Introduction
- The Comptroller and Auditor General for Northern Ireland (C&AG), head of the Northern Ireland Audit Office (NIAO), has statutory powers to conduct data matching exercises for the purpose of assisting in the prevention and detection of fraud. The powers are contained in the Serious Crime Act 2007, which adds Articles 4a to 4h to the Audit and Accountability (Northern Ireland) Order 2003.
- The Serious Crime Act imposes a regulatory regime alongside existing fair processing and other compliance requirements of data protection legislation. Any person or body conducting or participating in the C&AG’s data matching exercises must, by law, have regard to a statutory Code of Data Matching Practice.
- Data matching involves comparing sets of data, such as the payroll or benefits records of a body, against other records held by the same or another body to see how far they match. This allows potentially fraudulent claims and payments to be identified.
- The next data matching exercise under the C&AG’s powers will be undertaken in 2024-25, as part of the National Fraud Initiative (NFI). As in previous NFI exercises, the Public Sector Fraud Authority will carry out the key aspects of the exercise on behalf of the C&AG, including the collection and processing of data.
- The data obtained for the 2024 - 25 exercise will be matched on a cross jurisdictional basis across the UK.
Distribution of Matches
- Once the data matching process is completed, the output will be available to participating organisations, for consideration and investigation, via the secure NFI web-based application. Responsibility for investigating matches will rest with the participating organisations. Organisations are not expected to investigate all matches but should use a risk-based approach to decide on how many, and which, matches to investigate.
- The data matching output provided by the Public Sector Fraud Authority indicates the priority reports and higher risk data matches within each report. It is important to note that the matches do not necessarily indicate fraud but they highlight an inconsistency which may be worthy of further investigation.
Audit
- The C&AG and local government auditors will use the output from the NFI exercise to help them assess the arrangements that the bodies they audit have in place to prevent and detect fraud.
- Information on the role of the C&AG and the local government auditors is at www.niauditoffice.gov.uk.
Statutory framework
- The C&AG conducts data matching exercises under statutory powers in the Audit and Accountability (Northern Ireland) Order 2003, as amended by the Serious Crime Act 2007.
- The legislation requires the C&AG to prepare a code of practice to govern the data matching exercises, and to consult over it before approving and laying it before the Assembly. The original Code was laid before the Northern Ireland Assembly in July 2008. A revised Code, taking account of the transfer of the NFI to the Public Sector Fraud Authority and the provisions of the 2018 General Data Protection Regulation (GDPR), was laid in November 2018, following consultation with key stakeholders, including the Information Commissioner’s Office. The revised Code can be viewed here.
- Under the legislation, the C&AG may carry out data matching exercises for the purpose of assisting in the prevention and detection of fraud, as part of an audit or otherwise. The C&AG may require certain bodies to provide data for a data matching exercise. These are bodies whose accounts are required to be audited by:
- the C&AG, other than any body whose accounts are required to be audited by virtue of section 55 of the Northern Ireland Act 1998, which includes North/South Implementation bodies audited jointly by the C&AG and the Irish Comptroller and Auditor General; and
- a local government auditor.
Therefore central government bodies (that is Northern Ireland departments, executive agencies, police and justice bodies, non-departmental public bodies and health and social care bodies) and local government bodies (district councils) must participate if required.
- Other bodies may participate in the data matching exercises on a voluntary basis where the C&AG considers it appropriate. The requirements of data protection legislation and the GDPR will apply.
- The C&AG may disclose the results of a data matching exercise to bodies that have provided the data. The C&AG may also disclose both data provided for data matching and the results of data matching to the Public Sector Fraud Authority, the Auditor General for Wales, the Auditor General for Scotland, the Accounts Commission for Scotland and Audit Scotland, for the purposes of preventing and detecting fraud. This is an important aspect of the legislation as it enables cross jurisdictional data matching.
- The processing of data by the C&AG in a data matching exercise is carried out with statutory authority. It does not require the consent of the individuals concerned to satisfy data protection legislation.
Privacy Notices
- Under data protection legislation and the GDPR, NFI participants must tell individuals that their data will be processed. This information is provided by way of a Privacy Notice.
