The Information Commissioner's Office (ICO), the UK's independent regulator for data protection, has published new guidance seeking to encourage companies to share data in order to tackle fraud. The guidance is the latest in a series of legal developments in UK economic crime which have sought to expand information sharing in the private sector as a route to addressing criminality.
The guidance is targeted at banks, telecom providers, and digital platforms, and seeks to reassure private sector actors that data protection does not prevent the sharing of personal information in all circumstances, provided it is done responsibly, fairly, and proportionately.
Practically, the ICO recommends that organisations that want to share personal data to mitigate scams and fraud take the following steps to demonstrate compliance with their data protection obligations.
- Carry out a Data Protection Impact Assessment (DPIA). This is a matter of good practice whenever disclosing personal information and a legal requirement when data processing is high risk. It assists not only with analysing the benefits, risks and potential negative effects of the data sharing, but also with demonstrating that action taken was lawful, if later challenged.
- Be clear about responsibilities and consider setting up a data sharing agreement. A data sharing agreement between the sender and recipient can help provide clarity on responsibilities for the data shared, and (again) provides a means of demonstrating how each party has sought to satisfy its legal obligations.
- Identify a lawful basis for sharing personal data. If the purpose of the data sharing is to prevent scams and fraud, organisations may be able to rely on legitimate interests, consent or performance of a contract as lawful bases.
- Comply with UK GDPR principles and data subject rights. The guidance highlights the principles of fairness and transparency, purpose limitation, data minimisation, accuracy and storage limitation, security and access/accountability. It reminds companies that fraud prevention is recognised under the UK GDPR as a legitimate purpose for processing data and sharing certain information.
The ICO's guidance follows a recent trend in the UK of businesses being encouraged to take more proactive steps to address fraud. The Economic Crime and Corporate Transparency Act 2023 (ECCTA), for example, introduced legislative protection from civil liability for the sharing of information between businesses in the anti-money laundering regulated sector, where such sharing would assist in the prevention and detection of economic crime. The UK Government also published guidance on those provisions last month. ECCTA also introduced the new corporate offence of "Failure to Prevent Fraud", which is set to come into force on 1 September 2025. Under the offence, corporate entities will have an obligation to implement "reasonable procedures" to prevent fraud by associated persons for the entity's benefit.
Despite these broader developments, it is unclear whether the ICO's guidance will encourage greater information sharing in practice. The guidance offers encouragement and a degree of protection, and helps to clarify at a general level how organisations can lawfully share personal information to help tackle fraud, but there is still an absence of incentives for companies to share such information with other businesses – often their competitors. Nor is there a material punishment for businesses that decline to share such information, even where it might prevent crime. It is possible that the introduction of the "Failure to Prevent Fraud" offence may increase such incentives going forward, and encourage businesses to (for example) consider entering into data sharing agreements with one another to demonstrate their "reasonable procedures". In the meantime, the extent to which private sector actors heed the ICO's call for greater collaboration remains at their discretion.
"Data protection law is not an excuse and it does not stop you sharing data that may assist with tackling fraud" - Stephen Almond, Executive Director for Regulatory Risk at the ICO