Data Sharing: ICO calls on organisations to do more to help tackle scams and fraud

The Information Commissioner’s Office (“ICO”) has published an open letter calling on organisations to “share personal information responsibly to protect their customers from scams and fraud”.

The letter responds to concerns that organisations are reluctant to share personal information with third parties in order to help tackle scams and fraud. In particular, it refers to information being withheld from banks, telecommunications providers and digital platforms that could otherwise help them identify, investigate and prevent fraud.

The letter makes plain that “data protection law does not prevent organisations from sharing personal information, if they do so in a responsible, fair and proportionate way”.

Accompanying the letter, the ICO has published practical advice (supplementing its general guidance on data sharing) that aims to help organisations understand how to share such information in a way that complies with their data protection obligations. In particular, it sets out six steps that organisations should consider:

  1. Carry out a Data Protection Impact Assessment. This will help organisations to “assess any benefits, risks or potential negative effects of the data sharing you plan to do, and whether it is lawful”.
  2. Be clear about responsibilities. Organisations should consider whether the third party with whom they share information will be a separate or joint controller.
  3. Set up data sharing agreements. The ICO recommends formalising data-sharing arrangements in advance (especially where data sharing will not be a one-off) so as to set out the “purpose and practicalities of data sharing” and thereby meet accountability obligations under the UK GDPR.
  4. Identify a lawful basis. The ICO suggests that “if you’re a private sector organisation sharing data for scams and fraud prevention, relevant lawful bases may include legitimate interests, consent or performance of a contract” and provides examples of how to conduct a legitimate interests assessment in such a situation.
  5. Understand the type of information being shared. The guidance reminds organisations of the extra protection afforded to special category data and criminal offence data. It sets out a number of matters to consider if it is contemplated that such data will be shared.
  6. Comply with data protection principles. Finally, the guidance reiterates the need for organisations to have the key principles of data protection “at the heart” of their approach to sharing information.

Commenting on the publication of the letter and the new guidance, Stephen Almond, Executive Director for Regulatory Risk at the ICO, said: “From emotional distress to financial damage, scams and fraud have serious consequences. We strongly support responsible and effective data sharing between organisations, which is key to staying one step ahead of criminals and preventing scams before they cause harm. Protecting people must be the priority – I am warning organisations today that data protection law is not an excuse and it does not stop you sharing data that may assist with tackling fraud. Organisations acting responsibly can be reassured that we will take this into account if something goes wrong and we need to consider a regulatory response.”