- Participants should, as far as is practicable and unless an exemption from the fair processing requirement applies, provide or make readily available, privacy notices to the individuals about whom they are sharing information. The privacy notice should:
- clearly explain that their data may be disclosed for the purpose of preventing and detecting fraud;
- include details of the legal basis on which the data controller relies for the processing;
- in accordance with the Information Commissioner’s guidance, specify with whom the data will be shared; and
- contain details of how individuals can find out more information about the processing in question.
- For more information on privacy notices, participants should refer to the Information Commissioner’s guidance at https://ico.org.uk/for- organisations/accountability-framework/transparency/
- The Comptroller and Auditor General’s full text privacy notice for the National Fraud Initiative is available on the NIAO’s website at https://www.niauditoffice.gov.uk/national-fraud-initative . It includes an explanation of the legal basis for the C&AG’s data matching exercises.
- The Key Contact for each participating organisation must submit a declaration via the secure NFI web application confirming that they have complied with Privacy Notice requirements.
Contact nominations and responsibilities
Senior Responsible Officer role
- The director of finance, or equivalent senior named officer, will act as ‘Senior Responsible Officer’ (SRO) for the NFI. The SRO is responsible for ensuring the participating organisation meets its statutory requirements. The SRO should:
- nominate a Key Contact;
- ensure the Key Contact has access to the matches via the secure NFI web application when they become available; and
- ensure that the Key Contact fulfils all privacy notice requirements.
Key Contact role
- The Key Contact is responsible for:
- fulfilling the organisation’s privacy notice requirements. The Key Contact should be in direct communication with their organisation's data protection officer or equivalent;
- ensuring that the data formats guidance and data specifications are adhered to;
- nominating appropriate users to upload data submissions, investigate the matches and act as point of contact for other bodies about a match (‘preferred dataset contact’);
- co-ordinating and monitoring the overall exercise; and
- ensuring that outcomes from the investigation of matches are recorded on the secure NFI web application promptly and accurately.
- In small organisations, one person may fulfil the Key Contact, data submission, dataset contact and investigation roles.
Data submission role
- The user responsible for the submission of the data should ensure that data:
- meets the specifications (see Appendix 1);
- contains a header row;
- is in the correct format (see Appendix 3);
- is submitted via the data file upload (DFU) facility; and
- is submitted by the required deadline (see Table 2 at paragraph 30).
Investigation role
- The Key Contact will set up a user or number of users with access to the NFI web application so that they can review and investigate the matches. The users may also be responsible for responding to enquiries from other matched bodies if the Key Contact delegates this role.
- Once the data matching process for each exercise is completed, the output will be available to the relevant participating body via the secure NFI web application. Participating bodies are then responsible for reviewing and investigating matches as appropriate.
- The secure NFI web application contains embedded guidance with the data matching output. It is essential that users follow this guidance as it helps with prioritising reports and the matches within them.
Data requirements
- The data requirements for the 2024-25 data matching exercise are set out in Table 1, with the corresponding data specifications set out in Appendix 1. Points to note are:
- The requirements of the Code of Data Matching Practice of the Comptroller and Auditor General for Northern Ireland in relation to privacy notices should be adhered to. In addition, see paragraphs 16 to 19 above. Liaise with your own Data Protection Officer if you require any clarification.
- The Data Submission section (see page 14) provides details on how to upload data securely. This is the only acceptable method.
- For bodies whose payroll is administered through HR Connect, if you are NOT an NICS department, you must request a file of data from HR Connect administrators in line with the payroll data specification and upload it directly to the Public Sector Fraud Authority. For NICS departments, HR Connect will provide a payroll file to NICS HR who will upload the data on behalf of all NICS departments.
- For bodies whose creditors are administered through Account NI, each individual body must request from Account NI a file of data in line with the creditors’ data specifications (standing data and payments history). Bodies will then upload their creditors’ datasets directly to the Public Sector Fraud Authority.
- In cases where a provider submits data (e.g. payroll) direct to the Public Sector Fraud Authority on behalf of a body, it is the body’s responsibility to ensure that the provider receives full and timely instructions about this requirement and that employees are notified in line with the fair processing requirements.
