Fair processing notices
Fair processing notice compliance return (NFI Form 3)

Each body should inform data subjects that their data will be submitted to the Auditor General for Wales (the Auditor General) for NFI purposes in accordance with the Code of Data Matching Practice of the Auditor General for Wales.

The Auditor General has drafted a Code of Data Matching Practice to govern his data matching exercises, and is currently consulting on the Code before finalising and laying it before the National Assembly for Wales.

Key contacts are required to confirm that the NFI fair processing notices have been provided by completing and returning the Fair Processing Compliance Return (WAO FORM 3).

Fair processing notices

Bodies participating in the Auditor General's data matching exercises should inform individuals that their data will be processed, as required by the Data Protection Act 1998. For data processing to be fair, the first data protection principle requires data controllers to inform individuals whose data is to be processed of:

  1. the identity of the data controller;
  2. the purpose or purposes for which the data may be processed; and
  3. any further information which is necessary to enable the processing to be fair.

Exemptions

However, when certain exemptions within the Data Protection Act 1998 apply, data controllers are not required to provide fair processing information. For example, where personal information must be made available to the public because of a statutory requirement, there is no need to provide fair processing information (the section 34 exemption).

The notice

The notice should clearly explain to individuals that their data may be disclosed for the purpose of preventing and detecting fraud. The notice should state that the data will be provided to the Commission for this purpose. The notice should also contain details of how individuals can find out more information about the processing in question.

Communication with individuals whose data is to be matched should be clear, prominent and timely. Where further data sets are required that individuals were not informed about in the original notices, new notices should be issued outlining the additional information needed. Where a data controller is not required to provide a notice, e.g. because of the section 34 exemption, it is good practice for new notices to be issued anyway.

Participating bodies should submit a declaration confirming compliance with the fair processing notification requirements (NFI Form 3 – Fair processing compliance return – see above).

Layered notices

The Information Commissioner recommends a layered approach to fair processing notices. Usually there are three layers in a layered fair processing notice: summary notice, condensed text and full text. Taken together, the three layers comprise the fair processing notice.

As the Code has not yet been finalised, the guidance provided below is for information at this stage as it may be subject to change.

Summary Notice (level 1)
The summary notice should provide the minimum necessary content and should be provided to the individuals whose data is to be matched. Where practicable it should point to where more detailed information can be found, for example, by providing web-links to the second and third layers, or contact details for a named person such as the Key Contact or Data Protection Officer. Participating bodies should make clear where individuals can obtain further information about how, why and by whom their data is being processed.

Where an application form is used to collect the data, the summary notice should usually be included on this form. In other cases, where participating bodies usually communicate with the data subject formally at least once a year, for example by newsletter, the summary notices should be included in these communications. Participating bodies should send these communications to named individuals in advance of each data matching exercise where practicable. This will avoid the cost of a separate mailing.

Participating bodies should notify their employees both at the time of the original application for their post and before each exercise, for example, by including a summary notice in their payslip.

Condensed Text (level 2)

The condensed text should give a summary of the Auditor General’s data matching exercises, and should be available on the participating organisation’s website as well as in hard copy on request. This layer should provide a link to the more detailed full text.

Full Text (level 3)

The full text is available here and it includes an explanation of the legal basis for its data matching exercises and a more detailed description of how the initiative works.

While participating bodies should decide the content and means of issue of fair processing notices for themselves, good practice examples of a three-layered approach for public bodies are included at Appendix 1. Such notices will have the effect of deterring fraud as well as informing applicants about the use of data in data matching.

Example Notices

Benefits of the layered approach

The benefits of using a layered approach are to give appropriate levels of fair processing information to different audiences, depending on their information needs. Individuals who wish to have a relatively short explanation can access this in a summary notice, while information that is more comprehensive is available for others.