testing this data to another data set to help identify potential errors, irregularities or suspect matches.

5. Retention of Data

5.1 We will ensure that data is not kept for longer than necessary in order to perform our specified analysis. Retention and archiving periods will be considered in line with ongoing Document Retention Schedules.

5.2 Data matches, analysis and testing that indicate potential fraud or areas for further investigation will be retained in line with investigation procedures.

5.3 We will retain only two generations of each data extraction, to prevent duplication of work investigating a discrepancy which was reported in the last cycle of extractions and which was resolved in the past. Our planned data extraction frequency means that existing data extractions will replace previous extractions. Where a new extraction has been conducted to replace existing data extractions, the previous data will be securely deleted and replaced by the new extraction.


6. Storage of Data

6.1 Data that is created from extractions, analysis, testing and cross matching is held in secure files with restricted access.

6.2 Data that does not indicate a match or does not need to be retained for further investigation will be securely removed.

6.3 We have no existing plans to match paper based records. In exceptional circumstances where this is necessary, we will ensure manual records are stored securely in locked cabinets with restricted access.

7. Links to Audit Controls and Risk Registers

7.1 Where significant fraudulent activities have occurred through poor system controls, the details will be:

• entered into the relevant risk register, and

• included in a follow-up framework

7.2 This will allow the measures taken in response to be assessed as to their effectiveness. The follow-up may be carried out as part of the next timetabled audit or may be given greater priority, depending on the nature of the activities. In either case, the follow-up would take place as a separate exercise to the data-matching process.

8. Management Action

8.1 The Internal Audit and Fraud Team Leader will make arrangements for follow-up of all positive data matches where a fraud has occurred but no action has been taken against the perpetrator(s) of the fraud.
