Staff Privacy Notice
Background
As an employer, Mersey and West Lancashire Teaching Hospitals NHS Trust (MWL) (hereafter referred to as the Trust) must meet its contractual, statutory and administrative obligations. This ‘Privacy Notice’ explains in detail the types of personal data that the Trust processes about you.
The Trust is a Data Controller. A Data Controller determines how the data will be processed and used within its organisation, and with whom it may share the data.
The Trust is registered as a ‘Data Controller’ with the Information Commissioner’s Office (ICO) and we are committed to ensuring that the personal data we process is handled in accordance with data protection legislation. Our ICO registration number is ZB567937. We are legally responsible for ensuring that all personal data that we hold and use is handled in a way that meets the data protection principles under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This notice also explains how we handle personal data and keep it safe and secure.
The Trust employs specific roles to provide leadership and direction to ensure accountability and transparency to support compliance with Data Protection law.
These roles include:
Caldicott Guardian
The Trust is required to have a Caldicott Guardian. The Caldicott Guardian is a senior health professional appointed to ensure that data about those who use the Trust’s services is handled in a confidential manner and to enable appropriate data / information sharing. The Caldicott principles are incorporated into the NHS Code of Practice.
Our Caldicott Guardian is Mr Alex Benson - caldicott.guardian@merseywestlancs.nhs.uk
Senior Information Risk Owner (SIRO)
The SIRO is an Executive Director in the Trust with overall responsibility for managing organisational information risk, security of information and putting strategies in place to control the identified risks.
Our SIRO is Malcolm Gandy - siro@merseywestlancs.nhs.uk
Data Protection Officer (DPO)
Under the UK General Data Protection Regulation (UK GDPR), all large public authority organisations such as MWL are legally required to employ a Data Protection Officer. This person is an expert in data protection and can therefore inform and advise the Trust and its staff about their obligations to comply with the UK GDPR and other Data Protection laws. Where there are data protection concerns the DPO will act as a contact point for you and will also act as the main contact for communication with the Information Commissioner’s Office.
Our Trust Data Protection Officer (DPO) is Camilla Bhondoo.
The DPO can be contacted via the following means:
Address: Jubilee Court, Academy Site, Waterside, St Helens, WA9 1TT
Email: IG@midmerseyda.nhs.uk
We will continually review and update this privacy notice to reflect changes in our services and to comply with changes in the law. When such changes occur, we will revise the last updated date as documented in the version status in the footer of this document.
Introduction
The Trust as your employer collects personal data about you using the following legal basis:
- Article 6 1(b) – Processing is necessary for the performance of staff contracts
- Article 6 1(c) – Processing is necessary for compliance with a legal obligation
- Article 6 1(f) - Processing is necessary for the purposes of legitimate interests pursued by the Trust
Further specific details are provided in the ‘Data Processing Activities’ section below.
In general, the types of processing we undertake using personal data are:
- Recruitment and employment checks (for example, professional membership, references, proof of identification, right to work in the UK and Occupational Health clearances, etc.)
- Staff Administration (bank account and salary / wages, as well as pension, tax and national insurance details)
- Education, training and development
- Publishing of senior level staff names in ‘Annual Reports’ and / or in response to Freedom of Information requests – the Trust has a legitimate interest to publish this information
- Personal demographics, including gender, race, ethnic origin, sexual orientation, religious or other beliefs, and whether you have a disability or require any additional support or adjustments for your employment
- Medical information relevant to your employment, including physical health, mental health, evidence of relevant vaccinations where a legal duty applies and absence history
- Information relating to your health and safety at work, and any incidents or accidents
- In order to comply with health and safety legislation we may undertake risk assessments
- Professional registration and qualifications, education and training history
- Information relating to employee relations (i.e. disciplinary proceedings, grievances and complaints, tribunal claims, etc)
- Criminal prosecution and prevention
- National fraud initiatives
- Conflict of Interest Forms
- Quality monitoring such as staff surveys
- Access to systems (network / email) and IT services
- In order to complete mandatory / legally required registers e.g. the Conflict-of-Interest Register
If we need consent to process your data under Article 6 (1)(a) of the UK GDPR we will contact you about this, and the reasons will be explained to you clearly and in plain language. For more detail please see the “Purposes where consent is required” section.
Please regularly check this privacy notice as it is constantly updated to ensure we inform you of all types of processing of your personal data.
