Statutory framework

The Commission conducts data matching exercises under its statutory powers in the Audit Commission Act 1998, Part IIA.

Legislation requires the Commission to prepare a code of practice to govern its data matching exercises, and to consult over it before approving and laying it before Parliament. The code of data matching practice 2008 was laid before Parliament on 21 July 2008. The 2008 Code replaced the previous Code published by the Commission in May 2006.

The Commission may carry out data matching exercises for the purpose of assisting in the prevention and detection of fraud, as part of an audit or otherwise. The Commission may require certain bodies to provide data for data matching exercises. Currently these are all the bodies to which it appoints auditors other than registered social landlords. Other bodies may participate in its data matching exercises on a voluntary basis where the Commission considers it appropriate. Where they do so, the statute states that there is no breach of confidentiality and generally removes other restrictions in providing the data to the Commission. The requirements of the Data Protection Act 1998 continue to apply.

The Commission may disclose the results of data matching exercises to bodies that have provided the data and to auditors that it appoints. It may also disclose both data provided for data matching and the results of data matching to the Auditor General for Wales, the Comptroller and Auditor General for Northern Ireland, the Auditor General for Scotland, the Accounts Commission for Scotland and Audit Scotland, for the purposes of preventing and detecting fraud.

The processing of data by the Commission in a data matching exercise is carried out with statutory authority. It does not require the consent of the individuals concerned under the Data Protection Act 1998.