We administer a fraud prevention and detection service so as to ensure the prevention of fraud and corrupt acts within and external to our organisation and to ensure that any instances of these are investigated and dealt with effectively. As part of our Anti-fraud and Corruption Strategy, we conduct a programme of pro-active counter fraud reviews into transactions and records held across our different business areas. These reviews are designed specifically to identify unusual, erroneous or potentially fraudulent transactions.

We are required by law to protect the public funds we administer. We participate in the National Fraud Initiative administered by the Cabinet Office.

Processing activity - we use personal information across all our services to help to prevent and detect crime and fraud and to protect the public funds that we manage. It is necessary for us to collect and hold personal information about you. In general terms, we process personal information relating to:

  • counter fraud reviews into transactions and records
  • data matching
  • whistleblowing investigations
  • general correspondence between you and us on matters related to any investigations
  • investigating and if applicable, prosecuting for fraudulent activity

Information requirements - our processing activities may include:

  • full name
  • address including postcode
  • date of birth
  • telephone number
  • email address
  • forwarding address(es)
  • local authority(s) details (where you have been identified as living)
  • health information
  • employer details
  • income details
  • expenditure details
  • financial details
  • Power of Attorney details
  • additional occupants’ details
  • liability order(s)

Lawful bases1- our lawful bases for processing your personal information are:

UK GDPR: Article 6(1)(c) – our legal obligations under:

  • Local Government Finance Act 1988
  • Non-Domestic Rating (Collection and Enforcement)(Local Lists) Regulations 1989
  • Local Government Finance Act 1992 (as amended)
  • Social Security Administration Act 1992
  • Non-Domestic Rating (Small Business Rate Relief)(England) Order 2004
  • Fraud Act 2006
  • Serious Crime Act 2007
  • Local Government Finance Act 2012 (the administration of council tax)
  • Non-Domestic Rating (Small Business Rate Relief)(England) Order 2012
  • Local Audit and Accountability Act 2014 (Part 6)

UK GDPR Article 6(1)(e) and DPA 2018, section 8(c) -where needed for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (under the above legislation)

UK GDPR Article 9(2)(g) and DPA 2018, Schedule 1, paras.6(1) & (2)(a) and 20 - special category personal data - where processing is necessary for the reasons of substantial public interest (under the above legislation)             

UK GDPR Article 10 as supplemented by DPA 2018 section 10(5) & Schedule 1, Part 2, paras. 6(1) and (2)(a), paras.10, 12, 14 and Part 3, para. 33 - criminal convictions and offences - where processing is necessary for reasons of substantial public interest (under the above legislation),

namely to:          

  •  prevent or detect unlawful acts
  •  comply with regulatory requirements relating to unlawful acts and dishonesty etc.
  •  prevent fraud.

We have a Data Protection Policy that sets out how this information will be handled.

Joint Data Controller - the administration, billing and collection of council tax is undertaken by us jointly with Sevenoaks District Council under a collaborative partnership arrangement. We decide together all the purposes for using the personal information that we share and we decide together the broad ways in which that personal information will be used.On occasion, in accordance with section 6(2) of the Data Protection Act 2018, we may be prevented from sharing and/or delegating the exercise of our functions, thereby requiring us to exercise our functions as a sole data controller.

Data processor -aAs a local authority, we are required by law to protect the public funds we administer and must ensure we are active in looking for and identifying fraud and embedding a counter fraud culture at the heart of our organisation. We have a Data Processing Agreement with Destin Solutions Ltd to cross check business rates relief on non-domestic properties (excluding empty rate relief) against English local authorities’ similar data sets. Destin is our data processor and only processes personal information in line with our instructions.

Data sharing - we may share and receive information from:

  • our department(s) including Electoral Registration
  • local authorities
  • other local authorities
  • Department for Work and Pensions
  • Kent Intelligence Network
  • employers
  • HMRC
  • Government agencies
  • Courts/tribunals
  • Cabinet Office (as part of the National Fraud Initiative)
  • National Audit Office
  • Police
  • National Anti-Fraud Network (Tameside MBC)
  • credit reference agencies
  • health and social care organisations

HMRC: Where we detect suspicious behaviours of fraud and/or crime across our functions, we have may receive from and share information with HMRC (Customer Compliance Group – RIS Intelligence, Volume Intelligence, Intelligence Exchange).

We may also rely on a number of exemptions, which allow us to share information without needing to comply with all the rights and obligations under the Data Protection Act 2018. Please refer to the Kent and Medway Information Agreement for further details on our sharing arrangements.

Retention period - we keep your personal information for the minimum period necessary. The information outlined in this Privacy Notice will be kept as follows, unless exceptional circumstances require longer retention e.g a pending court case:

  • prosecution files - 7 years from date of closure;
  • sanction files (formal cautions/penalties) - 5 years from date of closure;
  • non fraud cases - 6 months from date of closure

All information will be held securely and disposed of confidentially.

Anonymisation - your personal information may be converted ('anonymised') into statistical or aggregated data in such a way that ensures that you cannot be identified from it. Aggregated data cannot, by definition, be linked back to you as an individual and may be used to conduct research and analysis, including the preparation of statistics for use in our reports.

Right to object - where processing your personal information is required for the performance of a public interest task (see our lawful bases above), you have the right to object on ‘grounds relating to your particular situation’. We will have to demonstrate why it is appropriate for us to continue to use your personal data.

Changes to this Privacy Notice - we review this Privacy Notice regularly and will place updates on our website.

Please refer to our Corporate Privacy Notice for further details of how we process your personal information and for details on your additional rights.

-------------------------------------

1 Note that we may process your personal information on more than one lawful basis depending on the specific purpose for which we are using your information

GDPR Fraud Prevention and Detection (Joint Service with SDC) Privacy Notice