On April 16, 2015, the U.K. Information Commissioner’s Office (“ICO”) published the results of a survey of data sharing arrangements between the public and private sectors for the purposes of fraud prevention.
Generally, the ICO’s report confirmed a high level of compliance and adherence to good practice in respect of data sharing by the private sector.
However, the report suggested that there is room for improvement in some areas relating to data sharing by public authorities. In some cases there appears to be a lack of formality surrounding data sharing arrangements, a lack of transparency over the purposes for which data is shared, and a failure to review data quality and the security of data sharing processes.
Background and Legal Basis for Data Sharing
Sections 68-72 of the U.K. Serious Crime Act 2007 (“SCA”) allow public authorities to share information with certain specified anti-fraud organisations (“SAFOs”) for fraud prevention purposes through a “legal gateway”. In addition, guidance is provided to public authorities sharing information through the legal gateway by the U.K. Home Office’s “Data Sharing for the Prevention of Fraud Code of Practice” (“Home Office Code”).
Sections 68-72 of the SCA were intended to address increasing anxieties over the scale of fraud and reactions to it, together with the legal obstacles to membership by public sector bodies of certain private sector fraud prevention data sharing schemes. Sections 68-72 of the SCA permit public authorities to share information as members of SAFOs or in accordance with other arrangements, and provide that such disclosures will not breach either the U.K. Data Protection Act 1998 (“DPA”) or any confidentiality obligations that bind public authorities.
Among other things, Section 68 provides that a public authority may, for the purposes of preventing fraud or a particular kind of fraud, disclose information as a member of a SAFO or otherwise in accordance with any arrangements made by such an organisation. The information may be information of any kind and may be disclosed to the SAFO, any members of it or any other person to whom disclosure is permitted by the arrangements concerned.
An “anti-fraud organisation” for these purposes means any unincorporated association, body corporate or other person which enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud or which has any of these functions as its purpose or one of its purposes.
Sections 68-72 of the SCA came into force on October 1, 2008. So far, 11 anti-fraud organisations have been specified for the purposes of Section 68: the Insurance Fraud Bureau (“IFB”); Equifax Limited; N Hunter Limited (National Hunter); BAE Systems Applied Intelligence Limited; CIFAS; Experian Limited; Synectics Solutions Limited; Dun and Bradstreet Limited; Insurance Fraud Investigators Group (“IFIG”); Callcredit Information Group Limited; and Telecommunications United Kingdom Fraud Forum Limited (“TUFF”).
Background to Review and Objectives
The ICO has the power to audit data sharing arrangements for fraud prevention purposes between private and public sector organisations. Pursuant to this power, between June and October 2014 the ICO carried out a review of the data sharing arrangements which have been implemented between SAFOs and public authorities. The ICO’s aim was to understand what types of data sharing arrangements have been established between SAFOs and public authorities and whether these meet the requirements of the DPA, as well as the good practice guidelines set out in the Home Office Code and in the ICO’s statutory “Data Sharing Code of Practice” (“ICO’s Code”).
The data sharing activities of 33 public authorities were considered, as well as the 11 SAFOs, and site visits were also carried out in respect of four SAFOs that receive personal data from public authorities for fraud prevention purposes. The issues raised included questions regarding the types and format of personal data shared, the volume and frequency of data shared, privacy notices, procedures for ensuring data quality and correcting inaccurate personal data, retention periods and deletion of personal data, data subject access requests and security, among others.
Analysis and Outcomes
Of the 33 public authorities to which the survey was sent, 22 completed it, with nine confirming that they share personal data with SAFOs for fraud prevention purposes, either frequently or from time to time. Ten of the 11 SAFOs completed the survey, with five confirming that public authorities share personal data with them for fraud prevention purposes (the others included organisations that had been designated as SAFOs only since July 2014).
The results showed a considerable difference between the number of public authorities that stated that they share personal data with SAFOs for fraud prevention purposes and the number of public authorities that SAFOs confirmed actually do so. This may result from public authorities being unclear as to the legal basis on which they share data for these purposes and/or as to the identity of the SAFOs. The ICO intends to monitor this issue in various ways.
Key Conclusions
The survey resulted in a number of key conclusions.
Personal Data Sharing Agreements
The Home Office Code suggests that data sharing agreements which include all applicable requirements of the ICO’s Code and other agreed rules should be put in place between public authorities and SAFOs. Similarly, the ICO’s Code suggests that organisations which are sharing data put data sharing agreements in place, which could form part of contracts with other organisations, especially where considerable volumes of data are to be shared, or data is to be shared routinely.
The survey suggested that public authorities sharing personal data with SAFOs tend to do so as members of the SAFOs or pursuant to other arrangements, and that membership rules and data sharing agreements establish agreed rules governing data sharing arrangements. Having said that, four of the nine public authorities which confirmed that they share personal data with SAFOs for fraud prevention purposes confirmed that no relevant agreements with SAFOs were in place, with one confirming that it did not keep records of either the incidences or the amount of data that it shares with SAFOs.