- Experience from previous NFI exercises has shown that Trade Creditors standing data and payments history are complicated specifications so extreme care should be taken when extracting this data, otherwise the quality of the output can be severely affected.
Table 1: Data requirements 2024-25
All mandatory participants must provide the following Datasets:
Payroll (including agency workers)
Trade creditors' payment history
Trade creditors' standing data
Pensions (through relevant pension paying authority
The following bodies must also submit these additional datasets
Body | Datasets Required |
---|---|
Northern Ireland Housing Executive |
|
Department of Finance |
|
Belfast Health and Social Care Trust Northern Health and Social Care Trust South Eastern Health and Social Care Trust Southern Health and Social Care Trust Western Health and Social Care Trust |
|
Department for Infrastructure |
|
Department for Communities |
|
Northern Ireland Audit Office (Voluntary Participant) |
|
NI Water (Voluntary Participant) |
|
Translink (Voluntary Participant) |
|
Victims and Survivors Service (Voluntary Participant) |
|
Timetable
The timetable, from launch of the exercise and collection of data through to distribution of matches, is set out in Table 2.
Activity | Who | How | Timing |
---|---|---|---|
Confirm contact details for the 2024- 25exercise | Senior Responsible Officer / Key Contact | Changes should be notified via email, as and when they arise, to: nficoordinator@niauditoffice.gov.uk and helpdesk@nfi.gov.uk | Updating of contact details is a continuous process. Changes should be notified as and when they arise |
2024-25 web application becomes available | NFI Team (PSFA) | The link to the web application is https://www.nfi.gov.uk/ . | Web application for 2024-25 will be available from Tuesday 25 June 2024 |
Check the list of expected datasets | NFI Key Contact | Key Contacts should log into the 2024-25 web application Data File Upload (DFU), check that the list of expected datasets is accurate and advise any changes to the NFI Coordinator by. (nficoordinator@niauditoffice.gov.uk ) | Between Tuesday 30 July and Tuesday 27 August 2024 |
Issue the FINAL data specifications for each data set | NFI Team (PSFA) | Final data specifications are available on theNFI GOV.UK web page | By 31 July 2024 |
Issue NFI Instructions to bodiesparticipating in NFI 2024-25 | NFI Coordinator (NIAO) | NIAO will email Instructions, including finaldata specifications, to the Senior Responsible Officer in all participating organisations (and copy to the Key Contact for information). A copy will be on the NIAO website at https://www.niauditoffice.gov.uk/national- fraud-initative . | From Monday 12th August |
Ensure the person uploading data has a web application account | NFI Key Contact | Key Contacts should ensure the person(s) responsible for uploading data has a user account on the web application. | By Friday 30 August 2024, and as and when future changes occur |
Complete the 24-25 privacy notice compliance declaration in the | NFI Key Contact | Key Contacts should ensure the privacy notice compliance declaration is completed. | By Friday 30 August 2024 |
Activity | Who | How | Timing |
---|---|---|---|
web application |
|
|
|
Extract data from systems in accordance with the data specifications and upload data to the NFI web application | NFI Key Contact / User (data upload) | Key Contacts should ensure that data is extracted from systems as at 30 September 2024 (unless otherwise stated in the data specification) and uploaded to the 2024-25 web application via the data file upload (DFU) facilityas soon as quality checkshave been completed.
The database for 2024/25 will close on Friday 8 November 2024, this means to allow sufficient time for your data to be processed and data quality checked prior to the closure of the database, data will actually need to be submitted by Friday 25 October 2024.
Late data, or data that does not adequately meet specified data quality criteria may incura penalty fee. | Data must be uploaded between Tuesday 1 October 2024* and Friday 25 October 2024 ***
Database closes on Friday 8 November 2024.