Data Sources
Your information could be collected in a number of different ways. This could be directly from you - in person, over the telephone or on a form you have completed, such as a job application, contractual documentation, timesheet or spreadsheet.
Data also comes from external sources such as NHS Jobs, your professional body, current or previous employers or referees, the Disclosure and Barring Service, or government bodies such as HM Revenue and Customs, the Department for Work and Pensions, or UK Visas and Immigration. Further details about our processing activities are provided below.
Definition Of Data Types
The following are key words that are used to describe what data the Trust may use and other key Data Protection terminology that you will notice throughout this privacy notice.
Processing
This means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Controller
A Data Controller determines the purposes and means of processing personal data. The Trust is a Data Controller: we decide what to do with your data.
Data Processor
A Data Processor acts on the instructions of a Data Controller and processes data on behalf of the controller. There may be instances where the Trust uses a Data Processor to process your personal data. If we do, the Data Processors we use must provide us with assurance that they will keep your data safe and demonstrate how. Just like Data Controllers, they must also adhere to Data Protection legislation when processing any kind of personal data.
Personal Data
This is data containing details that identify an individual, whether from one data item or from a combination of data items. Demographic data items that are considered identifiable include name, address, NHS Number, full postcode and date of birth. Under UK GDPR, this now also includes location data and online identifiers.
Special Category Data
This is personal data that requires more protection due to the sensitive information it contains. The UK GDPR defines this as personal data revealing race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; it also covers genetic or biometric data (where used for identification purposes), data concerning a person’s sexual life or sexual orientation, and data relating to health. It does not include personal data about criminal allegations, proceedings or convictions, as separate rules apply.
Personal Confidential Data
This term came from the Caldicott review undertaken in 2013 and describes personal information about identified or identifiable individuals which should be kept private or secret. It includes personal data and special categories of data, but is adapted to include deceased as well as living people, and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’.
Pseudonymised Data or Coded Data
This is also sometimes known as reversible anonymisation. Patient identifiers such as name, address and date of birth are substituted with a pseudonym, code or other unique reference, so that the data is only identifiable to those who hold the code or reference. To be truly regarded as pseudonymised data, the organisation holding it must not hold the key that would allow the anonymisation to be reversed.
Anonymised Data
This is data about individuals but with all identifying details removed. Data can be considered anonymised when it does not allow identification of the individuals to whom it relates, and it is not possible that any individual could be identified from the data by any further processing of that data or by processing it together with other information which is available or likely to be available.
Aggregated Data
This is statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data.
Our Data Processing Activities
The law on data protection under the UK GDPR sets out a number of different reasons for which personal data can be processed. The law states that we have to inform you of the legal basis for processing personal data and, if we process special category data such as your occupational health data, of the condition for processing it. The Trust also uses the services of data processors to process staff data, as detailed below. The organisations we work with are bound by contractual agreements which set out that your information is processed under strict conditions and in accordance with the law.
Recruitment and employment checks
| Data Processor | Mersey and West Lancashire Teaching Hospitals NHS Trust (MWL) / NHS Jobs / Trac Systems Limited / Verifile Limited |
| Type of data | Personal Data – Demographics / Bank Details |
| Source of Data | Staff |
| Legal basis for processing Personal Data under UK GDPR | Article 6 (1)(b) - Processing is necessary for the performance of staff contracts. Article 9 (2)(b) – Processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law. In addition, we rely on processing conditions at Schedule 1 part 1 paragraph 1 and Schedule 1 part 1 paragraph 2(2)(a) and (b) of the Data Protection Act 2018. These relate to the processing of special category data for employment purposes, preventative or occupational medicine and the assessment of your working capacity as an employee. |
Recruitment and employment checks are carried out by the Trust. Personal data collected by the Trust during the recruitment process is downloaded from a recruitment management system called ‘Trac Systems Ltd’ and retained for successful applicants only.
The TRAC System is an automated recruitment system which enables better communication with recruiting managers. Managers recruiting staff into post are able to log on and view the status of their vacancy and the progress of the pre-employment checks, including ID checks, Right to Work, convictions, professional registration, Occupational Health and references.
Whilst TRAC is a separate advertising stream from NHS Jobs, jobs will still be posted on NHS Jobs (as a signpost only) and candidates who wish to apply for a vacancy will be redirected to the Trac portal. Privacy notices provided by Trac are displayed to all people who apply directly through the Trac Recruitment System.
