The Information Commissioner’s Office (ICO) has published a review of the data sharing procedures that take place between public bodies and private companies for fraud prevention purposes. The ability for data to be shared in this way is enshrined in sections 68 to 72 of the Serious Crime Act 2007, without which public bodies would likely be in breach of the Data Protection Act 1998 and open to liability.
The 2007 Act makes clear that public authorities may disclose personal data to certain anti-fraud organisations to prevent fraud without the risk of breaching the Data Protection Act 1998 (DPA 1998). There has, however, been some concern as to whether the data sharing provisions of the 2007 Act are achieving their intended purpose and whether the delicate balance between data protection and lawful sharing of data has been respected.
The ICO’s review looked at the arrangements in place between public bodies and authorised anti-fraud organisations in light of the good practice recommendations of the ICO’s statutory Code of Practice on Data Sharing, the Home Office’s Data Sharing for the Prevention of Fraud Code of Practice, and the requirements of the DPA 1998.
The review did not highlight any major shortcomings in arrangements, but identified certain areas for improvement, which were primarily aimed at public sector bodies. A summary of the findings is as follows:
- Ensure data sharing agreements are in place setting out rules and standards relating to agreed arrangements.
- Periodically review the data sharing agreements to ensure they are fit for purpose and satisfy all legal and regulatory requirements.
- Take steps to ensure private bodies do not retain personal data for longer than necessary.
- Maintain records of what personal data is shared and the reasons for its disclosure.
- Make privacy notices available to individuals explaining which organisations personal data may be shared with and the reasons for these arrangements.
The review highlights the cautious approach being adopted by the ICO to ensure compliance with data protection provisions and serves as a reminder of the high level of scrutiny that surrounds these arrangements.