Cifas Homepage
NewsroomCareersContact Us

Fair Processing Notices for Cifas' Databases

This page provides the full fair processing notices for Cifas' National Fraud Database and Insider Threat DatabaseCifas Intelligence Service and Protective Registration Service with further details of how your information will be used, as well as information about your data protection rights.

If you have been referred to this page when applying for services or finance then please read the full National Fraud Database notice.

If you have been referred to this page in the context of being employed by or working for an organisation, including as a contractor or director, then please read the full Insider Threat Database notice.

If you have been referred to this page from the Cifas Intelligence Service then please read the full Cifas Intelligence Service Notice.

If you have been referred to this page in the context of Protective Registration, then please read the full Protective Registration notice.


National Fraud Database

The words "we", "us", and "our" relate to the organisation that referred you to this page.

GENERAL

1.    Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.

2.    The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.

3.    Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP address and vehicle details.

4.    We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

5A.    [This paragraph applies if the organisation that referred you to this page is not a public authority.] We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested. Cifas has published its assessment of the legitimate interests in relation to the National Fraud Database

5B.    [This paragraph applies if the organisation that referred you to this page is a public authority.] We process your personal data on the basis that it is necessary in the public interest or in exercising official authority for us to prevent fraud and money laundering, and to verify identity, in order to protect ourselves and to comply with laws that apply to us.

6.    Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

7.    [This paragraph applies if the organisation that referred you to this page told you that they will use automated decisions.] As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making: if you want to know more please contact the organisation that referred you to this page.

CONSEQUENCES OF PROCESSING

8.    If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or to employ you, or we may stop providing existing services to you.

9.    A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact the organisation that referred you to this page.

DATA TRANSFERS

10.    Fraud prevention agencies may allow the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then the fraud prevention agencies will ensure your data continues to be protected by ensuring appropriate safeguards are in place. Cifas has published more information about data transfers.

YOUR RIGHTS

11.    Your personal data is protected by legal rights, which include your rights to object to our processing of your personal data, request that your personal data is erased or corrected, and request access to your personal data.

12.    For more information or to exercise your data protection rights, please contact the organisation that referred you to this page.

13.    You also have a right to complain to the Information Commissioner's Office which regulates the processing of personal data.


Insider Threat Database

The words "we", "us", and "our" relate to the organisation that referred you to this page.

GENERAL

1.    We will check your details against the Cifas databases established for the purpose of allowing organisations to record and share data on their fraud cases, other unlawful or dishonest conduct, malpractice, and other seriously improper conduct ("Relevant Conduct") carried out by their staff and potential staff. "Staff" means an individual engaged as an employee, director, trainee, homeworker, consultant, contractor, temporary or agency worker, or self-employed individual, whether full or part time or for a fixed-term.

2.    The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and other relevant conduct and to verify your identity.

3.    Details of the personal information that will be processed include: name, address, date of birth, any maiden or previous name, contact details, document references, National Insurance Number, and nationality. Where relevant, other data including employment details will also be processed.

4.    We and Cifas may also enable law enforcement agencies to access and use your personal data to detect, investigate, and prevent crime.

5A.    [This paragraph applies if the organisation that referred you to this page is not a public authority.] We process your personal data on the basis that we have a legitimate interest in preventing fraud and other Relevant Conduct, and to verify identity, in order to protect our business and customers and to comply with laws that apply to us. This processing of your personal data is also a requirement of your engagement with us. Cifas has published its assessment of the legitimate interests in relation to the Insider Threat Database.

5B.    [This paragraph applies if the organisation that referred you to this page is a public authority.] We process your personal data on the basis that it is necessary in the public interest for us to prevent fraud and other Relevant Conduct, and to verify identity, in order to protect ourselves and customers and to comply with laws that apply to us. This processing of your personal data is also a requirement of your engagement with us.

6.    Cifas will hold your personal data for up to six years if you are considered to pose a fraud or Relevant Conduct risk.

CONSEQUENCES OF PROCESSING

7.    Should our investigations identify fraud or any other Relevant Conduct by you when applying for or during the course of your engagement with us, your new engagement may be refused or your existing engagement may be terminated or other disciplinary action taken (subject to your rights under your existing contract and under employment law generally).

8.    A record of any fraudulent or other Relevant Conduct by you will be retained by Cifas and may result in others refusing to employ you. If you have any questions about this, please contact the organisation that referred you to this page.

DATA TRANSFERS

9.    Cifas may allow the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then Cifas will ensure your data continues to be protected by ensuring appropriate safeguards are in place.. Cifas has published more information about data transfers.

YOUR RIGHTS

10.    Your personal data is protected by legal rights, which include your rights to object to our processing of your personal data, request that your personal data is erased or corrected, and request access to your personal data.

11.    For more information or to exercise your data protection rights, please contact the organisation that referred you to this page.