Information downloaded from the system by the Trust is emailed to the Human Resources Team to which you have been appointed and forms the basis of your employee personal file. The NHS Jobs website supplied by Trac Systems Ltd has updated its privacy notice.
The Trust is also engaging the services of Verifile Limited to carry out virtual ID checks and, where it is necessary for the role, DBS checks. The Trust will share only your name and email address with Verifile. Candidates are notified via a privacy notice that is accepted by the candidate when the application is submitted on TRAC. The candidate will be asked to share further information directly with Verifile.
Workforce Management
| Data Processor | ESR (Electronic Staff Record) System |
| Type of data | Personal Data – Demographics |
| Source of Data | Staff |
| Legal basis for processing Personal Data under UK GDPR | Article 6 (1)(f) - Processing is necessary for the purposes of legitimate interests pursued by the Trust. Article 9 (2)(b) – Processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law. In addition, we rely on processing conditions at Schedule 1 part 1 paragraph 1 and Schedule 1 part 1 paragraph 2(2)(a) and (b) of the Data Protection Act 2018. These relate to the processing of special category data for employment purposes, preventative or occupational medicine and the assessment of your working capacity as an employee. |
The NHS ESR system provides the Trust with a range of tools that facilitate effective workforce management and planning, thereby enabling improved quality, efficiency and patient safety.
For more detail about the NHS ESR system see: https://www.electronicstaffrecord.nhs.uk/home/
Payroll / Pension
| Data Processor | Mersey and West Lancashire Teaching Hospitals NHS Trust (MWL) |
| Type of data | Personal Data – Demographics / Bank Details |
| Source of Data | Staff |
| Legal basis for processing Personal Data under UK GDPR | Article 6 (1)(b) - Processing is necessary for the performance of staff contracts. Article 9 (2)(b) – Processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment…social protection law in so far as it is authorised by Union or Member State law. |
E- Learning
| Data Processor | Health Education England (e-Learning for Health) |
| Type of data | Personal Data – Demographics |
| Source of Data | Staff |
| Legal basis for processing Personal Data under UK GDPR | Article 6 (1)(f) - Processing is necessary for the purposes of legitimate interests pursued by the Trust. |
The training system used by the Trust is the national e-learning system for healthcare: https://www.e-lfh.org.uk/
IT Administration (network / email / system account administration)
| Data Processor | Mersey and West Lancashire Teaching Hospitals NHS Trust (MWL) – IT Department |
| Type of data | Personal Data – Demographics |
| Source of Data | Staff |
| Legal basis for processing Personal Data under UK GDPR | Article 6 (1)(f) – Processing is necessary for the purposes of the legitimate interests pursued by the controller. |
The IT Department processes your demographic details in order to set you up on the network and systems. This is also required to set you up with a Trust account and, for users who require one, an email account.
As administrators of the network, the IT Department may have access to files and folders where personal data and / or special category data are stored, in order to resolve any IT issues regarding those files / folders. All staff sign ‘Confidentiality’ agreements and receive adequate IG training to ensure they keep this information safe and secure.
MIAA – Local Counter Fraud Services
| Data Processor | MIAA - Local Counter Fraud Services |
| Type of data | Personal Data – Demographics |
| Source of Data | Staff |
| Legal basis for processing Personal Data under UK GDPR | Article 6 (1)(c) – Processing is necessary for compliance with a legal obligation |
MIAA work in partnership with the Trust to instigate an organisation-wide culture of fraud prevention and fraud risk management. They assess the organisation’s specific fraud risks and will investigate any alleged instances thoroughly. Where there are any suspicions of fraud, your personal data may be shared.
To view their ‘Privacy Policy’ see: https://www.miaa.nhs.uk/privacy-policy-miaa/
Purposes where consent is required
There are also other areas of processing where consent is required for us, or you, to continue with a data processing activity. Under UK GDPR, consent must be freely given, specific and informed, and a record must be made that you have given your consent, confirming that you have understood.
