ICO calls on businesses to share data for tackling fraud

The Information Commissioner’s Office (ICO) warned businesses that reluctance to share personal information to tackle scams and fraud can amount to a failure to protect their users from harm, and reassured that “data protection law does not prevent organisations from sharing personal information, if they do so in a responsible, fair and proportionate way”.

These messages were sent out as the regulator published its new practical advice to support organisations to share data responsibly to tackle scams and fraud. It quoted official statistics to show that online scams and fraud are the most frequently experienced crime in the UK, accounting for 39% of all reported crime in England and Wales. The ICO’s advice includes practical considerations and case studies on data sharing under the UK’s data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). It is aimed at any organisations seeking to share personal information to identify, investigate and prevent fraud, especially banks, telecommunications providers and digital platforms.

In a statement, the ICO’s executive director for regulatory risk Stephen Almond said: “Protecting people must be the priority. I am warning organisations today that data protection law is not an excuse and it does not stop you sharing data that may assist with tackling fraud. Organisations acting responsibly can be reassured that we will take this into account if something goes wrong and we need to consider a regulatory response.”

As one example contained in the document, organisations may wish to explore sharing personal information with banks to identify users who are likely to have been exposed to a scam on their services. Timely sharing of this data could help banks to assess the risk and ensure extra checks are in place to prevent fraud, according to the ICO.

In another example, the ICO said that banks could share intelligence of scams and their perpetrators raised by their customers with the digital platform where the scams took place, so the scam is taken down and customers are protected. However, it also advised that as banks are not an official authority and the sharing may involve criminal offence data, banks should ensure appropriate safeguards are in place and develop an appropriate policy document before sharing this information.

Malcolm Dowden, a data protection expert at Pinsent Masons, said: “although framed as a warning, the ICO’s messages are helpful as they make it clear that steps taken in good faith to share personal information in line with the law to protect people from harm will be taken into account when the ICO considers whether a regulatory response is necessary. It underlines the point that data protection law is not designed to prevent the sharing of personal data, but to ensure that any sharing is lawful, fair and transparent. If the purpose is to improve the protection of individuals from online scams and fraud, then organisations ought not to be penalised for taking reasoned and appropriate steps.”

The ICO said the latest practical advice is a part of a wealth of resources from the ICO on sharing data responsibly, which also includes the ICO’s statutory Data Sharing Code, sector specific guidance, and practical case studies.