National Audit Office

Privacy Policy

We are committed to protecting our visitors’ and/or users’ privacy and we will not collect any personal information about you as a visitor unless you provide it voluntarily.

Pursuant to the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act (Cap 586), we have a legal duty to respect and protect any personal information we collect from you and we will abide by such duty. We take all safeguards necessary to prevent unauthorised access and we do not pass on the details collected from you as a visitor and/or user to any third party unless you give us your consent to do so or as authorised by law.

Our privacy statement applies to information we collect in connection with:

  • Our statutory audit work
  • Job applicants
  • Current and former employees
  • Correspondence and communication including subject access requests or freedom of information enquiries
  • Our events
  • Visitors to our website
  • The use of cookies by the National Audit Office
  • Suppliers of goods and services

Data Protection Officer

We have appointed a Data Protection Officer who is responsible for overseeing how our data is used, our information governance policies and procedures, privacy notice and your rights as an individual under data protection law. If you have any queries or concerns about our use of personal information or this notice, here are the contact details:

E-mail: dpo@nao.gov.mt;

Phone: +(356) 22055000;

Postal mail at National Audit Office, Notre Dame Ravelin Floriana VLT1601.

Data Protection law

The purposes for which the NAO processes personal data are derived from Section 108 of the Constitution of Malta which sets out the Auditor General’s general mandate, the Auditor General and the NAO Act of 1997 and Standing Order No. 120 of the House of Representatives of 1995 which extends the mandate, and the Local Councils Act of 1995 that imposed special obligations and responsibilities on the Auditor General and the NAO.

We process data where we have a clear legal basis for doing so and where it is proportionate and necessary in pursuance of our roles and responsibilities. In practice this means that we may potentially collect, use, store and transfer different kinds of personal data.

When we undertake audit work under our statutory powers, we may collect information from public bodies that contains some personal data.

Personal data that we collect from public bodies or directly through individuals (but not using cookies) may be used in audit tests to help us form audit opinions and to provide audit reports. We will only use this information for the purpose for which it was collected. We will hold the data securely in accordance with our Information Technology and Data Management Policy. When the data is no longer needed, it will be disposed of in accordance with our retention schedule as specified in our said policy.

The NAO ensures that personal data is processed in terms of the Data Protection Act (Chapter 586 of the Laws of Malta – “the DPA”) and the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “the GDPR”).

The NAO ensures the confidentiality and security of such personal data.

Job Applicants

The information you provide as part of the application process will be treated in confidence and will be shared only with the Finance and Administration Section and Management. We will not disclose information to any third parties without informing you beforehand or unless the disclosure is required by law.

We hold personal information about unsuccessful candidates for a maximum period of 2 years after the recruitment process has been completed and it will then be destroyed or deleted.

Current and former employees

We process personal data for current and former employees that includes identity data, contact data, work data and financial data for payroll and accounting purposes.

All the above data is protected under the DPA and the GDPR and, unless disclosure is required by law, no such data will be shared with third parties without the consent of the employees.

The NAO also keeps a personal file record for all current and former employees.

Every employee has the right of access to whatever information is held on him/her in the payroll and accounting systems and in his/her personal files.

We will retain information for employees who terminate their employment with the NAO in accordance with the requirements of our retention schedule as specified in the IT policy.

People who make a complaint or correspond with us

When we receive a complaint, correspondence or concerns about the National Audit Office or a public body we audit, or a subject access request or freedom of information request, we hold the correspondence in a file.

We will only use the personal information we collect to process the complaint, correspondence, or request. We may have to disclose your details when we are investigating any matters that you raise, and if you tell us that you do not want us to disclose or share your personal information, we will try to respect this. However, it may not be possible to investigate your request on an anonymous basis.

We will keep information provided to us in complaints, correspondence, subject access requests, or freedom of information requests in line with our retention policy.

Events

We organize and facilitate events on our own as well as in collaboration with other public bodies.

Events can include conferences, engagement, or other meetings and events.

Any information that is specifically collected whether as a delegate, facilitator or contributor will not be disclosed to third parties without your consent.

Visitors to our Website

We may need to communicate with visitors to our website for administrative or operational reasons. Where we collect specific information for this purpose, we will not pass it on to any other organization.

We also collect standard internet log information and details of visitor behaviour patterns when someone visits our website. We do this to find out things such as the number of visitors to the various parts of our site, to monitor the download of our reports and publications and to help improve the service we provide.

This data collection process is carried out electronically in the background and visitors to our website may not be aware that this is taking place. We believe that this process is not intrusive to visitors’ privacy as we do not attempt to find out the identities of visitors to our website. The standard internet log information collected will only be used for the purposes mentioned and will not be passed on to any organisation.

Use of cookies

We use cookies to collect internet information from visitors to our website. A cookie, also known as an HTTP cookie, web cookie or browser cookie, is usually a small file sent from a website and stored in a user’s browser when a user accesses certain websites. We use cookies to help make our website function effectively and efficiently and to give us information about your use of the site along with that of other visitors.

Other websites

Our website may contain links to other websites which are outside our control and are not covered by this notice. If you access other sites using the links provided, the operators of these sites may collect information from you which will be used by them in accordance with their privacy notice which may differ from ours.

Social media features and widgets

Our website includes links to social media such as Facebook and LinkedIn and these features may collect information such as your IP address, which web page you are looking at on our website and may set a cookie to enable a feature to function properly. Social media features may be hosted by a third party or directly on our website. Your interaction with these features is governed by the privacy policy of the company providing them.

Suppliers

We hold information about our suppliers in our accounting system for the purpose of managing our relationship with them, such as placing orders and arranging for payment to be made. This information may be used for internal reporting purposes.

Access to Personal Information

In terms of the GDPR and the DPA, any individual may request from the NAO access to and rectification of personal data, and, in certain circumstances, has:

  • The right to erasure of personal data.
  • The right to restriction of the processing.
  • The right to object to the processing of the personal data.
  • The right to data portability.

Such requests may be made in writing to the NAO’s Data Protection Officer. In addition, an individual has a right to lodge a complaint with the Office of the Information and Data Protection Commissioner (www.idpc.gov.mt).

Changes to this Privacy Notice

If there are any changes to this Privacy Notice, the NAO will replace this page with an updated version. Therefore, it is in one’s own interest to check the “Privacy Notice” page to be aware of any changes which may occur from time to time.