Data collection, retention and storage
This privacy policy, together with other accompanying documentation referred to, sets out the basis upon which any 'personal data' we collect from you (sensitive personal data or otherwise), or that you provide to us, will be processed by the NHS Counter Fraud Authority (NHSCFA).
For the purpose of the Data Protection Act (DPA) 2018, the data controller is the NHS Counter Fraud Authority (NHSCFA ), registered with the Information Commissioner's Office (ICO) under registration number ZA290744 (expires 30 October 2024).
The NHSCFA is in compliance with the national data opt-out policy.
Please take the time to carefully read our policy to understand our practices and procedures regarding your personal data and how we treat it.
What type of data does the NHSCFA collect?
The NHSCFA collects data appropriate for preventing and detecting crime within the NHS, ensuring that personal data is adequate, relevant and not excessive for the purposes for which it is processed.
How does the NHSCFA collect data ?
Data is collected:
- through the process of data sharing with the wider NHS, public sector and professional regulatory bodies
- through the NHSCFA's Fraud and Corruption Reporting Line and online fraud reporting tool
- during the course of NHSCFA investigations, intelligence gathering and other proactive anti-crime programmes
- when you raise a general enquiry
- we may ask for information when you report a problem regarding the services provided by the organisation; and
- if you contact us we may keep a record of that correspondence or telephone call.
What constitutes a record?
Documents, electronic or paper-based files, email messages, diary records, faxes, reports, intranet and internet files, audio and video recordings, scanned records, information created, received and maintained as evidence and information by an organisation or individual, in pursuance of legal obligations or in the transaction of business.
How do the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 define the processing of data?
The processing of personal information and the protection of individual rights is governed by both the General Data Protection Regulation (GDPR) and Part 2 and/or Part 3 of the Data Protection Act 2018.
The primary purpose for processing your personal data determines what law protects your rights and provides the legal basis for our processing activities.
Where the NHS Counter Fraud Authority (NHSCFA) processes your personal data for general purposes not relating to the organisation’s statutory function, the GDPR and Part 2 of the Data Protection Act 2018 apply.
Where the NHSCFA processes your personal information for law enforcement purposes in connection with our statutory functions, Part 3 of the Data Protection Act 2018 applies.
Under the above provisions, the NHSCFA’s lawful bases for processing the types of personal data below fall within the following permitted categories:
- public task
- contract
- consent
Correspondence and contact with the NHSCFA for general purposes connected with its statutory function
Legal basis for processing personal data
This is type of personal data is processed under the GDPR and Part 2 of the Data Protection Act 2018 on the basis that the processing is necessary and in line with what can reasonably be expected when personal information is provided for general purposes.
These include, but are not limited to: processing job applications, securing goods or services for the NHSCFA, responding to enquiries and requests, investigating complaints and corporate administration purposes such as maintaining our records and accounts.
Information submitted via our fraud and corruption reporting line portals (online and telephone)
The NHSCFA provides both online and telephone reporting mechanisms for the reporting of fraud, bribery and corruption affecting the National Health Service.
Legal basis for processing data
This type of personal data is processed for law enforcement purposes Under Part 3 of the Data Protection Act 2018. Section 31 of the Act defines law enforcement purposes as:
...’the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security’.
When completing the online reporting form, you will be asked questions about whether you consent to the sharing of the personal details you have provided, but this is not the legal basis for processing.
You may be asked whether you give permission for the NHSCFA Intelligence Unit to pass on your personal details to case teams in the wider organisation or to outside agencies. Where permission is withheld, we will seek to respect your wishes but there may in rare circumstances be an overriding interest/obligation which may mean your personal details may have to be shared outside of the Intelligence Unit.
The personal information submitted on forms is stored securely in our systems, where your data is then subject to our internal retention and disposal policy.
Your personal data may be shared by the NHSCFA Intelligence Unit with internal teams or external organisations such as the police, other government organisations or regulatory bodies; for example where the information may be relevant to a live criminal or regulatory investigation.
Correspondence and contact with the NHSCFA for law enforcement purposes in connection with our statutory functions
Personal information collected under this heading will be processed for law enforcement purposes under Part 3 of the Data Protection Act 2018.
