Privacy Notice - Internal Audit

What this privacy notice is for

Our core data protection obligations and commitments are set out in the council’s primary privacy notice at:

Updating our privacy notices

We may update or revise our privacy notices at any time so please refer to the version published on our website for the most up to date details

What we use your information for

We collect or obtain your personal information to review the internal control processes and provide an internal audit opinion on:

  • Accounts Payable; the systems used by the council to pay money out,
  • Accounts Receivable; the systems used by the council to receive money in,
  • Adults’ services; the systems used by the council to support adults across Oldham,
  • Cash income to the council; for services that collect cash directly from the public such as parking, life-long learning, cemeteries and crematoria,
  • Council Tax,
  • Council Tax Reduction,
  • Non-Domestic Rates (also known as Business Rates),
  • Housing Benefit,
  • Housing Rents,
  • Schools and council employees’

We may share your information with other departments within the Council, if there is a legal basis to do so for the purposes of delivering other Council activities. Where this happens, data sharing agreements are in place to control the use of this data.

What categories of personal information we use

Personal information can be anything that identifies and relates to a living person. This can include information that when linked with other information, allows a person to be uniquely identified. For example, this could be your name and contact details.

The law treats some types of personal information as ‘special’ because the information requires more protection due to its sensitivity. This information consists of:

  • Racial or ethnic origin
  • Sexuality and sexual life
  • Religious or philosophical beliefs
  • Trade union membership
  • Political opinions
  • Genetic and bio-metric data
  • Physical or mental health
  • Criminal convictions and offences

In order to carry out these purposes we collect and obtain the following personal information.

Category of personal data

Special/Sensitive

Name

 

Address

 

Telephone Number(s)

 

Email address

 

Employer Details

 

Income Details

 

Bank Details

 

Household Composition

 

Income and Expenditure

 

Date of Birth

 

National Insurance Number

 

Nationality

 

Health (Physical/Mental)

Yes

Criminal convictions and offences

Yes

We will use information about your physical or mental health, or disability status to review controls around council services such as council tax discounts and exemptions, adult services provision or to audit grants for property adaptations and other spend related to these health conditions.

We will use information about any criminal convictions and offences to review controls around pre-employment checks including Disclosure and Barring Service (DBS) checks.

Legal basis for processing

Oldham council has a statutory requirement to maintain an Internal Audit function.

The Accounts and Audit Regulations (2015) requires every local authority in England to maintain an effective internal audit service to evaluate the effectiveness of its risk management, control and governance processes taking into account public sector internal auditing standards or guidance.

The Council's Director of Finance has a statutory duty under Section 151 of the Local Government Act 1972 to establish a clear framework for the proper administration of the authority's financial affairs. To perform that duty the Section 151 Officer relies, amongst other things, upon the work of Internal Audit in reviewing the operation of systems of internal control and financial management.

The legal basis for processing and or sharing your personal information is article 6(1) (c) and 6(1) (e) of the General Data Protection Regulations.

The legal basis for our audit work is:

Service Area

Legislation

Internal audit

  • Local Government Act 1972
  • Accounts and Audit (England) Regulations 2015

All of the data used to complete internal audits is collected from council departments and partner agencies who set out their legal basis for the collection, processing and sharing of the primary data is their Privacy Notices.

Information sharing/recipients

We may share personal information about you with the following organizations:

  • The councils’ external audit provider (Currently Mazars LLP): To provide evidence for them to review our audit working papers and to ensure that we have adequately supported internal control opinions.
  • Externally appointed Internal Audit review body (Currently CIPFA): To provide supporting evidence for their external review of the internal audit service against the Public Sector Internal Audit Standards (2017).
  • The Unity Partnership Ltd: A company which administers services on behalf of Oldham
  • Local Government Ombudsmen: We may share information when requested as part of any ongoing complaint
  • HMRC: If required to do so to comply with any on-going investigations
  • Cabinet Office: We participate in the Cabinet Office’s National Fraud Initiative, a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise. This data may then be passed on to other public bodies to investigate any
  • EU Grant Auditors: In order to comply with any on-going European Union Grant Audits
  • Department of Work and Pensions: In order to comply with any on-going DWP investigations

We may share your information with other departments within the Council, if there is a legal basis to do so. Where this happens, data sharing agreements are in place to control the use of this data. These services currently include:

  • Counter Fraud team: To provide information to support fraud
  • The Audit Committee: To enable Those Charged with Governance to review the data that has supported our audit conclusions and to assess the likely impact of any control deficiencies identified on the council’s risk management

We may be asked to provide access to personal information by relevant authorities with regulatory powers such as the police, government departments and other local authorities for the purposes of the prevention or detection of crime and/or the apprehension or prosecution of offenders without the permission of the data subject. The Council will consider such requests on a case by case basis.

As a service we do not collect data from the public directly but have access to the systems used across the council to ensure that the highest standards of controls are in place to protect the public purse. Therefore whilst we draw conclusions from personal data the data used to

draw those conclusions is not shared beyond the internal service that shared it with us initially unless otherwise stated above.

As well as information collected directly from you by the council departments that we audit, we may also obtain or receive information from:

  • Landlords: To support the audits of the Housing Benefits, Council Tax and Council Tax Reduction internal
  • Department of Work and Pensions: To support the audits of the Housing Benefits, Council Tax and Council Tax Reduction internal
  • Valuation Office Agency: To support the audits of the Housing Benefits, Council Tax and Council Tax Reduction internal
  • Credit Reference Agencies: To support the audits of the Housing Benefits, Council Tax and Council Tax Reduction internal
  • Other Council Services: To review that their systems of internal controls are operating effectively and provide an internal audit opinion to those charged with
  • MioCare Group Community Interests Company: To review that their systems of internal controls are operating effectively and provide an internal audit opinion to those charged with
  • Schools operated and maintained by Oldham council: To review that their systems of internal controls are operating effectively and provide an internal audit opinion to those charged with
  • External bodies who have their payrolls processed by the Unity Partnership Ltd: To review that their systems of internal controls are operating effectively and provide an internal audit opinion to those charged with

Data Transfers beyond European Economic Area

We do not transfer any of your personal information outside the European Economic Area (‘EEA’).

Automated Decisions

All the decisions we make through the processing of your personal data involve human intervention.

Our Guide to Exercising Your Rights outlines the procedure to ask us for an automated decision to be reviewed by an appropriate officer. This can be found at

How long we keep your data

We will only keep your information for as long as it is required by us or other regulatory bodies in order to comply with legal and regulatory requirements or for other operational reasons. In most cases this will be a minimum of six years.

Where can I get advice

More information on how to seek advice in order to exercise your rights, raise a concern or complain about the handling of your personal information by the council can be found in the council’s privacy notice which can be found at: