Opinion

Data protection guidance for firms sharing customer information for the prevention of fraud

Published Date
Jan 13 2025
The UK Information Commissioner’s Office (the ICO) has published guidance to help firms take steps to protect customers’ personal information when data is shared between firms to prevent fraud and scams.

Obstacles for information sharing

The recent Economic Crime Transparency Act 2023 (2023 Act), along with accompanying guidance published in late 2024, encouraged the quicker and easier sharing of customer information between firms in the UK financial sector for the purposes of preventing, detecting and investigating economic crime concerns (see our blog post here for further details).

However, a firm still needs to keep in mind various obligations when it shares or receives information, and these obligations give rise to practical difficulties in economic crime information sharing. One particular hurdle relates to data protection. The ICO, which is the UK’s data protection regulator, has now published seven steps that firms should take before sharing personal information for the prevention of scams and fraud, including in order to comply with the principles entrenched in the UK GDPR. The guidance is aimed at all firms in the digital economy, including financial services, telecommunications and digital platforms.

Factors for a firm to keep in mind when sharing personal data

In its recent guidance, the ICO aimed to reassure firms that the UK GDPR and the Data Protection Act 2018 (2018 Act) do not prevent them from sharing personal information where appropriate. Instead, it reminded firms of seven steps to be taken before sharing specific personal data to mitigate scams and fraud:

  1. Conduct a Data Protection Impact Assessment (DPIA). A firm should assess the risks, benefits, potential negative effects and lawfulness of sharing the personal data. Whilst this is only legally required where processing is likely to result in a high risk to people, the ICO indicated that it is good practice to complete a DPIA for any major project or routine data sharing, regardless of risk levels.
  2. Determine the nature of responsibilities. A firm should be clear from the outset (or at an early stage) whether it would be a data processor or a data controller.[1] Where firms are data controllers and pool information, they should also determine whether they are separate or joint controllers.
  3. Set up data sharing agreements. Data sharing agreements should be put in place in advance, in order to formalise the data sharing arrangements, particularly for routine data sharing exercises. Such agreements should establish the purpose and practicalities of data sharing as well as clarify the responsibilities of those involved.
  4. Identify a lawful basis. Before sharing personal data, firms should establish a valid lawful basis which, for the prevention of scams and fraud, may include (i) legitimate interests (in which case organisations must apply a three-part legitimate interests assessment), (ii) consent, or (iii) contractual obligations. Through the Data (Use and Access) Bill (reportedly dubbed the ‘DUA Lipa bill’ by staff at the ICO and discussed in our blog here), the UK Government proposes to amend the UK GDPR to establish a new and additional “recognised legitimate interest” legal basis to process personal data. Unlike the existing typical “legitimate interest basis”, no balancing test would be required to rely on the new basis. One such “recognised legitimate interest” is processing necessary for the purposes of (a) detecting, investigating or preventing crime or (b) apprehending or prosecuting offenders, and the UK Government’s explanatory notes recognise that ‘crime’ includes fraud.
  5. Identify the type of information. The UK GDPR and 2018 Act provide additional protection to “special category data” and certain criminal offence data, so a firm should carefully review the data that is proposed to be shared in order to determine whether any specific processing conditions apply, prior to sharing such information.
  6. Comply with data protection principles. A firm is still expected to comply with the key principles set out in the UK GDPR to process personal information.[2] These principles are: (i) fairness and transparency; (ii) limiting the purpose of information sharing; (iii) ensuring that robust data standards are in place, including data minimisation, accuracy and storage limitation; (iv) putting in place appropriate organisational and technical security measures; and (v) ensuring a firm takes accountability for the information it shares, including by adopting a data protection by design and default approach.
  7. Respect individuals’ information rights. A firm needs to have appropriate policies and procedures in place for individuals to exercise their data protection rights, such as a single point of contact in a data sharing agreement to avoid individuals needing to make multiple requests to multiple firms.

Information sharing in practice and regulatory expectations

Whilst the ICO’s guidance reassures firms that they will, in many cases, be able to lawfully share personal data in their efforts to tackle fraud, it remains unclear how much benefit firms gain from sharing information until it becomes a more widespread practice across the industry, given the relatively significant amount of work and cost that a firm needs to undertake first in order to protect itself.

Firms also need to remain aware of potential supervisory and/or enforcement queries if regulatory expectations of information sharing evolve over time. For example, where there are questions about whether a firm has shared personal information in a compliant manner, the ICO may be in contact. However, at least for the foreseeable future, the ICO has reassured firms that it will aim to take a fair, proportionate and timely approach when considering whether a regulatory response is necessary. This will include the ICO considering steps that firms have taken in good faith to share personal information and whether they have done so in compliance with their legal obligations to protect individuals from harm – so setting in place strong policies and processes may be key.

Footnotes:

  [1] The ICO Data Sharing Code of Practice covers sharing personal information from one controller to another, and it also applies to data pooling.
  [2] UK GDPR Data Protection Principles.