Internal Audit privacy notice
Internal Audit provide independent and objective assurance to the Council, its Members and the Senior Management Team (including the S151 Officer) to support them in discharging their responsibilities.
Audit Activity is set at the start of the calendar year in the form of an annual plan which is agreed by the Audit Committee after consultation with senior management.
The plan will be altered over the course of the year to adapt to new risks and concerns.
The data processed by Internal Audit will depend on the annual plan and subsequent updates.
The Head of Internal Audit (HoIA) will decide whether to assign audits to the in-house team or use an outsource partner under a framework agreement (Cross council Assurance Service). The outsource partner is currently PwC. PwC acts as a data controller when carrying out audit work on behalf of the council.
Section 5.2.5, Document 21 (Financial Regulations) of the Council's Constitution states: Internal Audit has unrestricted access to all information (including records, computer files, databases, systems, property and personnel) across any service and/or activities undertaken by the Council, or partners on the behalf of the Council where council information is held in order to review, appraise and report on the Council’s control framework.
Internal audit does not publish personal data as part of its reports.
Personal information collected
In auditing Council Services, any personal data held by those services may be accessed and used as evidence during an audit. For the purposes of an audit review, we may access the following:
- contact details
- date of birth
- financial information
- equalities information
- property information
- criminal/prosecution information
- health/medical information
- Social Services Records
- Human Resources Records
- other agencies involved
- education information
- housing information
- employment information
- information from the local authority from where you live and previously lived
- family/relationship information
- NHS number
- support network
- referral/assessment information
- images in photographs or film/CCTV
Who we share the information with
For the purposes of reporting on the outcomes of an audit assignment we share information with the following:
- Council Corporate Anti-Fraud Team (CAFT)
- Enforcement Agencies (via CAFT)
- Government Departments (e.g. MHCLG – grant certification)
- Our contractor PwC – PwC is considered a data controller when carrying out audits on behalf of the council, because of the independence it has in undertaking audits.
Legislation that applies
- S151 of the Local Government Act 1972, relating to the proper administration of the Council’s financial affairs.
- The Accounts and Audit Regulations 2015
- Public Sector Internal Audit Standards
How long we keep your information
Non-personal information and reports are retained for 5 years.
All evidence for audit assignments which consists of personal data is deleted at the conclusion of the assignment.