Privacy Notice for Fraud and Investigation Function

Data Controller: Mole Valley District Council

Mole Valley District Council (“MVDC”) is the body exercising control over the purpose for which and the manner in which your personal data is processed.

Data Controller’s contact details:

MVDC Pippbrook, Dorking RH4 1SJ. Telephone: 01306 885001.

Data Protection Officer:

Mr Tom Penlington (Solicitor). Telephone: 01306 879354

The legal basis for and the purposes of the processing:

MVDC has a legal duty to protect the public funds it administers, and may use information held about you for all lawful purposes, including but not limited to the prevention and detection of crime including fraud and money laundering.

One of the primary objectives of the council’s Anti-Fraud & Corruption Policy is to ensure the prevention of fraud and corrupt acts and to ensure that any instances or allegations of these are investigated and dealt with effectively. As part of this we may conduct pro-active counter fraud reviews into transactions and records held across different business areas. They are designed specifically to identify unusual, incorrect or potentially fraudulent transactions.

The legal basis for processing and or sharing your personal information is under article 6(1) (c) and 6(1)(e) of the UK GDPR. We process your information as part of our compliance with a legal obligation and under our public tasking duties.

  • The legal basis for Counter Fraud investigations is set out below:
    Section 151, Local Government Act 1972
  • The Council Tax Reduction Schemes (Detection of Fraud and Enforcement) (England) Regulations 2013
  • Local Audit and Accountability Act 2014 (Part 6)
  • Section 68 of the Serious Crime Act 2007
  • Prevention of Social Housing Fraud Act 2013
  • The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017
  • Fraud Act 2006
  • Criminal Procedures and Investigations Act 1996
  • Schedule 2, Data Protection Act 2018
  • The Police & Criminal Evidence Act 1984 (PACE)

We collect and process the following categories of personal information:

  • Personal and family details
  • Lifestyle and social circumstances
  • Details about your involvement with the council
  • Financial details
  • Employment details
  • Housing needs
  • Visual images, personal appearance and behaviour
  • Licenses or permits held
  • Business activities
  • Case file information
  • Criminal convictions and offences

The source of the personal data:

We collect information in a number of ways, for example, by letter, written applications for services, email, face-to-face, other agencies, credit referencing and intelligence gathering and analysing organisations, telephone calls, anonymous sources, online forms and proactive investigatory enquires.

Recipients and categories of recipients of the personal data:

We will share personal information with law enforcement or other authorities if required by applicable law such as:

  • The Cabinet Office
  • Government agencies
  • The Police
  • Judicial agencies e.g. Courts
  • Department of work and pensions
  • HMRC
  • Local authorities
  • Housing Associations
  • Credit reference, other data collection agencies and other fraud and investigation intelligence organisations

We will only share information with these organisations where it is appropriate and legal to do so.  We may also share information, for example, if there is a risk of serious harm or threat to life. Where this is necessary, we are required to comply with all aspects of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

MVDC is under a duty to protect the public funds it administers, and to this end may use the information you have provided for the prevention and detection of fraud. It may also share this information with other bodies responsible for auditing or administering public funds for these purposes. This includes MVDC’s statutory participation in the Cabinet office’s National Fraud Initiative (NFI) data matching exercises.

For further information about data sharing for fraud prevention and investigation, visit our Data Matching Level 2 Notice page.

Further information on onward transfers:

MVDC will not transfer the personal data you have provided outside of the UK or European Union unless this is permitted in accordance with the Data Protection Act 2018.

How long the personal data will be kept for:

The personal data you have supplied will be retained and destroyed in accordance with MVDC’s Records Retention and Disposal Schedule.
Generally we will keep electronic records for up to six years on conclusion of their use (e.g. at the point an investigation is ended).
Where we collect or process information for data matches purposes, we review each project on its own merits and may delete records within six years if it is no longer relevant to hold bulk data which has been used for matching.

Statutory Obligations to provide the personal data:

There is no statutory obligation on you to provide any personal data about you in relation to an investigation, however obligations may still apply for the particular council service that you accessing (see individual services privacy notice for more information).

Automated Decision Making:

The personal data provided by you will not be used for any automated decisions.

Data Subject Rights:

From 25 May 2018 you will have some specific rights in respect of your personal data. These may include some or all of the following rights to:

  • see what personal data about you MVDC holds at any time (subject to certain caveats); For example, we cannot let you see any parts of your record which contain: confidential information about other people; or Information a professional thinks will cause serious harm to you your or someone else’s physical or mental wellbeing; or If we think that giving you the information may stop us from preventing or detecting a crime.
  • have MVDC correct any errors (if any) in the personal data it holds about you
  • request your personal data is erased (though this right will not apply where MVDC is processing your personal data because it is necessary to comply with a legal obligation).
  • request processing of your personal data is restricted (this will only apply in certain situations, for example where its accuracy is contested, where the processing is unlawful and you oppose its proposed erasure by MVDC, or where MVDC no longer needs to process the personal data but it is required by you in connection with legal claims).
  • following any changes to your personal data made as a result of (i) rectification, (ii) erasure, or (iii) restriction, MVDC will inform any third party recipients of the changes made, unless this is impossible or would involve disproportionate effort.
  • object to the processing where the processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the data controller (though MVDC will still be able to continue with the processing in certain circumstances, such as if there are compelling grounds for the processing which override your interests).
  • the Right to data portability which provides you with the right to receive personal data (which you have previously provided to MVDC) in a commonly used and readable format.

Will the personal data be processed for a different purpose?

No. If MVDC needs to inform recipients about any action it has taken under the Data Protection Act then it will do so by placing a Notice on MVDC’s website informing the public of any relevant changes
If you are dissatisfied with how your personal data is processed by MVDC then you have the right to complain to the Information Commissioner who can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF.

Google Analytics:

MVDC uses Google Analytics software to collect information about how you use MVDC does this to help make sure the site is meeting the needs of its users and to help us make improvements.

The cookies MVDC uses for this purpose are:

Universal Analytics:

Name    Purpose    Expires
_ga    This helps us count how many people visit by tracking if you’ve visited before    2 years
_gid    This helps us count how many people visit by tracking if you’ve visited before    24 hours
_gat    Used to manage the rate at which page view requests are made    10 minutes
Google Analytics
Name    Purpose    Expires
_utma    Like _ga, this lets us know if you’ve visited before, so we can count how many of our visitors are new to GOV.UK or to a certain page    2 years
_utmb    This works with _utmc to calculate the average length of time you spend on GOV.UK    30 minutes
_utmc    This works with _utmb to calculate when you close your browser    When you close your browser
_utmz    This tells us how you reached GOV.UK (for example from another website or a search engine)    6 months

How do I prevent being tracked by Google Analytics?

If you are uncomfortable with this tracking, you can take the following actions:

  • Use a tracking-blocker, such as Privacy Badger
  • Clear cookies after every browsing session

Install the Google Analytics opt-out extension.