What is the minimum retention period for data held by the NHSCFA?
There are no provisions within the DPA or the GDPR regarding data retention. The DPA and the GDPR both state that data processed for any purpose shall not be kept longer than is necessary for that purpose. The DPA and the GDPR therefore requires the destruction of data that is no longer relevant for its purpose. In order to comply with these principles, the NHSCFA reviews all data processed and considers how long the data will need to be kept, in line with the organisation's data handling, storage and retention policy.
What is the maximum retention period for data held by NHSCFA?
In cases where a full investigation has taken place and no evidence of fraud was proven or disciplinary/civil action was taken as a result, the retention and disposal of cases papers falls outside the conditions imposed by the Criminal Procedures Investigations Act 1996 (CPIA). Investigation papers are retained for a period of at least 6 years after the decision is made that no evidence of fraud is proven or after the conclusion of the investigation. This 6 year period allows for any objection/grievances or other legal processes, including litigation proceedings, in relation to the investigation to be raised and the investigation notes to remain available for that purpose. Data recorded on our fraud intelligence database will be retained for a period of 6 years after conclusion of the case. In cases involving the use of audio and visual recordings, these will also be retained for 6 years.
Completed investigations which have resulted in fraud being proven by way of criminal sanctions fall under conditions imposed by CPIA. This legislation states that:
'If the subject is convicted all material must be retained until at least:
- the convicted person is released from custody/discharged from hospital (or six years after conviction whichever is longer); or
- 'in all other cases six years from date of conviction.'
The NHSCFA therefore recommends that all papers, audio and visual recordings falling into this category be retained for a period of at least 6 years after conclusion of the case. This period takes into consideration criminal and civil court time limits imposed in relation to appeals.
Are NHSCFA required to comply with any formal information governance compliance programme?
The NHSCFA has to comply with the NHS Governance Toolkit. We also have to complete a return to the Cabinet Office to allow us to remain on the Public Services Network (PSN). PSN compliance is a way to demonstrate that an organisation's security arrangements, policies and controls are sufficiently rigorous for the organisation to interact with those connected to it.
Where do we store your personal data?
All data that we collect and any information that you provide to us is safely stored on our servers, which are encrypted through a secure system. No data is stored or transferred outside the European Economic Area (EEA).
Data sharing
How does the NHSCFA collect data?
We use information provided or held about you in the following ways:
- to provide you with information about our guidance or services that you request from us, where you have consented to be contacted for such purposes
- to improve our website to ensure that content is presented in the most effective manner
- to allow you in to participate in some of the interactive features of our service when you choose to do so
- to notify you about changes to our service(s)
You have the right to ask us not to process your personal data or share it with other organisations (subject to certain exceptions). We will usually inform you before collecting your data, if we intend to disclose your information to any third party. You can exercise your right to prevent such processing by checking the relevant tick boxes on the forms or data portals we use to collect your data.
Who does the NHSCFA share data with?
The NHSCFA shares data with other public bodies under Memorandums of Understanding (MOUs) and Information Sharing Agreements (ISAs). These enable cooperation and information sharing between public bodies. Our current list of MOUs and ISAs are available on the Who we work with page. We may also share data:
- if we are under a duty to disclose or share personal information in order to comply with any legal obligation
- for the prevention of crime, in accordance with the law, with regulatory or governing bodies;
- with analytics and search engine providers that assist us in the improvement and optimisation of our website. Please note that we do not disclose information about identifiable individuals to such third parties, but we may provide them with anonymous aggregate information about visitors and users ;
- those interacting with us on social media; or
- otherwise in accordance with this privacy policy
How does the NHSCFA manage the sharing of data?
The NHSCFA abides by legislation on data sharing, for example the DPA and the GDPR, which sets rules for the handling personal data, and the Human Rights Act and the common law duty of confidentiality, which protects confidential and private information (subject to certain exceptions). For further information see the following:
- Data Protection Act 2018
- General Data Protection Regulation
- Human Rights Act 1998
- The Common Law Duty of Confidentiality
What information does the NHSCFA provide to the media?
