Lawful basis
The ‘lawful basis’ for the use of personal data by external audit (currently Ernst & Young LLP) and internal audit (currently a Council-employed on-site team) is contained in the following:-
- Local Audit & Accountability Act 2014 (LAAA)
- Accounts & Audit Regulations 2015 (Regulations)
In respect of the local auditor (i.e. the council’s appointed external auditor), LAAA s22 includes requirements that:-
- A local auditor has a right of access at any reasonable time to every document … the auditor thinks is necessary for the purpose of the auditor’s functions under this Act
- A relevant authority … must provide a local auditor with the facilities and information that the auditor reasonably requires for the purposes of the auditor’s functions under this Act.
Information shared with / accessed by external audit will therefore cover a number of areas and will include personal data, where relevant. The Council is a mandatory participant in the National Fraud Initiative (NFI), which is currently undertaken by the Cabinet Office. The legal requirement for this is covered in LAAA s33 / Schedule 9. Specifications for the data required are provided annually and will include personal data. (Depending upon the area being covered, this data will include some or all of name, address, telephone number, email address, NI Number and date of birth.) The main NFI exercise takes place every 2 years, but Council Tax and Electoral Roll data must be supplied on an annual basis. Further details, including the Privacy Notice provided by the Cabinet Office, may be found on the Fraud pages of the Council’s website.
In respect of internal audit, LAAA s32 refers to the Accounts & Audit Regulations. Regulation 5 of these states:-
- A relevant authority must undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance.
- Any officer or member of a relevant authority must, if required to do so for the purposes of the internal audit -
  - a) make available such documents and records; and
  - b) supply such information and explanations;
  as are considered necessary by those conducting the internal audit.
- In this regulation "documents and records" includes information recorded in an electronic form.
In order to properly fulfil this role, the Council’s Constitution grants Internal Audit “unrestricted coverage of the Authority’s activities and unrestricted access to all records, assets, personnel and premises deemed necessary”. Internal Audit staff have day-to-day access to key Council systems, approved by the system owner, where there is a demonstrable need; access to other systems / data may be requested as and when required.
Data (including personal data) provided for use by internal audit, external audit and the NFI will be subject to the provisions of the General Data Protection Regulation (formerly the Data Protection Act) and relevant Council policies e.g. in respect of security, retention, etc. Audit will not directly collect or process data – should audit testing identify issues with systems or data, this will be referred to the appropriate system owner for review and rectification.
It should be noted that, as audit use of data is necessary to meet statutory requirements, there is no ‘opt out’ option present for either the Council or the data subject.