Check out the latest information and advice on coronavirus (COVID-19).
The Central Midlands Audit Partnership is an Internal Audit partnership which consists of 6 partner organisations – Derby City Council, South Derbyshire District Council, Amber Valley Borough Council, Derby Homes, Derbyshire Fire & Rescue Service and Ashfield District Council. The Partnership is “hosted” by Derby City Council. Our address is The Council House, Corporation Street, Derby, DE1 2FS.
The team will have access to information held by service areas in order to be able to undertake their work; this may include the following types of data:
Information is collected in a number of ways. This includes:
CMAP provides an independent function whose primary objective is to provide assurance to the partner organisations on their risk management, control, fraud and governance processes. The requirement for internal audit function is set out in legislation; Section 151 of the Local Government Act 1972. The requirement for an annual governance statement is defined in the Accounts and Audit Regulations 2015.
The team comprises two main functions:
These functions require us to hold or have access to information from systems and processes across the council so that we can undertake our work and in doing so:
Where required we may publish and/or shared with key stakeholders (partners) information collected in the course of the audit work/investigation.
Coronavirus has been added as a notifiable disease under the Health Protection (Notification) Regulations 2010. Under the Public Health (Control of Disease) Act 1984 and associated Regulations; and the Coronavirus Act 2020 and associated Regulations the Council has a legal duty to store, process and share personal information. The information will be stored, processed and shared as part of the national, and local Coronavirus Test and Trace operations where necessary for investigations, as well as the testing and tracing of individuals, groups or businesses; and to assist in the investigation into cases of Coronavirus; Coronavirus outbreaks and issues of non-compliance with the Acts and associated Regulations. The information will also be used; interrogated and mapped to inform the Councils actions and decision making processes. Any such storage, processing or sharing of information will be done in the public interest in order to promote health and wellbeing.
During the investigation of cases and/or outbreaks of Coronavirus, information which is gathered may be shared between departments within Derby City Council; with other Councils associated with an outbreak; other health services or with other government bodies associated with the control of the Coronavirus. The Council has a duty to notify national Government bodies, such as Public Health England, and the relevant local authority where an individual resides (if different), where there are suspected Coronavirus cases. The Council will disclose the information under Article 9(2)(j) of GDPR (processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health), and confidential information may be lawfully disclosed in the public interest, without consent, where the benefits to an individual or to society outweigh both the individual’s and the public interest in maintaining the confidentiality of such data.
The Council may contact staff, service users, residents, patients, businesses and premises with messages relating to Coronavirus by text, phone, letter or e-mail. This contact is not direct marketing; therefore we do not need your Consent before contacting you. There is more information available on the national Information Commissioners Office approach to the current epidemic here: https://ico.org.uk/
CMAP has a duty to protect the public purse. The following acts and regulations provide the basis on which the officers of the team operate:
We may share elements of information with other internal services within partner organisations to enable the establishment of the effectiveness or otherwise of corporate systems and processes.
During the course of an investigation data may be shared with other departments within partner organisations such as human resources; with government departments and organisations such as the Cabinet Office (National Fraud Initiative), the police, Her Majesty’s Revenues and Customs, the department for work and pensions, the National Health Service, and the border agency etc.
Information may be shared with legal practitioners, tribunals and courts where criminal or civil action is taken against an individual.
We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes.
CMAP has retention schedules in place that ensure information is only held for as long as it is needed.
The partners’ IT security and confidentiality policies ensure that your information is protected, and available only to staff directly involved in your care. Details of how we keep your information secure are available on the general privacy information page.
If you want to know more about how CMAP uses information, your rights or have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance.
You can contact our Data Protection Officer on 01332 640763 or by email at firstname.lastname@example.org.
For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO):