Privacy Notice: National Fraud Initiative

Dumfries & Galloway College (the College) is providing you with this information to comply with data protection law to ensure that you are fully informed and that we are transparent in how we collect and use your personal data.

Your privacy and trust are very important to us and this Privacy Notice provides essential information about how the College handles your personal data and the rights you have in relation to how we use your data. The College is committed to complying with all applicable Data Protection legislation.

Who are we?

Dumfries & Galloway College is the ‘Controller’ and is responsible for looking after the personal data that you provide.

Registered office:

Dumfries & Galloway College
Bankend Road

For any queries or concerns about how your personal data is being processed, you can contact the Data Protection Officer (DPO) at

This privacy notice relates to the following process:

Sharing Data with Audit Scotland: National Fraud Initiative.

Purpose for processing – why do we collect information about you?

We collect and use your information for the following purposes:

The College is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

On behalf of the Auditor General for Scotland, Audit Scotland appoints the auditor to audit the accounts of the College. It is also responsible for carrying out data matching exercises under the National Fraud Initiative.

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This will include personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified but the inclusion of personal data within a data matching exercise does not mean that any specific individual is under suspicion. Where a match is found it indicates that there may be an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out. The exercise can also help bodies to ensure that their records are up to date.

Dumfries & Galloway College is required to provide specific sets of data to Audit Scotland for matching purposes. Information on the data sets can be found at:

Our lawful bases (reason) for processing your information are:

  • Article 6(1)(e) Use is necessary for performing a task in the public interest or under official authority vested in us.
  • Article 6(1)(c) Use is necessary for us to comply with a legal obligation.

The data being used includes special category (sensitive) data. Our legal reason for using this sensitive data is:

  • The legal basis for processing your special category and criminal convictions data is Article 9(2)(g) (substantial public interest), and sections 6, 10, 11 and 12 of Schedule 1 to the Data Protection Act 2018.

The use of data by Audit Scotland in a data matching exercise is carried out under its statutory authority, normally under its powers in Part 2A of the Public Finance and Accountability (Scotland) Act 2000. It does not require the consent of the individuals concerned under the Data Protection Act 2018. Data matching by Audit Scotland is subject to a Code of Practice. This may also be found here.

For further information on Audit Scotland’s legal powers and the reasons why it matches particular information, see the full text privacy notice at:

What information do we collect about you?

As part of your employment with the College we collect a range of relevant information about you – this is detailed in the Staff Privacy Notice.

When you do business with us, we also collect specific data for procurement and payment purposes.

For the purposes of the NFI, data shared between the College and Audit Scotland is defined in the NFI data sets:

Payroll data

Trade creditors standing data

Trade creditors history

How do we collect it?

Your personal information is collected when you complete our application process and from your personal files as your employment continues.

We also collect personal information when you enter into a business arrangement with us, for example to supply goods or services.

If you were to withhold the information we require for this process, the consequences would be:

We would not be able to assess your funding application or provide access to financial support.

Who do we share your information with?

For the purposes of the NFI your data is shared, via a secure portal, with Audit Scotland.

Details of data transfers to any third countries or international organisations

Your information will not be shared outside of the European Economic Area.

How do we look after your information and how long do we keep it for?

We will take all reasonable steps to prevent the loss, misuse or alteration of information you give us. Your personal information will be stored securely and will only be accessed by authorised staff, agents, contractors and other organisations who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality and must comply with data protection law.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Your employment data will be kept for 6 full years plus the current year when you leave employment, in line with the College’s data retention schedule for staff records, and will then be destroyed confidentially.

Data extracted from existing systems for upload to the NFI portal is securely deleted as soon as it is uploaded.

Automated decision making processes, including profiling

Automated decision making is not used as part of this process.

Your rights

Under Data Protection laws you have certain rights in relation to how the College manages and uses your personal information:

  • The right to be informed (this is the Privacy Notice)
  • The right to access your personal data
  • The right to rectification if the personal data we hold about you is incorrect
  • The right to restrict processing of your personal data

In addition the following rights apply only in certain circumstances:

  • The right to withdraw consent at any time (if consent is our lawful basis for processing your data)
  • The right to object to our processing of your personal data
  • The right to request erasure (deletion) of your personal data
  • The right to data portability
  • The right not to be subject to automated decision making including profiling.

For more information about your rights please see

Contact us

If you have any issues about this notice or the way the College has handled your personal information, please contact our Data Protection Officer in the first instance:


Telephone: 01387 734 364 or write to:

Data Protection Officer
Dumfries & Galloway College
Bankend Road

Complaints to UK Information Commissioner’s Office (ICO)

If you are dissatisfied with the response from the College you have the right to lodge a complaint with the Information Commissioner’s Office about our handling of your data:

You can do this online: ICO Online

By telephone: 0303 123 1113

Or write to:

Information Commissioner’s Office
Wycliffe House
Water Lane