Employee Assistance Programme / Health and Wellbeing Support
| Data Processor | Vita Health Group, Mersey and West Lancashire Teaching Hospitals NHS Trust (MWL) – Absence Support Team |
| Type of data | Personal Data – Demographics; Special Category Data – Health Data |
| Source of Data | Staff |
| Legal basis for processing Personal Data under UK GDPR | Article 6 (1)(a) - Individual has given consent to the processing of personal data. Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems. |
Vita Health Group specialise in the provision of the Employee Assistance Programme (EAP) and are a data processor for the Trust. To view their ‘Privacy Policy’ see:
https://www.vitahealthgroup.co.uk/data-protection-policy/
Occupational Health
| Data Processor | Mersey and West Lancashire Teaching Hospitals NHS Trust (MWL) and Physio Med (for physiotherapy assistance) |
| Type of data | Personal Data – Demographics; Special Category Data – Health Data |
| Source of Data | Staff |
| Legal basis for processing Personal Data under UK GDPR | Article 6 (1)(a) - Individual has given consent to the processing of personal data. Article 9(2)(h) - Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems. |
Physio Med specialise in the provision of physiotherapy services and are a data processor for the Trust. To view their ‘Privacy Policy’ see:
https://www.physiomed.co.uk/pages/our-privacy-policy
UK GDPR Article 15 - Right of Access Requests
| Type of data | Personal Data – Demographics; Special Category Data – Health Data |
| Source of Data | Staff |
| Legal basis for processing Personal Data under UK GDPR | Article 6 (1)(a) – Consent (for personal data). Article 9(2)(a) - Explicit Consent (for special category data) |
If you have requested to view, or be provided with a copy of, the personal data we hold about you, your request for access will provide this consent. It will not be necessary to ask for identity checks if you are a current member of staff.
Childcare Vouchers
| Data Processor | Childcarechoices.gov.uk |
| Type of data | Personal Data – Demographics |
| Source of Data | Staff |
| Legal basis for processing Personal Data under UK GDPR | Article 6 (1)(a) – Consent |
The childcare voucher scheme is a service offered to you to support childcare costs. You need to access the website directly and provide your details online to the supplier. Please note that by doing so you accept the risk of using this website and submitting your details online.
The NHS National Staff Survey
| Data Processor | Quality Health |
| Type of data | Personal Data – Demographics |
| Source of Data | Staff |
| Legal basis for processing Personal Data under UK GDPR | Article 6 (1)(a) – Consent |
Each year NHS staff are invited to take part in the NHS National Staff Survey, which is the largest survey of staff opinion in the UK. This survey service is provided by ‘Quality Health’, who are an accredited supplier of survey services to the health sector.
Using anonymous or aggregate information
We use pseudonymised, anonymised and aggregated data in the following ways:
- To undertake anonymous staff surveys / questionnaires using Survey Monkey
- To produce staff statistics for example, number of staff in each department for Human Resource purposes
- To respond to Freedom of Information requests using anonymised information if requested to provide information about staff.
- To provide an Employee Assistance Programme run by Insight. They run an independent counselling and advice service, which is paid for by the Trust. It is available for you and any family members who are over 16, who live at your address. You do not need to disclose your personal information to use this service. You only need to provide the access code and the Trust name.
Where information is used for statistical purposes as above, secure measures are taken to ensure individuals cannot be identified where the law doesn’t allow this. Anonymous / aggregate staff information may be passed to the council as part of integrated working.
How we protect your personal data
Under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), strict principles govern our use of information and our duty to ensure it is kept safe and secure. Your information may be stored within electronic or paper records, or a combination of both. All our records are restricted so that only those individuals who have a need to know the information can get access. This might be through the use of technology or other environmental safeguards. We have an Information Governance Strategy and Framework that explains the data security governance within the Trust.
Technical assurance regarding the IT / cyber processes in place is provided through the Data Security and Protection Toolkit (DSPT), an online assessment that the Trust, like all organisations that process personal data, is required to complete every year. It looks at what data protection, IT security and cyber security measures are in place. The Trust’s IT Department regularly monitors the network for potential vulnerabilities and attacks and works to ensure that security is continually strengthened.
Where we engage the services of Data Processors / suppliers, e.g. Verifile, the Trust is required to carry out ‘due diligence’ on the organisation. This means that the organisation looking to process your data on our behalf is questioned specifically about the data protection and IT security measures it has in place to safeguard your data. This is documented via a Due Diligence Questionnaire and a Data Protection Impact Assessment, reviewed by our IT Security Team, IG Team and DPO, and final approval is provided by the Trust’s SIRO.
Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.
Under the NHS and Trust’s Confidentiality Code of Conduct, all of our staff are required to protect information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.
Every NHS organisation has nominated staff with specific data protection responsibilities who are there to ensure your personal data is safeguarded at all times: the SIRO, Caldicott Guardian and DPO.
Staff are reminded that actions within systems / emails and internet usage can be monitored, recorded and audited.
Everyone working for the Trust has a legal, ethical and contractual duty, enforceable through disciplinary procedures, to keep information confidential. As part of Information Governance mandatory training, all staff including contractors and committee members receive appropriate training and awareness regarding data security training to ensure you are aware of your personal responsibilities. We have incident reporting and management processes in place for reporting any IG (data) breaches or incidents. We learn from such events to help prevent further issues and inform data subjects of breaches when required.
Retention and Destruction of personal data
Retention
Whenever we collect or process your data, we will only keep it for as long as is necessary for the purpose it was collected. In the NHS, all commissioners and providers apply retention schedules in accordance with the NHS England’s Records Management Code of Practice 2021. This code is based on current legal requirements and professional best practice and sets the required standard of practice in the management of records for those who work within or contract to NHS organisations in England.
For example, upon receipt of your recruitment information, information about your employment will be collated within your employee personal file for the duration of your employment, and for six years thereafter, or until your 75th birthday, whichever is sooner. Upon destruction of your file, a summary record is retained until your 75th birthday, unless your file is destroyed on your 75th birthday, when no further record will be retained. This is documented in NHS England’s Records Management Code of Practice 2021.
Destruction
Destruction of data will only happen following a review of the information at the end of its retention period. Where data has been identified for disposal we:
- Ensure that information held in manual form (regardless of whether original or printed from IT systems) is destroyed using a confidential waste disposal process. The Trust uses VINCI Facilities Management to dispose of confidential waste. The Trust’s Contract & Facilities Management team manages and monitors the services provided by VINCI Facilities Management and ensures that the supplier complies with UK GDPR / DPA 2018 by documenting this in a contract and / or obtaining assurance.
- Ensure that electronic storage media used to hold or process information are destroyed or overwritten to national cyber security standard. The Trust’s IG Department manage this and are required to provide evidence as part of the Data Security and Protection Toolkit.
Who do we share your data with?
To support you in your employment and to enable us to meet our legal responsibilities as an employer, sometimes we will need to share your information with others. We will not disclose any staff information without an appropriate lawful principle, unless there are exceptional circumstances such as when the health or safety of others is at risk, where the law requires it, or to carry out statutory functions i.e. reporting to external bodies to meet legal obligations.
Sometimes we are required by law to disclose or report certain information, which may include details which identify you. For example, sending statutory information to government organisations such as HM Revenue and Customs, or releasing information to the police or counter fraud. Where mandatory disclosure is necessary, only the minimum amount of information is released. There may also be occasions when the Trust is reviewed by an independent auditor, which could involve reviewing randomly selected staff information to ensure we are legally compliant.
Only organisations with a legitimate requirement will have access to your information and only under strict controls and rules.
We will not sell your information for any purpose and will not provide third parties with your information for the purpose of marketing or sales.
Where is your data processed?
Your data is processed within the Trust and by the other third parties stated above, who are UK based. The services these companies provide are under specific contractual terms which are compliant with UK data protection legislation. Your personal data is not sent outside of the UK for processing.
What are your rights over your personal data?
You have the following rights over your data we hold.
Right of access to personal data
Under the terms of the UK General Data Protection Regulation you have the right to request access to the information that we hold about you. This is known as a “Right of Access” request. We kindly request that this is provided in writing / email (please note this is not compulsory) so that we have adequate information to process your request. There is no charge (subject to exemptions) to have a copy of the information held about you and we must respond to you within one month (subject to exemptions).
If you would like a copy of your personal data from Mersey and West Lancashire Teaching Hospital NHS Trust please contact:
Access and Disclosure Team
Whiston Hospital
Mersey and West Lancashire Teaching Hospitals NHS Trust
Warrington Road
Prescot
Merseyside
L35 5DR
Telephone: 0151 430 1732
Email: Access.Disclosure@sthk.nhs.uk
Requests are handled in line with our ‘Subject Access Procedure’ and you can use the Access Request form to make your request if this is helpful. To request a copy of this form please contact the Legal Services, Access and Disclosure team at the email address above. If your request is posted please ensure it is marked private and confidential and addressed to the Legal Services, Access and Disclosure team. The team will liaise with the relevant department to ensure you receive your personal data.
Right to Rectification
If you think that there are inaccuracies in your record, you have the right to request that these be corrected or annotated. We have 1 month from receipt to deal with these requests.
Right to Erasure (‘to be forgotten’)
Where we rely on your explicit consent for any processing we do, you have the right to request that the data you consented to us processing be deleted / erased.
Right to Data Portability
Where we rely on your explicit consent for any processing we do, you have the right to have the data provided to you in a format you have requested, such as an Excel spreadsheet or a CSV file.
Right not to be subject to a decision based solely on automated processing
The Trust does not process data using this method, so this right does not apply to our data processing activities.
Right to withdraw consent
You have the right to refuse (or withdraw) consent to information sharing at any time. However, this may not be possible if the sharing is a mandatory or legal requirement imposed on the Trust. Any restrictions, and the possible consequences of withholding your consent, will be fully explained to you as the situation arises.
Right to object to processing
You have the right to object to processing. However, please note that if we can demonstrate compelling legitimate grounds which outweigh your interests, processing can continue.
Right to restriction of processing
This right enables individuals to suspend the processing of personal information, for example, if you want to establish its accuracy or the reason for processing it.
If you wish to pursue any of the above rights, please contact the Access and Disclosure Team.
Complaints / Contacting the Regulator
If you feel that your personal data we hold at the Trust has not been handled correctly or you are unhappy with our response to any requests you have made to us regarding the use of personal data, please contact our Data Protection Officer (DPO) at the following contact details.
Camilla Bhondoo
IG@midmerseyda.nhs.uk
Or the PALS team - pals@sthk.nhs.uk
If you are not happy with our responses and believe we are not processing your personal data in accordance with the law, you may wish to take your complaint to a supervisory authority; you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
You can contact them by calling 0303 123 1133
Or go online www.ico.org.uk/concerns
Or write to them at:
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Further Information / Contact Us
We hope that this privacy notice has been helpful in setting out the way we handle your personal data at the Trust and your rights to control it. If you have any queries / or would like further information, please visit the useful websites below and / or contact us at the following contact details.
Information Governance Team, or via IG@midmerseyda.nhs.uk
Links
If you would like to find out more useful information on the wider health & care social system approach to using personal information, please see the links below:
- Information Commissioner's Office (ICO)
- NHS Constitution
- NHS Digital
- NHS England Records Management Code of Practice 2021
- NHS Digital Guide to Confidentiality in Health and Social Care
Fair Processing Notice for National Fraud Initiative 2024/25
Purpose
The Cabinet Office conducts data matching exercises to assist in the prevention and detection of fraud. This is one of the ways in which the Minister for the Cabinet Office takes responsibility within government for public sector efficiency and reform.
Data matching involves comparing sets of data, such as the payroll or benefits records of a body, against other records held by the same or another body to see how far they match. The data is usually personal information. The data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or the UK GDPR.
All bodies participating in the Cabinet Office’s data matching exercises receive a report of matches that they should investigate, so as to detect instances of fraud, over- or under-payments and other errors, to take remedial action and update their records accordingly.
Legal Basis of Processing
The legal basis for processing your personal data is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
The National Fraud Initiative is conducted using the data matching powers bestowed on the Minister for the Cabinet Office by Part 6 of the Local Audit and Accountability Act 2014 (LAAA).
Under the LAAA Legislation
The Cabinet Office may carry out data matching exercises for the purpose of assisting in the prevention and detection of fraud.
The Cabinet Office may require certain bodies (as set out in the Act) to provide data for data matching exercises.
Bodies may participate in its data matching exercises on a voluntary basis where the Cabinet Office considers it appropriate. Where they do so, the Act states that there is no breach of confidentiality and generally removes other restrictions in providing the data to the Cabinet Office.
The requirements of the data protection legislation, however, continue to apply, so data cannot be voluntarily provided if to do so would be a breach of data protection legislation. In addition sharing of patient data on a voluntary basis is prohibited.
The Cabinet Office may disclose the results of data matching exercises where this assists in the prevention and detection of fraud, including disclosure to bodies that have provided the data and to auditors that it appoints as well as in pursuance of a duty under an enactment.
The Cabinet Office may disclose both data provided for data matching and the results of data matching to the Auditor General for Wales, the Comptroller and Auditor General for Northern Ireland, the Auditor General for Scotland, the Accounts Commission for Scotland and Audit Scotland, for the purposes of preventing and detecting fraud.
