GDPR & Fraud: Can organisations in the private sector share personal data relating to fraud?
The UK GDPR imposes strict rules on how organisations deal with personal data. Whilst the legislation is designed to give individuals control over their personal data and ensure that organisations handle it responsibly, it does not prohibit data sharing between organisations.
In situations concerning fraud or suspected fraud, organisations are permitted to share personal data if they do so responsibly and have due regard to the rights of the individual. This enables organisations to work together to try to combat fraud, which is clearly in the public interest.
This note focuses on the application of the UK GDPR to private sector organisations only. Certain aspects of the legislation apply differently to public sector organisations and private sector organisations vested with public sector tasks.
The data protection principles
Under the UK GDPR, personal data must be:
- Processed lawfully, fairly and transparently
- Collected for specific, explicit and legitimate purposes
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Stored for no longer than necessary
- Processed securely to ensure confidentiality and integrity
In addition, the controller is responsible for, and must be able to demonstrate, compliance with these principles (the accountability principle in Article 5(2) UK GDPR). The assessments and documents described later in this note are the main way of demonstrating that compliance.
Lawful basis for sharing personal data relating to fraud
As well as complying with the above principles, organisations must have a lawful basis for processing personal data. ‘Processing’ includes sharing. ‘Personal data’ includes any information which relates to an identifiable individual (e.g. names, addresses, bank details, online identifiers).
Under the UK GDPR, there are six lawful bases for processing personal data; however, the most relevant for private sector organisations in cases of fraud are:
- Consent (Article 6(1)(a)) – If an organisation clearly informs a customer that their personal data may be shared in fraud investigations and the customer consents by a clear affirmative act, this would be a lawful basis for sharing. Note that consent must be freely given, specific, informed and unambiguous (Article 4(11)), so consent bundled into an organisation’s Ts&Cs or privacy statement is unlikely to be valid. In addition, as consent can be withdrawn at any time, it is not a particularly reliable basis for processing personal data relating to fraud.
- Legal obligation (Article 6(1)(c)) – This can be relied upon where an organisation has a legal obligation to share personal data relating to a fraud, such as financial institutions reporting fraudulent transactions in accordance with their AML obligations (which are beyond the scope of this note).
- Legitimate interests (Article 6(1)(f)) – This is the most common basis relied upon by organisations sharing personal data relating to fraud. Recital 47 UK GDPR expressly recognises that processing strictly necessary for the purposes of preventing fraud constitutes a legitimate interest. Where an organisation has a legitimate interest in preventing fraud and that interest is not overridden by the rights and freedoms of the individual, data sharing may be justified. For example, where financial institutions and insurers share information about known fraudsters in order to detect patterns of fraud and prevent further fraudulent activity.
Before relying on this basis, organisations should conduct and document a Legitimate Interests Assessment (“LIA”), which essentially involves three elements:
- Identifying a legitimate interest – in this case, fraud prevention.
- Showing that sharing the personal data is necessary to achieve it. If the same result can be achieved in a less intrusive way, then legitimate interests will not apply.
- Balancing the interests of the organisation against the rights of the individual. If the individual would not reasonably expect their personal data to be shared for this purpose, or if it would cause unjustified harm, then the interests of the individual are likely to override the interests of the organisation.
Sharing special category data and criminal offence data relating to fraud
If the personal data to be shared includes special category data (e.g. personal data that relates to health or racial/ethnic origin), then the organisation must, in addition to having a lawful basis for processing under Article 6 UK GDPR, also satisfy a condition under Article 9(2), for example:
- The individual gave explicit consent (Article 9(2)(a)).
- Sharing the personal data is necessary for the establishment, exercise or defence of legal claims (Article 9(2)(f)).
- There is a substantial public interest (Article 9(2)(g)). In order to rely on this condition, the organisation must also satisfy one of the substantial public interest conditions in Schedule 1, Part 2 of the Data Protection Act 2018 (“DPA”). In this scenario, the paragraphs most likely to be relevant are 10 (necessary for preventing or detecting unlawful acts) and 14 (necessary for preventing fraud).
If the personal data to be shared includes criminal offence data (e.g. personal data that relates to criminal convictions or alleged offences, such as suspected fraud), then under Article 10 UK GDPR the organisation must, in addition to having a lawful basis for processing under Article 6, also satisfy a condition under Schedule 1 of the DPA. Again, the paragraphs most likely to be relevant are 10 (necessary for preventing or detecting unlawful acts) and 14 (necessary for preventing fraud).
Given the risks to individuals, there is more emphasis on obtaining consent to process special category and criminal offence data. Where organisations are relying on paragraph 10 to process special category or criminal offence data, they will need to show that the processing is necessary for reasons of substantial public interest (for special category data only), justify why explicit consent has not been obtained (if that is the case) and consider whether an ‘appropriate policy document’ is required.
However, where organisations are relying on paragraph 14, substantial public interest is assumed and they do not need to justify why explicit consent has not been obtained, but they will require an ‘appropriate policy document’. Note that paragraph 14 is only available where the disclosure is made by a member of, or in accordance with arrangements made by, an ‘anti-fraud organisation’ (as defined in section 68 of the Serious Crime Act 2007), or where the data was originally disclosed in that way; an organisation sharing fraud data outside such an arrangement will generally need to rely on paragraph 10 instead. In relation to both paragraphs, the organisation must be able to show that the processing is ‘necessary’ – according to the ICO, it does not have to be absolutely essential, but it must be more than just useful or standard practice, and it must be a targeted and proportionate way of achieving the purpose described.
What is an ‘appropriate policy document’?
An appropriate policy document outlines an organisation’s compliance measures and retention policies for special category and criminal offence data. It must set out the Schedule 1 condition the organisation is relying on, its procedures for complying with each of the data protection principles, its retention and deletion policies and an indication of the retention period for the data that is being shared. The document must be kept under review, retained until at least six months after the relevant processing ends, and made available to the ICO on request. A template policy can be found on the ICO website.
Data Protection Impact Assessments
Before sharing personal data with another organisation, a data protection impact assessment (“DPIA”) should be carried out. This will help assess the benefits and risks of the intended data sharing and whether it is lawful. DPIAs must be carried out where sharing the personal data is likely to result in a high risk to the rights and freedoms of individuals; the ICO’s examples include processing special category or criminal offence data on a large scale, and matching or combining datasets from different sources (which is common in fraud detection). A template DPIA can be found on the ICO website.
Data Sharing Agreements
Data sharing agreements (“DSAs”) between organisations help to ensure compliance with the UK GDPR and the DPA, and it is good practice to have them in place where two or more separate legal entities regularly share personal data for fraud prevention, detection or investigation. DSAs set out the purpose of the data sharing, define what happens to the data at each stage, and ensure that the parties are clear about their roles and responsibilities in relation to the data. A DSA might be used, for example, where a bank is sharing fraud data with a credit reference agency. Note that a DSA covers controller-to-controller sharing; where the recipient will process the data only on the sharing organisation’s instructions (i.e. as a processor rather than a controller), a written contract meeting the requirements of Article 28 UK GDPR is mandatory rather than merely good practice.
There is a wealth of information on the ICO website about what a DSA should include; but in brief it should cover:
- The parties to the agreement and identify who the data controllers are at each stage
- The purpose of the data sharing initiative (e.g. fraud prevention)
- The process by which other organisations can be included in (or existing organisations excluded from) the arrangement
- The types of personal data that will be shared (organisations should share the minimum information necessary to achieve the purpose)
- The lawful basis for sharing (e.g. legal obligation or legitimate interest)
- Whether any special category or criminal offence data will be shared and, if so, the relevant Article 9(2) and/or Schedule 1 DPA condition for processing it
- Security measures, including how the data will be transferred, stored and protected
- Retention periods and how the data will be securely deleted
- Transparency and the rights of individuals, including informing individuals (e.g. in a privacy notice) that their data might be shared for fraud prevention purposes; and explaining how individuals can access, rectify or object to the processing of their personal data. Individuals may have limited rights to access, object to the processing of, or erase criminal offence data if exercising those rights would interfere with a fraud investigation.
- How compliance with the agreement will be monitored and reviewed
Examples of data sharing in the private sector where there is suspected fraud
The examples below assume that the organisation sharing the data has complied with the data protection principles, has a lawful basis for processing and, where necessary, meets the conditions under Article 9(2) UK GDPR and Schedule 1 DPA. The organisation should also have carried out a DPIA and have in place an appropriate policy document and a data sharing agreement (where required).
- A customer reports an unauthorised transaction to their bank. The bank investigates and concludes that the transaction was made using stolen card details. The bank shares the relevant transaction data with law enforcement authorities in order to assist with their investigation; other financial institutions in order to determine whether similar frauds have been committed; and fraud prevention databases in order to try to prevent fraudsters from targeting other banks.
- An online retailer spots that several high-value orders have been placed using different credit cards with different payer details but delivered to the same address. The retailer shares the information with the payment processor which flags the transactions as fraudulent, and then reports the incident to law enforcement authorities.
- A bank receives a loan application; however, the individual in whose name it was made has no knowledge of it. The bank therefore concludes that this is a case of identity theft and shares the data with credit reference agencies in order to alert them to the fraudulent activity; other banks in order to try to prevent the fraudster from applying for a loan elsewhere; and law enforcement in order that they can investigate the identity theft.
There are some additional considerations where an organisation shares personal data with a law enforcement authority, including whether any exemptions apply (such as the crime and taxation: general exemption which is set out in Schedule 2 DPA) which would relieve the organisation of certain obligations. This is beyond the scope of this note.
Summary
Organisations in the private sector are permitted to share personal data where fraud is suspected, but in order to ensure they are compliant with the relevant data protection laws, they must:
- Comply with the data protection principles
- Have a lawful basis for sharing the data
- Where special category or criminal offence data is being shared, satisfy the relevant condition(s) under Article 9(2) UK GDPR and Schedule 1 DPA
- Have in place an appropriate policy document if required
- Carry out a data protection impact assessment (required where the sharing is likely to result in a high risk to individuals, such as special category or criminal offence data shared on a large scale, but good practice even where it is not)
- Have in place a data sharing agreement where personal data is shared regularly (again, good practice even where it is not)
If your business requires assistance in formulating its approach to data sharing in relation to fraud prevention and detection, please contact Elaine Mitchell at Elaine.Mitchell@tenetlaw.co.uk with any questions or to arrange a call so we can understand more about your business and the specific challenges you face.
We are always keen to invest our time helping organisations navigate the complex world of responding to and avoiding fraud, so please do reach out and get to know us.