Balancing data protection with fraud prevention obligations: ICO Guidance for private organisations
Insight

It is essential for private organisations to have the ability to share personal data to mitigate fraud and scams, but they must also navigate data protection obligations when they do so. The Information Commissioner’s Office (ICO), the UK’s data protection regulator, has published guidance (the Guidance) to encourage organisations to share personal data responsibly when they are making efforts to tackle fraud and scams. The Guidance clarifies that data protection law should not be used as an excuse to avoid sharing data for these purposes. It is aimed at organisations such as banks and financial services firms, telecommunications providers and digital platforms which need to share personal information to detect, investigate and prevent fraud. The Guidance includes practical considerations and case studies to help organisations understand how the UK GDPR and other data protection legislation applies to their sharing of personal data for fraud prevention purposes.
The introduction of a mandatory reimbursement scheme in October 2024 requires payment service providers (PSPs) to reimburse consumer victims of authorised push payment (APP) fraud up to a maximum of £85,000 (see our article on this here). This scheme provides a strong incentive for PSPs to focus resources on fraud prevention and to share personal data about known or suspected fraudsters as part of such efforts. The cost of APP fraud has led to a rise in cross-industry partnerships focused on mitigating frauds and scams by sharing data about attacks and their perpetrators. For example, a collaborative framework known as Scam Signal between the mobile and banking industries identifies correlations between calls and fraudulent bank transfers to mitigate APP fraud. According to UK Finance, over two thirds of APP scams originate on an online platform, which emphasises the importance of collaborative data sharing between PSPs and other key platforms such as social media and telecommunications firms.
The Guidance reassures organisations that data protection law should not prevent them from sharing personal information that may assist with tackling fraud, provided that they do so in a responsible, fair and proportionate way. To help meet data protection requirements, the Guidance suggests that organisations:
- Carry out a Data Protection Impact Assessment (DPIA). A DPIA helps organisations to assess the lawfulness, benefits and risks of any proposed data processing activity, including data sharing. It is a legal requirement to conduct a DPIA where data processing is likely to result in a “high risk to the rights and freedoms of natural persons” (see UK GDPR Article 35). Slightly unhelpfully, the legislation does not define “high risk”, although Article 35(3) gives examples and the ICO publishes a list of processing operations for which a DPIA is always required. In any event, the ICO says that completing a DPIA is also good practice for any major project involving the disclosure of personal information, or any plans for routine data sharing.
- Be clear about compliance responsibilities and determine early on whether the organisations will be separate or joint controllers. This will have an impact on UK GDPR compliance requirements including contracts or documented arrangements between the parties, and what is communicated to data subjects via privacy notices.
- Set up data sharing agreements, particularly where data sharing will be ongoing. Such agreements provide clarity about the responsibilities of all involved, setting standards and outlining the purpose and practicalities of data sharing.
- Identify a lawful basis for sharing personal information. The Guidance clarifies that, for private organisations sharing data for scams and fraud prevention purposes, the most relevant lawful bases under the UK GDPR include legitimate interests, consent, or performance of a contract. At present, an organisation relying on the legitimate interests basis must be able to demonstrate, through a documented “legitimate interests assessment” (LIA), that it has identified a legitimate purpose, that the sharing is necessary for that purpose, and that the interests of the organisation are not overridden by the rights and interests of the individuals concerned. However, if enacted, the Data (Use and Access) Bill will designate the detection, prevention or investigation of crime as a specific “recognised legitimate interest”, for which an LIA will not then be required. While the Guidance mentions consent as a possible basis for data sharing, we cannot see how this is likely to work in practice: consent must be freely given and can be withdrawn, and seeking it from a suspected fraudster risks tipping them off or undermining the investigation.
- Understand the type of data being shared. UK data protection law provides additional protection to certain types of data, including personal information relating to criminal convictions and offences, so organisations need to know when they are processing such criminal offence data or one of the “special categories of personal data” under the UK GDPR. Information that a named individual is a known or suspected fraudster will often fall within criminal offence data. For sharing such data, organisations will need to identify a specific condition in Schedule 1 of the Data Protection Act 2018 (for example, the “preventing fraud” condition, which covers disclosures made as a member of, or under arrangements made by, an anti-fraud organisation) and, where that condition requires it, maintain an appropriate policy document.
- Comply with the data protection principles set out in the UK GDPR, including fairness and transparency, purpose limitation, data minimisation, accuracy and storage limitation, security, and accountability. For example, the data minimisation principle requires organisations to share no more personal information than is strictly necessary for their fraud prevention purposes, such as the details of the suspect account and transaction rather than a customer’s full profile; and the accuracy principle matters particularly where a person is flagged as a suspected fraudster, since an inaccurate flag can have serious consequences for them.
- Have policies and procedures allowing people to easily exercise their data protection rights. It is good practice to provide a single point of contact, which should be detailed in a data sharing agreement and in external privacy policies, so that data subjects do not need to make multiple requests to different organisations.
The Guidance is part of an evolving landscape of data sharing to combat fraud and scams. Firms in the UK financial sector will no doubt be aware of provisions in the Economic Crime and Corporate Transparency Act 2023 (ECCTA) (sections 188 to 193) which strengthen anti-money laundering powers. One of the key reforms is to enable organisations to share customer information more easily by disapplying civil liability for breaches of confidentiality where information is shared to prevent economic crime (for more information, see UK Government guidance published in October 2024).
ECCTA (sections 199 to 206) also introduces the new failure to prevent fraud offence (see our article on this here). Much discussion has arisen around the implementation of this new offence, which comes into force on 1 September 2025. Issues have been raised around how sensitive information can be protected when organisations seek to implement and enforce “reasonable fraud prevention procedures”. Ensuring that the procedures do not lead to breaches of confidentiality is a critical consideration for organisations that are subject to the new offence. The ICO Guidance may provide some assistance to organisations in this respect.
Despite the relatively positive messaging in the ICO’s new Guidance, balancing the regulatory and legal requirements of data protection law with effective fraud detection and prevention strategy remains complex. It is important to seek legal advice at an early opportunity to ensure that these sometimes competing obligations are properly met and an appropriate balance is found.
Please contact William Charrington, Alan Baker and Hannah Bohm-Duchen if you would like to discuss.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, January 2025