Sharing personal information when preventing, detecting and investigating scams and frauds
Introduction
Effective data sharing between organisations and across different digital sectors is an important factor in preventing data-enabled scams and fraud.
The UK GDPR and the Data Protection Act 2018 (DPA) do not prevent you from sharing personal information where it is appropriate to do so, or from taking steps to prevent harm.
This advice is aimed at private sector organisations across the digital economy such as financial services, telecommunications and digital platforms that want to share personal information with each other to support scam and fraud mitigation efforts.
Our role is to help and encourage organisations to carry out this data sharing in a confident, responsible and compliant way. That includes following the principles of the UK GDPR as well as ensuring that you respect people’s information rights.
The ICO continues to engage with private and public sector organisations to support efforts to prevent people being harmed from scams and fraud.
Our regulatory approach
The ICO’s regulatory approach seeks to create an environment in which people are protected, while ensuring that organisations which process personal information can operate and innovate efficiently. This involves us providing regulatory certainty about what the law requires, reducing the cost of compliance and improving standards.
It is also important for us to clarify how we plan to exercise our powers. We take fair, proportionate and timely regulatory action to protect people’s information rights. When considering whether a regulatory response is necessary, we will take into account any steps you have taken in good faith to share personal information in line with the law to protect people from harm.
While every case is different, we will always use our powers in a robust, targeted and proportionate manner, ensuring that organisations are not worried that we may impose disproportionate sanctions.
What should you consider when seeking to share data?
When you approach data sharing in a responsible, fair and proportionate way, data protection law enables you to share personal information for mitigating scams and fraud.
You are responsible for taking the right steps to ensure that you are meeting your data protection obligations:
- Carry out a Data Protection Impact Assessment (DPIA)
A DPIA will help you assess any benefits, risks or potential negative effects of the data sharing you plan to do, and whether it is lawful. Conducting a DPIA is a legal requirement where processing is likely to result in a high risk to people. It is also good practice to complete a DPIA for any major project that involves disclosing personal information, or for any plans for routine data sharing, even if there is no specific indicator of likely high risk.
- Be clear about responsibilities
You should consider at an early stage whether you will be separate or joint controllers. The ICO’s Data Sharing Code of Practice mainly covers sharing personal information from one controller to another. But the Code also applies to situations where organisations pool information they hold. When data pooling, organisations need to consider if they are separate or joint controllers.
- Set up data sharing agreements
It is good practice to formalise data sharing arrangements in advance through a data sharing agreement, particularly where data sharing is not an ad hoc or one-off occurrence. These agreements set out the purpose and practicalities of data sharing and set standards that help everyone involved to be clear about their responsibilities. This helps you to show how you are meeting your accountability obligations under UK GDPR.
- Identify a lawful basis
You must identify a valid lawful basis for sharing personal information before you start and be able to demonstrate that it applies. If you’re a private sector organisation sharing data for scams and fraud prevention, relevant lawful bases may include legitimate interests, consent or performance of a contract. If using the legitimate interests lawful basis, you need to demonstrate how your processing passes the three-part ‘legitimate interests assessment’ (LI assessment).
Example – Considerations when disclosing personal information under legitimate interests (LI assessment)
Telecommunications and digital platform firms know criminals can exploit their services to socially engineer and scam consumers. Where a consumer is considered likely to have been exposed to a scam on these services, they are at a higher, potentially imminent, risk of being defrauded.
When you share personal information with banks in a timely way, you could enable them to assess risk and put extra checks in place to help prevent harm.
If you are considering sharing data in these circumstances you could look at legitimate interests as a lawful basis because of the compelling justification of preventing harm.
Completing the three-part LI assessment could involve:
- Noting that fraud prevention is recognised by Recital 47 of the UK GDPR as a legitimate purpose for processing data, and setting out the specific types and categories of personal information you want to process, why you need them, and what the benefits and outcomes are likely to be.
- Providing a robust, detailed assessment showing that sharing specific types and categories of personal information is necessary, and that it is a targeted and proportionate way of preventing harm that cannot reasonably be achieved in a less intrusive way.
- Ensuring your interest in sharing specific data is balanced against the rights of the people whose data you are sharing. It can be helpful to think about whether people would expect their information to be shared or if it would cause them unwarranted harm.
Completing an LI assessment when relying on legitimate interests helps you ensure that data sharing with third parties is lawful. The LI assessment can apply to both one-off and recurring instances of data sharing. As the disclosing organisation, you’ll need to demonstrate that sharing is justified and compliant, but it will be the third party’s responsibility to determine the lawful basis for its own processing.
- Understand the type of information being shared
UK data protection legislation gives extra protection to special category data, as well as the personal information of offenders or suspected offenders in the context of criminal activity, allegations, investigations, and proceedings. If you are a private sector organisation processing this criminal offence data, you are unlikely to have official authority. That means you may only process criminal offence data if you can identify a specific condition for processing in Schedule 1 of the DPA 2018.
Example – Considerations when sharing criminal offence data
A customer realises they have engaged with a scam on a digital platform and reports suspicious transactions to their bank. During its inquiries, the bank gathers intelligence from the customer about the account on the digital platform that they considered was perpetrating the scam.
The bank wants to share this intelligence with the digital platform so that the scam is taken down and people are protected. This sharing may involve criminal offence data, because it relates to the people running the scam and so, at this stage, is information relating to a suspected offence.
The bank knows that additional protection applies when seeking to process and share criminal offence data. As the bank does not have official authority, it identifies a valid condition for this sharing in accordance with Article 10 of the UK GDPR and Schedule 1 of the DPA 2018. It must also have a lawful basis.
The bank relies on legitimate interests under Article 6 and takes into account the particular risks associated with criminal offence data in the LI assessment. The bank identifies a condition in Schedule 1 of the DPA (for example, preventing or detecting unlawful acts) and, as it is not an official authority, ensures that appropriate safeguards are in place.
The bank also develops an appropriate policy document before seeking to share this information. This is a document outlining the condition in Schedule 1 being relied upon, the bank’s procedures for complying with the principles in Article 5 and its retention and deletion policies for special category and criminal offence data.
Before any sharing takes place, the recipient of the personal information ensures that:
- they identify a lawful basis for processing and a condition under Schedule 1;
- appropriate safeguards are in place; and
- an appropriate policy document is developed.
- Comply with the data protection principles
The UK GDPR sets out the key principles that must lie at the heart of your approach to processing personal information, so that processing is done in compliance with the law.
  - Fairness and transparency: Before sharing data, consider all the legal implications and ensure that your grounds for sharing data are valid under the UK GDPR. Do not share data in a way that is unduly detrimental, unexpected or misleading to people; and be clear, open and honest with people from the start about what you will use their personal information for.
  - Purpose limitation: Be clear about and record the purposes of your processing in your internal documentation and in information given to people whose data you process. Ensure personal information that is shared is only used for a new purpose if it is compatible with your original purpose, you get consent, or you have a clear obligation or function set out in law.
  - Data minimisation, accuracy and storage limitation: Embed robust data standards when sharing personal information to ensure you are:
    - only sharing the personal information you need to. Privacy Enhancing Technologies can help you comply with data minimisation;
    - taking all reasonable steps to ensure the personal information processed is not incorrect or misleading; and
    - not keeping personal information that is shared for longer than is needed.
  - Security: Process personal information securely with appropriate organisational and technical measures in place. You should take reasonable steps to ensure that the data you share will continue to be protected with adequate security by the recipient organisation.
  - Accountability: Take responsibility for what you do with personal information. As part of this, you must adopt a “data protection by design and default” approach. This means putting in place appropriate technical and organisational measures to implement the data protection principles when sharing data, so you are safeguarding people’s rights.
- Respect people’s rights
You must have policies and procedures which allow people to easily exercise their data protection rights. In a data sharing agreement, it is good practice to appoint a single point of contact for people, which allows them to exercise their rights over their data that has been shared without making multiple requests to several organisations.