The Belfast Trust is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
This notice sets out how personal data that is submitted to the Comptroller and Auditor General (C&AG) for the purpose of the National Fraud Initiative (NFI) in Northern Ireland will be used.
The C&AG conduct data matching exercises to assist in the prevention and detection of fraud.
Data matching involves comparing sets of data, such as the payroll or benefits records of a body, against other records held by the same or another body, to see how far they match. The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found, it may indicate that there is an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
The processing of data by the C&AG (in practice the processing is undertaken by the Cabinet Office on the C&AG’s behalf) in a data matching exercise is carried out with statutory authority under his powers in Articles 4A to 4G of the Audit and Accountability (Northern Ireland) Order 2003.
The Belfast HSC Trust is required to provide data and participate in the data matching exercise.
Under the General Data Protection Regulations (GDPR) (article 6, 1 (c) and the Data Protection Act 2018 (section 8), the legal basis for processing personal data under the NFI is that it is necessary for compliance with a legal obligation to which the controller is subject. It does not require the consent of the individuals concerned under the Data Protection Act 2018 or GDPR.
Details of the data that is matched are available on the Northern Ireland Audit Office (NIAO) website at:
Data is matched for the purpose of assisting in the prevention and detection of fraud.
The data is shared with the C&AG and the cabinet office.
The C&AG may disclose the results of data matching exercises where this assists in the prevention and detection of fraud, including disclosure to bodies that have provided the data, and to local government auditors, as appropriate, as well as in pursuance of a duty imposed by, or under, a statutory provision.
The C&AG may disclose both data provided for data matching and the results of data matching to the Cabinet Office, the Auditor General for Wales, the Auditor General for Scotland, the Accounts Commission for Scotland and Audit Scotland, for the purposes of preventing and detecting fraud.
Individuals whose data is included in data matching exercises have rights under data protection legislation. Guidance on individual’s rights is available on the Information Commissioner’s website at https://ico.org.uk/your-data-matters/
Individual’s usual rights of access to data held about them may be limited as a consequence of exemptions in the Data Protection legislation (as set out in Schedule 2 of the Data Protection Act 2018). Exemptions will apply in relation to the processing of personal data for the prevention and detection of crime.
Personal data will not be kept for longer than is necessary. Data retention under the NFI will be in accordance with a data deletion schedule to be published on the Cabinet Office’s NFI web page at:
The Belfast HSC Trust and its auditors may retain some data for a longer period, for the purposes of audit, continuing investigations or prosecutions. Data will however only be held for the required length of time necessary relating to any such audit, investigation or prosecution.
Data matching by the C&AG is subject to a Code of Data Matching Practice. This can be found at:
For further information on the C&AG and the NFI, see:
For further information on the NFI and data matching, please contact the Belfast HSC Trust Data Protection Officer on 028 9504 6576.
If you wish to complain about how your personal data has been processed, please contact the Belfast HSC Trust Data Protection Officer (see above).
If you remain dissatisfied, you can make a complaint to the Information Commissioner, at: