Balancing data protection with fraud prevention obligations: ICO Guidance for private organisations

Insight

Data privacy

It is essential for private organisations to have the ability to share personal data to mitigate fraud and scams, but they must also navigate data protection obligations when they do so. The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has published guidance (the Guidance) to encourage organisations to share personal data responsibly when they are making efforts to tackle fraud and scams. The Guidance clarifies that data protection law should not be used as an excuse to avoid sharing data for these purposes. It is aimed at organisations such as banks and financial services firms, telecommunications providers and digital platforms which need to share personal information to detect, investigate and prevent fraud. The Guidance includes practical considerations and case studies to help organisations understand how the UK GDPR and other data protection legislation applies to their sharing of personal data for fraud prevention purposes.

The introduction of a mandatory reimbursement scheme in October 2024 requires payment service providers (PSPs) to reimburse consumer victims of authorised push payment (APP) fraud up to a maximum of £85,000 (see our article on this here). This scheme provides a strong incentive for PSPs to focus resources on fraud prevention and to share personal data about known or suspected fraudsters as part of such efforts. The cost of APP fraud has led to a rise in cross-industry partnerships focused on mitigating fraud and scams by sharing data about attacks and their perpetrators. For example, a collaborative framework known as Scam Signal between the mobile and banking industries identifies correlations between calls and fraudulent bank transfers to mitigate APP fraud. According to UK Finance, over two thirds of APP scams originate on an online platform, which emphasises the importance of collaborative data sharing between PSPs and other key platforms such as social media and telecommunications firms.

The Guidance reassures and encourages organisations that data protection law should not prevent them from sharing personal information that may assist with tackling fraud, provided that they do so in a responsible, fair and proportionate way. To help meet data protection requirements, the Guidance suggests that organisations:

  1. Carry out a Data Protection Impact Assessment (DPIA). A DPIA helps organisations to assess the lawfulness, benefits and risks of any proposed data processing activity, including data sharing. It is a legal requirement to conduct a DPIA where data processing is likely to result in a “high risk to the rights and freedoms of natural persons” (see UK GDPR Article 35), although slightly unhelpfully, the term “high risk” is not defined in the legislation. However, the ICO says that completing a DPIA is also good practice for any major project involving the disclosure of personal information, or any plans for routine data sharing.
  2. Be clear about compliance responsibilities and determine early on whether the organisations will be separate or joint controllers. This will have an impact on UK GDPR compliance requirements including contracts or documented arrangements between the parties, and what is communicated to data subjects via privacy notices.
  3. Set up data sharing agreements, particularly where data sharing will be ongoing. Such agreements provide clarity about the responsibilities of all involved, setting standards and outlining the purpose and practicalities of data sharing.
  4. Identify a lawful basis for sharing personal information. The Guidance clarifies that, for private organisations sharing data for scams and fraud prevention purposes, the most relevant lawful bases under the UK GDPR include legitimate interests, consent, or performance of a contract. At present, if an organisation is relying on the legitimate interests basis, it is necessary to demonstrate how its processing passes a “legitimate interests assessment” (LIA). However, if enacted, the Data (Use and Access) Bill will designate the detection, prevention or investigation of crime as a specific, “recognised legitimate interest” (which will not then require an LIA). While the Guidance mentions consent as a possible basis for data sharing, we cannot see how this is likely to work in practice without a risk of tipping-off or undermining the investigation into suspected fraud or scams.
  5. Understand the type of data being shared. Since UK data protection law provides additional protection to certain types of data, including personal information relating to criminal convictions and offences, organisations need to know when they are processing such criminal offence data or one of the “special categories of personal data” under the UK GDPR. For sharing such data, organisations will need to take care to identify specific conditions for their data processing under the Data Protection Act 2018.
  6. Comply with the data protection principles set out in the UK GDPR, including fairness and transparency, purpose limitation, data minimisation, accuracy and storage limitation, security, and accountability. For example, the data minimisation principle requires organisations to be careful that they are not sharing any more personal information than is strictly necessary for their fraud prevention purposes.
  7. Have policies and procedures allowing people to easily exercise their data protection rights. It is good practice to provide a single point of contact, which should be detailed in a data sharing agreement and in external privacy policies, so that data subjects do not need to make multiple requests to different organisations.

The Guidance is part of an evolving landscape of data sharing to combat fraud and scams. Firms in the UK financial sector will no doubt be aware of provisions in the Economic Crime and Corporate Transparency Act 2023 (ECCTA) (sections 188 to 193) which strengthen anti-money laundering powers. One of the key reforms is to enable organisations to share customer information more easily by disapplying civil liability for breaches of confidentiality where information is shared to prevent economic crime (for more information, see UK Government guidance published in October 2024).

ECCTA (sections 199 to 206) also introduces the new failure to prevent fraud offence (see our article on this here). Much discussion has arisen around the implementation of this new offence, which comes into force on 1 September 2025. Issues have been raised around how sensitive information can be protected when organisations seek to implement and enforce “reasonable fraud prevention procedures”. Ensuring that the procedures do not lead to breaches of confidentiality is a critical consideration for organisations that are subject to the new offence. The ICO Guidance may provide some assistance to organisations in this respect.

Despite the relatively positive messaging in the ICO’s new Guidance, balancing the regulatory and legal requirements of data protection law with effective fraud detection and prevention strategy remains complex. It is important to seek legal advice at an early opportunity to ensure that these sometimes competing obligations are properly met and an appropriate balance is found.

Please contact William Charrington, Alan Baker and Hannah Bohm-Duchen if you would like to discuss.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, January 2025

About the authors

Alan Baker

Partner

Alan advises on all aspects of data protection law, commercial contracts and the use of information and intellectual property assets, as well as commercial regulatory issues. He helps clients to balance the sometimes competing objectives of minimising compliance risks and maximising commercial rewards.

Email Alan +44 (0)20 3375 7441

William Charrington

Partner

William advises corporate clients, institutions and high net worth individuals on a wide range of contentious matters including resolving complex contractual and civil fraud disputes. His practice has a strong focus on disputes involving intellectual property, art and cultural property.

Email William +44 (0)20 3375 7171

Hoi-Yee Roper

Senior Counsel

Hoi-Yee is Senior Counsel and the Knowledge Lawyer in the Dispute Resolution team. As an experienced litigator and author of legal guidance, Hoi-Yee works with the team to ensure they deliver the best possible service to clients. She keeps the team up to date with developments in the law, practice and technology, ensures the team has the resources required to undertake client work, and oversees dispute resolution training to the team and across the firm. In addition, Hoi-Yee regularly contributes to client briefings and legal journals.

Email Hoi-Yee +44 (0)20 3375 7186

Hannah Bohm-Duchen

Senior Associate

Hannah has a broad commercial disputes practice, with a particular focus on commercial litigation, contentious financial services matters and civil fraud.

Email Hannah +44 (0)20 3375 7185