Wrongful disclosure of data obtained for the purposes of data matching by any person is a criminal offence. A person found guilty of the offence is liable on summary conviction to a fine not exceeding level 5 on the standard scale.
The Cabinet Office may charge a fee to a body participating in a data matching exercise and must set a scale of fees for bodies required to participate.
The Cabinet Office must prepare and publish a Code of Practice. All bodies conducting or participating in its data matching exercises, including the Cabinet Office itself, must have regard to the Code.
The Cabinet Office may report publicly on its data matching activities.
Special category data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The legal basis for processing your special category personal data is:
Article 9(g) UK GDPR: processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
The Cabinet Office conducts data matching exercises to assist in the prevention and detection of fraud. The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014.
The Cabinet Office’s legal basis for processing your criminal convictions data is paragraphs 6 and 10 of schedule 1 to the Data Protection Act 2018.
Recipients
Your personal data will be shared by us as necessary for the purposes of preventing and detecting fraud with:
- The Auditor General for Wales
- The Comptroller and Auditor General for Northern Ireland
- The Auditor General for Scotland
- The Accounts Commission for Scotland
- Audit Scotland
And with mandatory participants who include:
- district and county councils
- London and metropolitan boroughs
- unitary authorities
- police authorities
- fire and rescue authorities
- pension authorities
- NHS Trusts, strategic health authorities and Foundation Trusts
- Integrated Care Boards
- passenger transport authorities
- passenger transport executives
- waste authorities
- Greater London Authority and its functional bodies
In addition, the following bodies provide data to the Cabinet Office for matching on a voluntary basis:
- Private sector pension schemes (various)
- Home Office
- Metropolitan Police – Operation Amberhill
- Special health authorities
- Housing associations
- Probation authorities
- National park authorities
- Central government pensions schemes
- Insurance Fraud Bureau
- Central government departments
- Other private organisations/companies/credit reference agencies
We will share records containing personal data with HMRC. These will be matched against HMRC records and additional HMRC information appended and fed back to the NFI. The HMRC matching will seek to identify persons at the address provided and relevant income related information. Data matching services are then provided to the NFI by the Department for Work and Pensions, and by our IT Supplier using only UK Data Centres.
The data that is matched and the reasons for matching it
For information summarising the various match types for each particular type of participating organisation and the purpose of the matching please refer to the document NFI match types per participating body. We also provide the following services:
ReCheck
ReCheck is a flexible data matching service which complements the national exercise. This service allows NFI participant bodies to re-perform existing data matching, at a time that suits them, by uploading their organisation’s datasets for internal matching.
AppCheck
NFI participants can use this service at the point of application to check against NFI data to help verify people’s identity or if they have left out relevant information that might affect their entitlement to a benefit, service or employment.
FraudHub
Allows NFI participant bodies, who want to work together, to regularly and effectively screen their collective data in order to prevent errors in processing payments and to reduce fraud.
Code of Data Matching Practice
Data matching by the Cabinet Office is subject to a code of practice.
Further Information
View more information about the Cabinet Office data matching exercises. You can also read national reports on the NFI published by the Cabinet Office.
Your Rights
You have the right to:
- request information about how your personal data are processed, and to request a copy of that personal data
- request that any inaccuracies in your personal data are rectified without delay
- request that any incomplete personal data are completed, including by means of a supplementary statement
- request that your personal data are erased if there is no longer a justification for them to be processed
- request, in certain circumstances (for example, where accuracy is contested), that the processing of your personal data is restricted
Where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, you have the right to object to the processing of your personal data. This right does not apply where your data is disclosed to us under a legal obligation under Paragraph 2 of Schedule 9 of the Local Audit and Accountability Act 2014.
Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Email: casework@ico.org.uk
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
Contact Details
The data controller for your personal data is the Cabinet Office. The contact details for the data controller are:
Head of the NFI
1 Horse Guards Road
London
SW1A 2HQ
Email: nfiqueries@cabinetoffice.gov.uk
The contact details for the data controller’s Data Protection Officer (DPO) are:
Stephen Jones
DPO
Cabinet Office
70 Whitehall
London
SW1A 2AS
Email: dpo@cabinetoffice.gov.uk
This page was last updated March 2025 and will be reviewed in March 2026.