12.    You also have a right to complain to the Information Commissioner's Office which regulates the processing of personal data.


Cifas Intelligence Service

Introduction

Cifas is an independent, not-for-profit membership organisation that protects businesses and individuals through effective and secure data and intelligence sharing between the private, public and third sectors. We are registered with the ICO with reference Z5080002 and our company number is 02584687.

The Cifas Intelligence Service collects and analyses data and information and shares the results of this analysis through intelligence reports to member organisations for the purposes of fraud and financial crime prevention as well as other forms of unlawful conduct, malpractice, and seriously improper conduct in relation to employment (collectively known as ‘Risk Conduct’). This service is intended to benefit Cifas members, victims of economic Risk Conduct and the public at large and may require us to process personal data about you.

As the data controller for the Cifas Intelligence Service product, we want to set out the personal information we obtain in order to provide the service to our members. We also want to explain the purposes we have in processing your personal data, and what your rights are.

What personal data do we process, and where do we get it from?

The data processed includes personal information which may been originally collected from you by our members as part of their checks for preventing Risk Conduct and to verify identity and then passed to us. We may also collect data about you from other third parties, which can include law enforcement agencies or public registers.

Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP address and vehicle details.

What will we be doing with your personal data, and who will we share it with?

We will use the personal data we have been given or have collected ourselves to identify how we can help prevent and detect Risk Conduct. This is the purpose of the processing we do. We are helped in this by our service providers, including Microsoft Azure UK for hosting.

If we determine that Risk Conduct is likely, we may issue a confidential intelligence report to our members warning them of this and that there are grounds for them to investigate this risk further. This report may contain personal information about an individual, or groups of individuals, and will document the reasonable grounds to investigate possible links to Risk Conduct.

Members must not use the information contained in an intelligence report as the reason to withdraw or reject a financial product or service, employment or offer of employment.

We will share our intelligence reports with those members of our National Fraud Database and Insider Threat Database services who have also signed up to the Intelligence Service.

We may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

Our legal basis for processing, and how long we will keep your data for

We process your personal data on the basis that we have a legitimate interest in preventing Risk Conduct, and to verify identity, in order to protect our member’s business and to comply with laws that apply to us. We have published our assessment of the legitimate interests in relation to the Intelligence Service here.

The Cifas Intelligence Service can hold your personal data for different periods of time, and if you are considered to be linked to Risk Conduct, your data can be held for up to 18 months. In exceptional circumstances, your data can be held for longer.

Transfers outside of the UK

We are based in the UK, but part of distributing our intelligence reports may involve the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then we will ensure your data continues to be protected by ensuring appropriate safeguards are in place. We have published more information about data transfers.

Your Rights

Your personal data is protected by legal rights, which include your rights to object to our processing of your personal data, request that your personal data is erased or corrected, and request access to your personal data.

Please be aware that these rights are not absolute. For example, in some circumstances we may consider that we have compelling legitimate interests that on balance override a request to delete data or to stop processing it.

Please see www.cifas.org.uk/individuals for how to contact us. Our data protection officer can also be contacted this way.

You also have a right to complain to the Information Commissioner's Office which regulates the processing of personal data.


Protective Registration

1A. [This paragraph applies if you specifically consented to Protective Registration] If you consent, your personal information will be used to create a Protective Registration record about you within the Cifas National Fraud Database, which will then be made available to the members of Cifas and to fraud prevention agencies participating in Cifas. The Protective Registration record will be used to help prevent fraud and money-laundering and to verify your identity. Cifas and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate, and prevent crime.

1B. [This paragraph applies if Protective Registration is taken as part of a wider product] In order for the Protective Registration service to work, it is necessary for your personal information to be recorded within the Cifas National Fraud Database, which will then be made available to the members of Cifas, and to fraud prevention agencies participating in Cifas, for the purposes of preventing fraud and money-laundering and to verify your identity. The Protective Registration record will be used to help prevent fraud and money-laundering and to verify your identity. Cifas and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate, and prevent crime.

2. There may be a slight delay when you apply for financial products and services as extra checks are made. Where the risk of fraud is very low some companies may instead accept the application and then contact you separately to ensure the application is from you. The Protective Registration will last for two years.

3. As part of the Protective Registration service Cifas may allow the transfer of your personal data outside of the UK. This may be to a country where the UK Government has decided that your data will be protected to UK standards, but if the transfer is to another type of country, then Cifas will ensure your data continues to be protected by ensuring appropriate safeguards are in place.

4. More information about Cifas and the participating fraud prevention agencies is available. To exercise your data protection rights including access and correction, or if you decide that you no longer want to have Protective Registration, please contact the organisation that referred you to this page. You also have a right to complain to the Information Commissioner’s Office, which regulates the processing of personal data.

Share:

Latest blog posts