Dear Audit Scotland,
The questions below relate to Public Service pensions in Scotland.
1.How Long should data matching material obtained from the benefits agency and unrelated to the administration of a current pension be held?
2.Please supply a copy of the current code of data matching Practice.
Dear Mr Caulfield,
This email is to acknowledge and reply to your Freedom of Information
request dated 17 December in which you requested information on the
Retention of Data Matching Material Scottish Public Pensions Agency.
1. How Long should data matching material obtained from the benefits
agency and unrelated to the administration of a current pension be
The Audit Commission run the NFI data processing and matching of data
on behalf of Audit Scotland for data submitted by participating
Scottish bodies. The Audit Commission have a contract with a company
called Synectics Solutions who actually undertake the data processing
across the UK for the NFI exercises. They are responsible for hosting
data, security and destruction. Details of the security review and
accreditation of the NFI systems are found at Appendix 1 to our latest
NFI report which can be found here
Any NFI requested Benefits Agency data is supplied by the DWP directly
to the Audit Commission for the UK.
Scottish Public Pensions Agency (SPPA) supplies the Scottish Pensions
data for those pensions schemes which they administer.
In terms of data retention and destruction these are covered by the
Code of Data Matching Practice which can be found here
Paragraph 2.18.4 summarises overall position regarding retention data:
'All original data submitted to Audit Scotland (or the Audit
Commission on its behalf) will be destroyed and rendered irrecoverable
by the Audit Commission within six months of submission by the
participant. Subject to paragraph 2.18.5 below, all data that are
derived or produced from that original data, including data held by
any firm undertaking data matching as the agent of Audit Scotland or
the Audit Commission, will be destroyed and rendered irrecoverable
within three months of the conclusion of the exercise.'
Paragraph 2.18.3 summarises local position for bodies regarding
retention of data:
'Participants and their auditors may decide to retain some data after
this period. Data may, for example, be needed as working papers for
the purposes of audit, or for the purpose of continuing investigation
or prosecution. Participants should consider what to retain in their
individual circumstances in the light of any particular obligations
imposed on them. Mandatory participants, to which the AGS or Accounts
Commission appoints an auditor, should discuss with their auditor what
should be retained for the purposes of audit. All participants should
ensure that data no longer required, including any data taken from the
secure NFI website, are destroyed promptly and rendered irrecoverable.
Data retained will be subject to the requirements of the Data
Protection Act 1998.'
The SPPA is a mandatory participant and is therefore required to
comply with these Code provisions regarding retention and destruction
of data and the Data Protection Act.
2. Please supply a copy of the current Code of Data Matching Practice.
Link to the current Audit Scotland Code:
Corporate Governance Manager
Audit Scotland|110 George Street|Edinburgh|EH2 4LH
Switchboard: 0131 625 1500| E-mail: [email address]
Right of review and appeal
If you are dissatisfied with how we have handled your information request
or would like us to reconsider the decision we made, please write to:
Diane McGiffen, Chief Operating Officer, at 110 George Street, Edinburgh,
EH2 4LH. You should do this as soon as possible and within 40 working days
of the date of issue of our response to your request.
If, after that, you are still not satisfied you can ask the Scottish
Information Commissioner to review how we dealt with your request. This
should be done within 6 months after the date of receipt of our response
to your review. The Commissioner is independent of Audit Scotland and can
decide whether we acted properly and according to the Freedom of
Information (Scotland) Act 2002.
The Information Commissioner can be contacted at: The Scottish Information
Commissioner, Kinburn Castle, Doubledykes Road, St Andrews, Fife, KY16
9DS, Tel 01334 464 610, email [email address]
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
4. mailto:[email address]
5. mailto:[email address]