The NHSCFA provides information to the media primarily in the form of press releases after successful legal action, normally issued just after sentencing or judgement. The factual content of these press releases is checked and signed off by the investigators who led the investigation and senior managers. Press office staff may provide informal background briefings to the media using information that is already in the public domain, but attributable quotes from the NHSCFA are usually from senior NHSCFA officials.
Accessing information
How can I access my personal information?
The DPA and the GDPR set the rules for disclosure of personal details. Every living individual has the right to request access to their own personal data. To request your personal data you must make a subject access request; this can be done via email to: DPArequest@nhscfa.gov.uk.
For more information on subject access requests, please see the Information Commissioner's Office website.
If you have a concern about the organisation's information rights practices, you have the right to make complaint to the ICO or another supervisory authority.
Can I access other information and how do I do it?
The Freedom of Information Act 2000 provides public access to information held by public authorities. To make a request for information from NHSCFA please email FOIrequest@nhscfa.gov.uk. For more details, please see the Freedom of information page.
Information security
Does the NHSCFA follow agreed standards for data management?
The key statutory requirement for compliance with records management principles is the DPA and the GDPR. They provide a broad framework of general standards that have to be met and considered in conjunction with other legal obligations. The NHSCFA also complies with the NHSBSA Records Management Audit Framework.
How does the NHSCFA monitor, maintain and review its standards for data management?
The NHSCFA is ISO 27001 certified and has a range of policies and procedures in place for ensuring high standards of data management and information assurance. We also follow a range of CESG standards and best practices to manage our information securely. CESG is the UK government's National Technical Authority (formerly the Communications-Electronics Security Group) for information assurance and protects the UK by providing policy and assistance on the security of communications and electronic data, in partnership with industry and academia. CESG works with the wider public sector, including health service, law enforcement, local government and the utility companies that provide the services that form the UK's critical national infrastructure.
How does the NHSCFA safeguard the information provided to our hotline and fraud reporting website?
All information provided to NHSCFA through our Fraud and Corruption Reporting Line or online fraud reporting form will be handled professionally, sensitively and in accordance with the law.
Our specialist staff will quickly decide if the matter you are reporting is something the NHSCFA can deal with or whether it needs to be passed on to another more appropriate organisation. If it is a matter for the NHSCFA, we will carefully consider all information that you provide us. We will consider the strength and relevance of the available evidence to decide whether your information is suitable for investigation. If it is, it will be allocated to a trained fraud investigator, either locally at an NHS organisation or within a specialist team at the NHSCFA.
Does the NHSCFA follow agreed standards for data management?
The NHSCFA is ISO 27001 certified and has a range of policies and procedures in place for ensuring high standards of data management and information assurance. We also follow a range of CESG standards and best practices to manage our information securely. CESG is the UK government's National Technical Authority (formerly the Communications-Electronics Security Group) for information assurance and protects the UK by providing policy and assistance on the security of communications and electronic data, in partnership with industry and academia. CESG works with the wider public sector, including health service, law enforcement, local government and the utility companies that provide the services that form the UK's critical national infrastructure.
How does the NHSCFA safeguard the information provided to our hotline and fraud reporting website?
All information provided to NHSCFA through our Fraud and Corruption Reporting Line or online fraud reporting form will be handled professionally, sensitively and in accordance with the law. Our specialist staff will quickly decide if the matter you are reporting is something the NHSCFA can deal with or whether it needs to be passed on to another more appropriate organisation. If it is a matter for the NHSCFA, we will carefully consider all information that you provide us. We will consider the strength and relevance of the available evidence to decide whether your information is suitable for investigation. If it is, it will be allocated to a trained fraud investigator, either locally at an NHS organisation or within a specialist team at the NHSCFA.
If the matter you are reporting is not for the NHSCFA to deal with, we may pass the information on to another public or regulatory body or the police so that it can be followed up by the right people. Your personal details will not be disclosed to anyone without your prior permission unless we are obliged to do so by law, or it is in the wider public interest.
When you contact the NHSCFA, you don't have to give us any information about yourself unless you want to. Telling us who you are may help us to investigate matters more quickly and effectively, but you can choose not to give us your name if you prefer. All information you provide will be treated in complete confidence.
