Public Finance and Accountability (Scotland) Act 2000

[F1PART 2A DATA MATCHING

26A Power to carry out data matching exercises

(1)Audit Scotland may carry out data matching exercises or arrange for them to be carried out on its behalf.

(2)A data matching exercise is an exercise involving the comparison of sets of data to determine how far they match (including the identification of any patterns and trends).

(3)The power in subsection (1) may be exercised for one or more of the following purposes—

(a)assisting in the prevention and detection of fraud,

(b)assisting in the prevention and detection of crime (other than fraud),

(c)assisting in the apprehension and prosecution of offenders.

(4)A data matching exercise may not be used for the sole purpose of identifying patterns and trends in a person's characteristics or behaviour which suggest the person is likely to commit fraud in the future.

26B Voluntary disclosure of data to Audit Scotland

(1)For the purposes of a data matching exercise, any person may disclose data to Audit Scotland (or a person acting on its behalf).

(2)Such disclosure does not breach—

(a)any duty of confidentiality owed by the person making the disclosure, or

(b)any other restriction on the disclosure of data.

(3)Nothing in this section authorises a disclosure—

(a)which contravenes [F2the data protection legislation],

[F3(b)which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016,]

(c)of data comprising or including patient data.

(4)“Patient data” means data relating to an individual which is held for medical purposes and from which the individual can be identified.

(5)“Medical purposes” are the purposes of—

(a)preventative medicine,

(b)medical diagnosis,

(c)medical research,

(d)the provision of care and treatment,

(e)the management of health and social care services, and

(f)informing individuals about their physical or mental health or condition, the diagnosis of their condition or their care and treatment.

(6)Nothing in this section prevents disclosure of data under any other provision of this Act, another enactment or any rule of law.

(7)Data matching exercises may include data disclosed by a person outside Scotland.

26C Power to require disclosure of data

(1)Audit Scotland may require the persons mentioned in subsection (2) to disclose to it (or a person acting on its behalf) such data as it (or the person acting on its behalf) may reasonably require for the purpose of carrying out data matching exercises in such form as it (or such person) may so require.

(2)Those persons are—

(a)a body or an office holder any of whose accounts is an account in relation to which sections 21 and 22 apply,

(b)a body whose accounts must be audited under Part 7 of the Local Government (Scotland) Act 1973 (c.65) (finance),

(c)a Licensing Board continued in existence by or established under section 5 of the Licensing (Scotland) Act 2005 (asp 16), or

(d)an officer or a member of a body, office holder or board mentioned in paragraph (a), (b) or (c).

(3)Audit Scotland must not require a person to disclose data if—

(a)the disclosure would contravene [F4the data protection legislation],

[F5(b)the disclosure is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.]

(4)A disclosure made in response to a requirement imposed under subsection (1) does not breach—

(a)any duty of confidentiality owed by the person making the disclosure, or

(b)any other restriction on the disclosure of data.

(5)A person mentioned in subsection (2) who without reasonable excuse fails to comply with a requirement made in accordance with this section is guilty of an offence and liable on summary conviction to a fine not exceeding level 3 on the standard scale.

26D Disclosure of results of data matching

(1)This section applies to the following data—

(a)data relating to a particular person obtained by or on behalf of Audit Scotland for the purpose of carrying out a data matching exercise, and

(b)the results of such an exercise.

(2)Data to which this section applies may be disclosed by or on behalf of Audit Scotland if the disclosure is—

(a)for, or in connection with, a purpose for which a data matching exercise is carried out,

(b)to a Scottish audit agency, or a related party, for, or in connection with a function of that audit agency under—

(i)Part 2 of this Act, or

(ii)Part 7 of the Local Government (Scotland) Act 1973 (c.65) (finance),

(c)to a United Kingdom audit agency, or a related party, for, or in connection with, a function of that audit agency corresponding or similar to—

(i)the functions of a Scottish audit agency, or

(ii)the functions of Audit Scotland under this Part, or

(d)in pursuance of a duty imposed by or under an enactment.

(3)“Scottish audit agency”, for the purpose of subsections (2)(b) and (c)(i), means—

(a)the Auditor General, or

(b)the Accounts Commission.

(4)“United Kingdom audit agency”, for the purposes of subsection (2)(c), means—

[F6(a)the Comptroller and Auditor General,]

[F7(b)the Secretary of State,

(ba)the Minister for the Cabinet Office,

(bb)a local auditor within the meaning of the Local Audit and Accountability Act 2014,]

(c)the Auditor General for Wales,

(d)the Comptroller and Auditor General for Northern Ireland, or

(e)a person designated as a local government auditor under article 4 of the Local Government (Northern Ireland) Order 2005 (S.I. 2005/1968 (NI.18)).