Note: different dates will apply for rates, LPA, and state pension, to be advised separately. |
Cut-off for the main NFI 2024-25data submission | NFI Key Contact / Senior Responsible Officer | If data is not received and processed by closeof business on Friday 25 October 203it may be classed as late and a failure to fully meet yourstatutory duty** | 5pm on Friday 25 October 2024*** |
Set up or confirm accounts for those who will be reviewing matches | NFI Key Contact | Key Contacts should ensure user accounts are set up on the web application. Users responsible for reviewing matches can access the online Help menu in preparation for the release. | By Monday 2 December 2024 and as and when future changes occur |
2024-25 matches available | NFI Team (PSFA) | The PSFA NFI Team will send an email to Senior Responsible Officers and Key Contacts, informing them that the matches are available. | From Friday 20th December 2024**** |
* A series of reminders will be issued to Key Contacts from Tuesday 8 October 2024. If data has not been received, or we have not been notified of a delay, by 15 October 2024 reminders will be copied to Senior Responsible Officers i.e. 2 weeks after the submission date.
** Under Articles 4A to 4G of the Audit and Accountability (Northern Ireland) Order 2003.
*** Failure to submit all of your required data promptly and of acceptable quality may incur additional fees and result in some datasets being excluded from the matching process for the 2024/25 results release. Data should still be submitted for a later supplementary
match release.
**** There may be subsequent match releases should data not be provided by the required deadline.
- Before data is extracted (downloaded) from local systems, it is essential that the guidance on data upload to the NFI secure website is taken into account:
- data upload instructions (Appendix 2); and
- data format (Appendix 3).
- If you require any further guidance on how to extract, upload or submit data please contact the NFI Data Centre (Synectics Solutions Ltd) via email helpdesk@nfi.gov.uk or call 0845 345 8019.
- To upload the data, log into the secure NFI web application and select the Data File Upload option from the relevant National Exercise menu. The secure application features 256 bit Secure Sockets Layer encryption and enables data files to be password protected. Before downloading data from your system, please refer to Appendix 2.
- Data should be submitted using the Data File Upload (DFU) facility within the NFI secure website. This is the only acceptable method to supply NFI data. If any other method of submission is used, our policy will be to inform the Senior Responsible Officer that data has been put at unnecessary risk.
Password protection
- As part of our ongoing commitment to keep your data secure, in line with good practice when handling personal data, you are required to password protect each dataset once extracted from the relevant systems. If required, refer to the guidance on the Public Sector Fraud Authority website at https://www.gov.uk/guidance/uploading-data-to-national-fraud-initiative .
- The document Protect Yourself Online (available on the Public Sector Fraud Authority website at the above link) provides guidance on using the NFI secure web application.
- If you require any further guidance on extracting data from your system or submitting data, contact the NFI Data Centre (Synectics Solutions Ltd) via email helpdesk@nfi.gov.uk or call 0845 345 8019.
Making the process more efficient
- The Senior Responsible Officer and Key Contact can take measures to make the NFI process more efficient. These include:
- ensuring all contact details are up to date;
- reviewing the data quality reports from the previous exercise to identify any improvements that can be made for the next data submission (these reports will be accessible from the home page of the secure NFI web application);
- making sure that appropriate staff review all data extraction guidance documents prior to submission of data; and
- planning in advance what investigative resources are needed, based on local expertise and knowledge, so the matches can be dealt with promptly. For example, trade creditor duplicate matches are perhaps best dealt with by a nominated person in either Internal Audit or Accounts Payable.
Communications
- The Public Sector Fraud Authority and the NIAO are committed to ensuring the NFI is effective. We will continue to work closely with key contacts and others to provide regular and timely information to all parties involved in the investigation process. The NFI communication plan includes:
- access to NFI related reference material on the Public Sector Fraud Authority’s NFI web page (www.gov.uk/government/collections/national- fraud-initiative) and the NIAO web page (https://www.niauditoffice.gov.uk/national-fraud-initative );
- important messages to be placed within the NFI software on the Message Board of the new Home page;
- NFI general support from the Public Sector Fraud Authority via nfiqueries@cabinetoffice.gov.uk ;
- NFI technical support on 0845 345 8019 or via helpdesk@nfi.gov.uk ; and
- general enquiries about the NFI in Northern Ireland should be addressed in the first instance to the NFI Co-ordinator via email at nficoordinator@niauditoffice.gov.uk