Data protection law and sharing

by Mark Rowe

Data protection law does not prevent organisations from sharing personal information, if they do so in a responsible, fair and proportionate way, the data protection regulator, the ICO, has reiterated. The ICO, marking its 40th anniversary as the data privacy regulator, published new advice to provide clarity on data protection considerations and support organisations to share data responsibly to tackle scams and fraud. It’s aimed especially at banks, telecommunications providers and digital platforms.

For example, a business may wish to explore sharing personal information with banks to identify users who are likely to have been exposed to a scam on their services. Timely sharing of this data could help banks to assess the risk and ensure extra checks are in place to prevent fraud, the ICO said.

Stephen Almond, Executive Director for Regulatory Risk at the ICO, said: “From emotional distress to financial damage, scams and fraud have serious consequences. We strongly support responsible and effective data sharing between organisations, which is key to staying one step ahead of criminals and preventing scams before they cause harm.

“Protecting people must be the priority – I am warning organisations today that data protection law is not an excuse and it does not stop you sharing data that may assist with tackling fraud. Organisations acting responsibly can be reassured that we will take this into account if something goes wrong and we need to consider a regulatory response.”

Nick Sharp, Deputy Director Fraud in the National Economic Crime Centre, part of the National Crime Agency, welcomed the advice.

The ICO recommends that you carry out a Data Protection Impact Assessment (DPIA) of any benefits or risks; a DPIA is a legal requirement where processing is likely to result in a high risk to people. It’s good practice to formalise sharing in advance through an agreement, particularly where data sharing is not ad hoc or a one-off. You must identify a valid lawful basis for sharing personal information before you start, such as ‘legitimate interests’ (for example, preventing fraud), whereby a bank seeks to share reports of suspicious transactions with a digital platform for it to take down a scam.

For more resources on data sharing under the Data Protection Act 2018 visit https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/.