(5)“Related party”, in relation to a Scottish or United Kingdom audit agency means—

(a)a person acting on its behalf,

(b)a body or office holder whose accounts are required to be audited by it or by a person appointed by it, or

(c)a person appointed by it to audit those accounts.

(6)If the data used for a data matching exercise includes patient data—

(a) subsection (2)(a) applies only so far as the purpose for which the disclosure is made relates to a relevant NHS body, and

(b)subsection (2)(b) or (c) applies only so far as the function for, or in connection with, which the disclosure is made relates to such a body.

(7)In subsection (6)—

  • “patient data” has the same meaning as section 26B(4), and

  • “relevant NHS body” means—

    (a) an NHS body as defined in section 22(1) of the Community Care and Health (Scotland) Act 2002 (asp 5),

    (b) [F8 a body mentioned in paragraph (a), (b) or (c) of paragraph 4(12) of Schedule 9 to the Local Audit and Accountability Act 2014 (“relevant NHS body”);]

    (c) a Welsh NHS body as defined in section 60 of the Public Audit (Wales) Act 2004 (c.23),

    (d) a

(8)Data disclosed under subsection (2) may not be further disclosed except—

(a)for, or in connection with—

(i)the purpose for which it was disclosed under subsection (2)(a), or

(ii)the function for which it was disclosed under subsection (2)(b) or (c),

(b)otherwise for the investigation or prosecution of an offence, or

(c)in pursuance of a duty imposed by or under an enactment.

(9)Except as authorised by subsections (2) and (8), a person who discloses data to which this section applies is guilty of an offence and liable—

(a)on summary conviction, to imprisonment for a term not exceeding 12 months, to a fine or to both, or

(b)on conviction on indictment, to imprisonment for a term not exceeding two years, to a fine or to both.

Textual Amendments

F7 S. 26D(4)(b)-(bb) substituted for s. 26D(4)(b) (1.4.2015) by Local Audit and Accountability Act 2014 (c. 2), s. 49(1), Sch. 12 para. 47(2); S.I. 2015/841, art. 3(x) (with Sch. para. 2) (as amended (27.6.2016) by S.I. 2016/675, art. 2)

F8 Words in s. 26D(7) substituted (1.4.2015) by Local Audit and Accountability Act 2014 (c. 2), s. 49(1), Sch. 12 para. 47(3); S.I. 2015/841, art. 3(x) (with Sch. para. 2) (as amended (27.6.2016) by S.I. 2016/675, art. 2)

26E Publication of reports on data matching

(1)Audit Scotland may publish a report on a data matching exercise (including a report on the results of an exercise).

(2)Such a report must not include data relating to a particular person if—

(a)the person is the subject of any data included in the data matching exercise,

(b)the person can be identified from the data, and

(c)the data is not otherwise in the public domain.

(3)A report published under subsection (1) is to be published in such manner as Audit Scotland considers appropriate for the purposes of bringing it to the attention of those members of the public who may be interested.

(4)Nothing in section 26D prevents publication under this section.

(5)This section does not affect any powers of an auditor where the data matching exercise in question forms part of an audit under—

(a)Part 2 of this Act, or

(b)Part 7 of the Local Government (Scotland) Act 1973 (c.65) (finance).

26F Data matching code of practice

(1)Audit Scotland must prepare, and keep under review, a code of practice with respect to data matching exercises.

(2)Regard must be had to the code in carrying out and participating in any such exercise.

(3)Audit Scotland must consult the following persons before preparing or altering the code of practice—

(a)the Information Commissioner,

(b)the persons mentioned in section 26C(2), and

(c)any other person Audit Scotland thinks fit.

(4)Audit Scotland must, from time to time, publish the code.

26G Powers of the Scottish Ministers

(1)The Scottish Ministers may by order amend this Part—

(a)to add a public body to the persons mentioned in section 26C(2),

(b)to modify the application of this Part in relation to a public body so added, or

(c)to remove a person from the persons mentioned in section 26C(2).

(2)An order under this section may include such incidental, consequential, supplementary or transitional provision as the Scottish Ministers think fit.

(3)In this section, “public body” means a person whose functions—

(a)are functions of a public nature, or

(b)include functions of a public nature.

(4)A person referred to in subsection (3)(b) is a public body to the extent only of the functions referred to in that subsection.]