Organisations participating in data matching exercises must inform individuals that their data will be processed by providing a written notice, known as a fair processing or privacy notice, which contains the information required by data protection legislation.
Guidance is available from the Information Commissioner’s website.
The privacy notice should contain information required by data protection legislation such as:
- the identity of the data controller
- the purpose or purposes for which the data may be processed
- the legal basis which the controller is relying on for processing
- the categories of personal data collected
- the recipient or category of recipients of personal data
- details of retention period or criteria on retention
- the source of the personal data
- the right to lodge a complaint with the Information Commissioner
- any further information that is necessary to enable the processing to be fair.
The Auditor General undertakes data matching exercises, such as the National Fraud Initiative, to help prevent and detect fraud. These exercises may involve matching personal data.
The processing of data by the Auditor General in a data matching exercise is carried out with statutory authority. Therefore, the Data Protection legislation does not require the Auditor General to obtain the consent of individuals to process their personal data.
More detail on the statutory framework within which the Auditor General conducts his data-matching exercises can be found in the Code of Data Matching Practice of the Auditor General for Wales.