Organisations participating in data matching exercises must notify individuals that their data will be processed and the purpose(s) for which it will be processed.
The Information Commissioner recommends a layered approach to fair processing notices.
Usually there are three layers:
- Level 1 summary notice provides the minimum necessary content and should be provided by participating bodies to the individuals whose data are to be matched. It sets out where more detailed information can be found.
- Level 2 condensed text provides a summary of the Auditor General’s data matching exercises, and should be available on the participating body’s website and in hard copy on request. The notice will provide a link to the more detailed full text.
- Level 3 full text for the National Fraud Initiative includes an explanation of the legal basis for the data matching exercise and a more detailed description of how the initiative works.
The Auditor General undertakes data matching exercises, like the National Fraud Initiative, to help prevent and detect fraud. These exercises may involve matching personal data.
The processing of data by the Auditor General in a data matching exercise is carried out with statutory authority. Therefore, the Data Protection Act 1998 does not require the Auditor General to obtain the consent of individuals to process their personal data.
More detail on the statutory framework within which the Auditor General conducts his data-matching exercises can be found in the Code of Data Matching Practice of the Auditor General for Wales.