(1)The Public Finance and Accountability (Scotland) Act 2000 (asp 1) is amended as follows.
(2)In section 11 (Audit Scotland: financial provisions)—
(a)after subsection (1)(c) insert—
“(ca)carrying out a data matching exercise under section 26A,”, and
(b)after subsection (5) insert—
“(5A)Charges under subsection (1)(ca) may be imposed on (either or both)—
(a)persons who disclose data for a data matching exercise,
(b)persons who receive the results of such an exercise.”.
(3)After section 26 insert—
(1)Audit Scotland may carry out data matching exercises or arrange for them to be carried out on its behalf.
(2)A data matching exercise is an exercise involving the comparison of sets of data to determine how far they match (including the identification of any patterns and trends).
(3)The power in subsection (1) may be exercised for one or more of the following purposes—
(a)assisting in the prevention and detection of fraud,
(b)assisting in the prevention and detection of crime (other than fraud),
(c)assisting in the apprehension and prosecution of offenders.
(4)A data matching exercise may not be used for the sole purpose of identifying patterns and trends in a person's characteristics or behaviour which suggest the person is likely to commit fraud in the future.
(1)For the purposes of a data matching exercise, any person may disclose data to Audit Scotland (or a person acting on its behalf).
(2)Such disclosure does not breach—
(a)any duty of confidentiality owed by the person making the disclosure, or
(b)any other restriction on the disclosure of data.
(3)Nothing in this section authorises a disclosure—
(a)which contravenes the Data Protection Act 1998 (c.29),
(b)which is prohibited by Part 1 of the Regulation of Investigatory Powers Act 2000 (c.23) (interception, acquisition and disclosure of communications data), or
(c)of data comprising or including patient data.
(4)“Patient data” means data relating to an individual which is held for medical purposes and from which the individual can be identified.
(5)“Medical purposes” are the purposes of—
(a)preventative medicine,
(b)medical diagnosis,
(c)medical research,
(d)the provision of care and treatment,
(e)the management of health and social care services, and
(f)informing individuals about their physical or mental health or condition, the diagnosis of their condition or their care and treatment.
(6)Nothing in this section prevents disclosure of data under any other provision of this Act, another enactment or any rule of law.
(7)Data matching exercises may include data disclosed by a person outside Scotland.
(1)Audit Scotland may require the persons mentioned in subsection (2) to disclose to it (or a person acting on its behalf) such data as it (or the person acting on its behalf) may reasonably require for the purpose of carrying out data matching exercises in such form as it (or such person) may so require.
(2)Those persons are—
(a)a body or an office holder any of whose accounts is an account in relation to which sections 21 and 22 apply,
(b)a body whose accounts must be audited under Part 7 of the Local Government (Scotland) Act 1973 (c.65) (finance),
(c)a Licensing Board continued in existence by or established under section 5 of the Licensing (Scotland) Act 2005 (asp 16), or
(d)an officer or a member of a body, office holder or board mentioned in paragraph (a), (b) or (c).
(3)Audit Scotland must not require a person to disclose data if—
(a)the disclosure would contravene the Data Protection Act 1998 (c.29),
(b)the disclosure is prohibited by Part 1 of the Regulation of Investigatory Powers Act 2000 (c.23) (interception, acquisition and disclosure of communications data).
(4)A disclosure made in response to a requirement imposed under subsection (1) does not breach—
(a)any duty of confidentiality owed by the person making the disclosure, or
(b)any other restriction on the disclosure of data.
(5)A person mentioned in subsection (2) who without reasonable excuse fails to comply with a requirement made in accordance with this section is guilty of an offence and liable on summary conviction to a fine not exceeding level 3 on the standard scale.
(1)This section applies to the following data—
(a)data relating to a particular person obtained by or on behalf of Audit Scotland for the purpose of carrying out a data matching exercise, and
(b)the results of such an exercise.
(2)Data to which this section applies may be disclosed by or on behalf of Audit Scotland if the disclosure is—
(a)for, or in connection with, a purpose for which a data matching exercise is carried out,
(b)to a Scottish audit agency, or a related party, for, or in connection with a function of that audit agency under—
(i)Part 2 of this Act, or
(ii)Part 7 of the Local Government (Scotland) Act 1973 (c.65) (finance),
(c)to a United Kingdom audit agency, or a related party, for, or in connection with, a function of that audit agency corresponding or similar to—
(i)the functions of a Scottish audit agency, or
(ii)the functions of Audit Scotland under this Part, or
(d)in pursuance of a duty imposed by or under an enactment.
(3)“Scottish audit agency”, for the purpose of subsections (2)(b) and (c)(i), means—
(a)the Auditor General, or
(b)the Accounts Commission.
(4)“United Kingdom audit agency”, for the purposes of subsection (2)(c), means—
(a)the National Audit Office,
(b)the Audit Commission for Local Authorities and the National Health Service in England,
(c)the Auditor General for Wales,
(d)the Comptroller and Auditor General for Northern Ireland, or
(e)a person designated as a local government auditor under article 4 of the Local Government (Northern Ireland) Order 2005 (S.I. 2005/1968 (NI.18)).
(5)“Related party”, in relation to a Scottish or United Kingdom audit agency means—
(a)a person acting on its behalf,
(b)a body or office holder whose accounts are required to be audited by it or by a person appointed by it, or
(c)a person appointed by it to audit those accounts.
(6)If the data used for a data matching exercise includes patient data—
(a)subsection (2)(a) applies only so far as the purpose for which the disclosure is made relates to a relevant NHS body, and
(b)subsection (2)(b) or (c) applies only so far as the function for, or in connection with, which the disclosure is made relates to such a body.
(7)In subsection (6)—
“patient data” has the same meaning as section 26B(4), and
“relevant NHS body” means—
an NHS body as defined in section 22(1) of the Community Care and Health (Scotland) Act 2002 (asp 5),
a health service body as defined in section 53(1) of the Audit Commission Act 1998 (c.18),
a Welsh NHS body as defined in section 60 of the Public Audit (Wales) Act 2004 (c.23),
a
(8)Data disclosed under subsection (2) may not be further disclosed except—
(a)for, or in connection with—
(i)the purpose for which it was disclosed under subsection (2)(a), or
(ii)the function for which it was disclosed under subsection (2)(b) or (c),
(b)otherwise for the investigation or prosecution of an offence, or
(c)in pursuance of a duty imposed by or under an enactment.
(9)Except as authorised by subsections (2) and (8), a person who discloses data to which this section applies is guilty of an offence and liable—
(a)on summary conviction, to imprisonment for a term not exceeding 12 months, to a fine or to both, or
(b)on conviction on indictment, to imprisonment for a term not exceeding two years, to a fine or to both.
(1)Audit Scotland may publish a report on a data matching exercise (including a report on the results of an exercise).
(2)Such a report must not include data relating to a particular person if—
(a)the person is the subject of any data included in the data matching exercise,
(b)the person can be identified from the data, and
(c)the data is not otherwise in the public domain.
(3)A report published under subsection (1) is to be published in such manner as Audit Scotland considers appropriate for the purposes of bringing it to the attention of those members of the public who may be interested.
(4)Nothing in section 26D prevents publication under this section.
(5)This section does not affect any powers of an auditor where the data matching exercise in question forms part of an audit under—
(a)Part 2 of this Act, or
(b)Part 7 of the Local Government (Scotland) Act 1973 (c.65) (finance).
(1)Audit Scotland must prepare, and keep under review, a code of practice with respect to data matching exercises.
(2)Regard must be had to the code in carrying out and participating in any such exercise.
(3)Audit Scotland must consult the following persons before preparing or altering the code of practice—
(a)the Information Commissioner,
(b)the persons mentioned in section 26C(2), and
(c)any other person Audit Scotland thinks fit.
(4)Audit Scotland must, from time to time, publish the code.
(1)The Scottish Ministers may by order amend this Part—
(a)to add a public body to the persons mentioned in section 26C(2),
(b)to modify the application of this Part in relation to a public body so added, or
(c)to remove a person from the persons mentioned in section 26C(2).
(2)An order under this section may include such incidental, consequential, supplementary or transitional provision as the Scottish Ministers think fit.
(3)In this section, “public body” means a person whose functions—
(a)are functions of a public nature, or
(b)include functions of a public nature.
(4)A person referred to in subsection (3)(b) is a public body to the extent only of the functions referred to in that subsection.”.
Commencement Information
I1 S. 97 in force at 6.10.2010 by S.S.I. 2010/339, art. 2