Introduction
The following is a record of the legitimate interests assessment that Cifas has carried out for the processing of personal data within the National Fraud Database. It identifies the processing involved and the legitimate interests that exist in relation to the National Fraud Database, and the balance of those interests is considered in conjunction with the safeguards that exist.
What processing is there?
The querying of National Fraud Database records to identify fraud risk as part of the assessment of:
- An application by a potential customer of a member where the aim of the overall assessment is to determine whether to accept or reject that application, or
- The conduct of a customer in relation to an existing account where the aim of the overall assessment is to determine whether the customer presents a level of risk no longer acceptable to the member.
Details of fraud risks that a Cifas member identifies are recorded in the National Fraud Database in order to help the rest of the Cifas membership protect themselves and their customers from further fraud.
The risk of fraud could relate to the identity of the applicant or customer, or could relate to the conduct of the customer in running the existing account. The risk of fraud could also relate to the information originally given by an applicant when opening an account, when that information has been relied upon by a member during its decision making process.
What are the legitimate interests?
The General Data Protection Regulation gives fraud prevention as an example of a legitimate interest (Recital 47).
It is in the legitimate interests of members to protect themselves from fraud, in order to be able to continue in business, and Cifas has a legitimate interest in enabling members to prevent fraud. It is also in the interests of the customers of each member that fraud against a member is prevented, in order that the member can continue to provide products or services.
It is in the interests of individuals whose identities are being misused for identity theft, impersonation and account takeovers to be prevented.
Fraud prevention is in the general public interest – it is important for consumers to have access to realistically obtainable financial products, and other goods and services, which may otherwise be unavailable or limited in the event that widespread fraud occurs.
Is the processing necessary?
Individuals who intend to deceive members typically operate across business sectors, targeting any organisation where they can find a weakness and operating at volume, and so data sharing through cross-sector collaboration is the best and most effective approach to identifying new fraud risks. Fraud is a non-competitive issue and as a not-for-profit membership organisation, Cifas is trusted by organisations public and private to ensure that the data sharing is lawful, reciprocal, and fair.
Balancing the interests
It is reasonable to expect that organisations will take steps to prevent fraud against themselves and against their existing customers. Members of Cifas using the National Fraud Database prevent over a billion pounds in fraud losses each year. If those losses had not been prevented, then the costs of financial products, goods and other services such as insurance would be higher – a significant negative impact upon the wider public.
The purpose of the National Fraud Database is to highlight to members an increased risk of fraud relating to a specific application or existing account, based on past conduct. There can therefore be a significant impact upon individuals recorded within the National Fraud Database; after an investigation, applications can be rejected or existing facilities closed if the risk is determined to be too high or further fraudulent conduct is identified. At the same time though, individuals whose identities are being misused by organised crime groups have a strong interest in protecting their identities from that misuse – from accounts being opened in their names or from their own accounts being taken over.
The National Fraud Database offers an effective and efficient means for Cifas and its members to identify fraud risk in real time, with a minimal impact upon the user experience of applicants, and minimal expense to members which might otherwise need to be passed on to consumers. Without an effective means of fraud prevention technologies and methods – which meet sophisticated techniques employed by fraudsters in an increasingly digital world – the general public may be denied proper access to a wide range of commercial and competitive financial services and products.
What safeguards are in place?
A Cifas member must operate within the terms of the National Fraud Database Handbook – a guide that sets out eight Principles of use with accompanying guidance. These Principles and guidance describe the controls in place to protect the data on the database, and ensure that the highest possible level of fairness and transparency are observed:
- The National Fraud Database can only be used for preventing fraud and financial crime, and for complying with legislation;
- The fair processing notice that all members provide clearly states that personal information will be shared and records of fraud risk retained;
- All risk records must be supported by accurate and relevant evidence, and provided in a timely manner;
- Only trained staff can access the National Fraud Database, operating under suitable technical and organisational measures to prevent unauthorised use of personal data;
- Innocent parties such as victims of impersonation are clearly distinguished from other individuals recorded within the National Fraud Database;
- Members must ensure that the fraud risk data is interpreted in a proportional manner according to their own risk appetite and the product being assessed.
Cifas is a specified anti-fraud organisation under the terms of section 68 Serious Crime Act 2007, which provides public authorities with the legal power to share information with Cifas for fraud prevention. It is a condition of being a specified anti-fraud organisation that the Information Commissioner’s Office be given access to audit and inspect data sharing arrangements between public authorities and Cifas; the ICO audited Cifas in 2014.
As the data controller of the National Fraud Database, Cifas is responsible for the security of the system. Cifas is certified to ISO/IEC 27001:2013, the international standard for operating an information security management system, and to Cyber Essentials, the online security scheme run by the Government’s National Cyber Security Centre. The National Fraud Database runs in the Microsoft Azure UK cloud, which is itself certified to ISO/IEC 27001:2013 and many other international security standards, and so benefits from the Microsoft global incident response team. Cifas commissions regular penetration testing of all systems by independent experts approved under the CREST scheme.
Cifas operates a complaints process that provides all individuals with a way to challenge, and if necessary correct or remove, information that may be recorded about them within the National Fraud Database. The first step is for an individual to exercise their right of access to any personal data held about them on the National Fraud Database by contacting Cifas. An individual can then contact the member that recorded the fraud risk information to challenge it, and if an individual is not satisfied with the response then Cifas will review the complaint.
Given the importance of fraud prevention, should the review by Cifas into the complaint find that the evidence supports the risk record it will be very rare that Cifas and Cifas members do not have compelling, overriding grounds to carry on processing the personal data concerned. Individuals can always approach the relevant regulator (typically the Financial Services Ombudsman) as well as the Information Commissioner’s Office at any stage.
Conclusion
The legitimate interests of Cifas, its members and the public, and the interests of data subjects themselves, in the processing, subject to the safeguards described above, are significant, and outweigh the limited competing interests of data subjects. Cifas therefore concludes that the processing may be undertaken on the basis of those legitimate interests.
Cifas' Data Protection Officer can be contacted at dpo@cifas.org.uk or through the main Contact Us page.