There are three ways of reporting that determine how your personal details are handled (you can find out more about each by visiting the Report fraud page ):
- Information and contact details - LINKED If you have no concerns about your personal details being linked to the information you are providing (or if you are reporting something in an official capacity as part of your job) your details will be held with the information and made available to the investigating officer. This will allow us to contact you easily should anything need to be clarified.
- Information and contact details - SEPARATED If you are happy to provide your personal details to the NHSCFA but would like your personal details separated from the information you are providing, measures will be taken on receipt to ensure that the information that you provide does not reveal your identity. Your personal details will not be disclosed to anyone including the investigating officer without your permission unless we are obliged to do so by law, or it is in the wider public interest.
- Reporting - ANONYMOUSLY Sources can remain completely anonymous in their dealings with the NHSCFA. We will not ask you for your name or any contact details. Please be sure to provide as much information and detail as possible regarding the fraud, as we will not be able to contact you again for further information.
Does the NHSCFA comply with statutory frameworks for protecting whistleblowers?
From 1 February 2016, NHS Protect/the NHSCFA has become a 'prescribed person' under the Public Interest Disclosure Act (PIDA) 1998, which provides the statutory framework for protecting workers from harm if they blow the whistle on their employer. Under PIDA, whistleblowers may tell a relevant prescribed person about suspected wrongdoing they believe may have occurred, including crimes and regulatory breaches. Passing information like this is known as making a 'disclosure'.
The work NHS Protect/the NHSCFA does as a prescribed person to receive and follow up the disclosures whistleblowers make to us is also in line with the recommendations of the Prescribed Persons Order 2014. The Order sets out a list of over 60 organisations and individuals that a worker may approach outside their workplace to report suspected or known wrongdoing. The organisations and individuals on the list have usually been designated as prescribed persons because they have an authoritative or oversight relationship within the sector, often as a regulatory body. An up-to-date list can be found at: www.gov.uk/government/publications/blowing-the-whistle-list-of-prescribed-people-and-bodies--2
Not everyone that reports concerns to NHS Protect/the NHSCFA can be automatically considered to be a whistleblower. In order to be entitled to legal protections, specific criteria need to be met. A whistleblower is usually an employee, who makes a public interest disclosure by reporting certain types of wrongdoing. As a whistleblower you are protected by law, you shouldn't be treated unfairly or lose your job because you 'blow the whistle'. NHS Protect/the NHSCFA as a prescribed person is not responsible for deciding whether the individual who has made the disclosure qualifies for protection. Ultimately this will be decided by an employment tribunal in contested cases. The prescribed person is unable to become involved in grievances between workers and employers, other than to confirm that a protected disclosure was made.
How can I make a protected disclosure?
The purpose of being a 'prescribed person' is to provide workers with a mechanism to make their public interest disclosures to an independent body that may be able to act upon them. A worker reporting to a prescribed person will potentially qualify for the same employment rights as if they had made a disclosure to their employer. Such disclosures are legally referred to as 'protected disclosures'.
If a protected disclosure is made, the worker may have a right to redress through an employment tribunal should they suffer a detriment or be dismissed from work as a result of making that disclosure. When a whistleblower makes a disclosure to a prescribed person they escalate the issue beyond their employer, as those with investigatory and regulatory functions can consider acting upon the information that has been disclosed to them. In particular, whistleblowers can provide an important source of information to prescribed persons, which will enable prescribed persons to gain a greater understanding of the sectors they regulate/oversee.
Further guidance on the whistleblower process and role of prescribed persons can be found from the following sources: https://www.gov.uk/whistleblowing
www.gov.uk - bis-15-201-Prescribed-persons-guidance.pdf
Third party links
Our website may from time to time contain links to and from the websites of affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy notices and therefore we do not accept any responsibility or liability for these. Please ensure you check these policies before you submit any personal data to these websites.
Changes to our privacy policy
Any changes we make to our privacy policy in the future will be posted on this page.
Contact us
Questions, comments or requests regarding this privacy policy are welcome and they should be addressed to generalenquiries@nhscfa.gov.uk