Transparency and Fairness
The first data protection principle set out in the DPA obliges data controllers to process personal data fairly and lawfully and in accordance with at least one of the conditions set out in Schedule 2 to the DPA and, in the case of sensitive personal data, in accordance with at least one of the conditions set out in Schedule 3 to the DPA as well. This includes informing data subjects of which organisations their personal data are being shared with and for what purposes. The Home Office Code suggests that, to the extent possible, public authorities should actively provide privacy notices or at least make them readily available to data subjects whose personal data is being processed and shared. Similarly, the ICO’s Code suggests that organisations should identify themselves to data subjects and confirm who they are going to share their personal data with and for what purposes.
The survey indicated that SAFOs tend to publish “layered” privacy notices on their websites or other published materials which clearly indicate their identities, the purposes that they are processing personal data for and who they are sharing it with. In addition, making privacy notices available is a condition of membership of a number of SAFOs. However, the survey suggested that two of the public authorities which confirmed they share personal data with SAFOs for fraud prevention purposes do not appear to make privacy notices available.
The ICO noted that both SAFOs and public authorities should be open regarding their data sharing activities in general terms, notwithstanding their justifiable concerns regarding the alerting of suspected fraudsters in certain cases.
Personal Data Accuracy
The fourth data protection principle requires data controllers to ensure that personal data is accurate and, where necessary, kept up to date. The Home Office Code recommends that public authorities correct any inaccuracies discovered in their records and inform any SAFO to which inaccurate data has been disclosed so that the SAFO’s records can also be corrected. The Home Office Code also suggests that public authorities should regularly check the quality of data to be shared. Similarly, the ICO’s Code suggests that organisations should ensure periodically that the data they are sharing is of good quality and should also ensure that personal data is accurate before sharing takes place. Organisations should also ensure that systems are implemented which allow for any necessary amendments of personal data to be made after sharing has taken place.
The survey showed that SAFOs oblige members and other data sharing partners to adhere to agreed data quality requirements which are based on the design of anti-fraud databases hosted by SAFOs and/or included in data sharing agreements or membership rules when sharing personal data. However, a number of public authorities suggested that they do not review data quality before disclosing personal data.
Personal Data Retention Periods
Regarding the fifth data protection principle, which requires that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes, the Home Office Code recommends that SAFOs and public authorities should agree maximum time limits for holding personal data under information sharing arrangements. Similarly, the ICO’s Code recommends that all organisations involved in data sharing should delete any personal data which is no longer required for the purposes for which it was shared.
The survey results indicated that SAFOs tend to retain personal data for fraud prevention purposes in accordance with agreed retention periods in order to comply with the fifth data protection principle, although one of the nine public authorities which confirmed that they share personal data with SAFOs for fraud prevention purposes has not agreed specific data retention periods with SAFOs.
The Rights of Data Subjects
The sixth data protection principle requires data controllers to process personal data in accordance with the rights of data subjects under the DPA. Such rights include, among other things, a right of access to personal data. The Home Office Code recommends that public authorities designate staff responsible for handling enquiries and complaints from individuals and data subject access requests. The ICO’s Code also sets out recommendations for organisations involved in personal data sharing on how to deal with data subject access requests in accordance with the DPA.
The survey suggested that all public authorities have implemented procedures to deal with data subject access requests, and that SAFOs have established procedures to identify and reply to data subject access requests in accordance with the DPA as well.
Personal Data Security
The seventh data protection principle requires data controllers to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The Home Office Code and the ICO’s Code both include general recommendations in respect of security measures which are suitable taking into account the sensitivity or confidentiality of the relevant personal data.
The survey results suggested that SAFOs have implemented appropriate technical and organisational security measures regarding personal data, including independent reviews of information procedures and systems to make sure that security procedures meet certain standards, such as ISO/IEC 27001. Some SAFOs also audit their members periodically to make sure they are complying with the DPA and the relevant SAFO’s membership rules. However, of the public authorities, three of the nine which confirmed that they share personal data with SAFOs suggested that they do not review the security of data sharing arrangements with SAFOs, and one suggested that it has not agreed secure procedures to transfer personal data to SAFOs.
Points to Note and Further Action
Overall, the survey indicated that generally the sharing and handling of personal data accords with the recommendations set out in the ICO’s Code, and that sharing personal data between public and private sector organisations is necessary and proportionate for fraud prevention purposes.
As well as the survey itself, the site visits which were carried out in respect of some SAFOs confirmed that the relevant SAFOs have established appropriate procedures to deal with personal data shared by public authorities which conform to accepted and good practice guidelines and standards.
However, some survey responses showed that improvements could be made in certain areas, and that it would be advisable for the public authorities to follow good practice recommendations in a number of respects. These include putting in place data sharing agreements with SAFOs which incorporate agreed rules and standards, and reviewing data sharing arrangements with SAFOs from time to time to ensure that the law and good practice guidelines are being followed. Public authorities should also ensure that personal data is of appropriate quality before it is disclosed, and make sure personal data is not kept for longer than necessary by agreeing maximum retention periods with SAFOs.
The survey responses also suggested that public authorities should keep records of what personal data they are sharing with SAFOs and why it is shared, ensure that privacy notices are made available to data subjects to inform them why their personal data is being shared and with whom, and put in place agreed secure procedures for transferring personal data to SAFOs.
Clare Sellars is a Partner at Weightmans LLP, London. She may be contacted at clare.sellars@weightmans.com.