Before providing a service, or employing a new staff member, Cifas members can check details against our databases for matches with individuals whose behaviour appears to be consistent with that of known fraudulent conduct. Some Cifas members use staff based outside of the UK and of the European Economic Area (the EEA, which includes the EU) to carry out those checks. This means that if a match is found, Cifas will be making what data protection law describes as a transfer of personal data to a “third country”.
Transfers of personal data from the UK to a third country are allowed where that country is considered “adequate” in data protection terms by the European Commission and the UK government. The Information Commissioner’s Office publishes a list at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/#adequacy-decisions, and this includes the Privacy Shield framework that covers the USA.
Transfers are also allowed where “appropriate safeguards” have been put in place between Cifas and the member based outside of the UK, and in practice this means that Cifas and the member will sign a contract called “a set of controller to controller standard contractual clauses”. The ICO has published the wording of the standard contract at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/#dp-clauses.
Social Smart: Instagram Checkout – friend or foe?
Who are you opening the door to? Why your customers could be the downfall of open banking.
Fraudulent mortgage applications on the rise
Fighting fraud locally: how councils are fighting fraud
Internet safety tips for students