What this privacy notice is for
Our core data protection obligations and commitments are set out in the Council’s primary Privacy Notice
Dudley MBC is committed to protecting and respecting your privacy in terms of how we collect, use, store and destroy your personal information. The Council is the data controller for the personal information we collect under the Data Protection Act 2018. This privacy notice is designed to provide you with type of data we collect, why we need to collect your personal data and what we will do with it.
Audit Services is responsible for delivering the Council’s internal audit and corporate fraud service. Dudley MBC provides an internal audit service because it is required by law.
Audit Services may process any personal information held elsewhere within the Council (or its contractors and partners) in order to assess and provide assurances on the arrangements for governance, risk management and internal control.
Audit Services will also process personal information to meet the requirements of the National Fraud Initiative and for internal fraud and enforcement duties for the prevention or detection of crime, fraud or errors. Additionally, personal information may be collected (new personal information) and processed in relation to corporate fraud investigations.
In order to deliver these services Audit Services are required to collect, store, use, share and dispose of personal information, known as data processing.
The Accounts and Audit Regulations (2015) requires every local authority in England to maintain an effective internal audit service to evaluate the effectiveness of its risk management, control and governance processes taking into account public sector internal auditing standards or guidance.
The Council's Director of Finance and Legal Services has a statutory duty under Section 151 of the Local Government Act 1972 to establish a clear framework for the proper administration of the authority's financial affairs. To perform that duty the Section 151 Officer relies, amongst other things, upon the work of Audit Services in reviewing the operation of systems of internal control and financial management.
Other legislation, policies and guidance that allow us to do this includes, but is not limited to:
Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017
- Fraud Act 2006
- Bribery Act 2010
- Regulation of Investigatory Powers Act 2000
- Dudley MBC’s Constitution
The information Audit Services collects is dependent upon the reasons it is required. Audit Services will not collect unnecessary information; information collected may include:
- Names, addresses and signatures
- Dates of birth
- Correspondence and e-mails including contact details
- National Insurance Number
- Financial information, including bank and card payment details
- Photographs
- Registrable interests
Audit Services share the data we have collected in line with our duties to comply with Part 6 of the Local Audit and Accountability Act 2014.
Audit Services may share personal information about you with the following organisations:
- External Audit Provider (Grant Thornton) :To review our audit working papers and audit reports to ensure we are delivering an effective service;
- Externally appointed Internal Audit review body: To provide supporting evidence for their external review of the internal audit service against the Public Sector Internal Audit Standards (2017);
- Cabinet Office: to undertake matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise. This data may then be passed on to other public bodies to investigate any matches. See the Anti-Fraud Privacy Notice.
Information may also be shared with the police, government departments and other local authorities for the purposes of the prevention or detection of crime and/or the apprehension or prosecution of offenders without the permission of the data subject. The Council will consider such requests on a case by case basis.
Audit Services may share your personal information with other teams within the Council in order to prevent or detect crime, assist in the apprehension or prosecution of offenders and to recover outstanding debt.
Either there would be a legal requirement to share information or there would be a contract in place with the person or organisation who is to receive the information. Information would be shared by the person or organisation attending Audit Services offices or would be uploaded into a secure portal or sent by secure means.
Your information is held securely and in accordance with Audit Services Information Security Charter. Audit Services have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. Audit Services limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality
Audit Services will not use your information for any purpose other than for which it was collected unless we are able or required to by law.
Audit Services will only keep your information for as long as it is required by us or other regulatory bodies in order to comply with legal and regulatory requirements or for other operational reasons. In most cases this will be a minimum of six years.
Once the retention period has been reached the information will be destroyed either by shredding or by electronic deletion.
Further Information
Refer to the Corporate Privacy Notice.
Review
This Privacy Notice will be reviewed on an annual basis