Intelligence Service Legitimate Interests Assessment
Introduction
The following is a record of the legitimate interests assessment that Cifas has carried out for the processing of personal data within the Cifas Intelligence Service. It identifies the processing involved and the legitimate interests that exist in relation to the Cifas Intelligence Service, and the balance of those interests is considered in conjunction with the safeguards that exist.
What processing is there?
The Cifas Intelligence Service will collect and analyse data and information to identify where there are reasonable grounds to investigate links to fraud and financial crime risk as well as other forms of unlawful conduct, malpractice, and seriously improper conduct in relation to employment (collectively known as ‘Risk Conduct’).
This data and information will be proactively shared via intelligence reports to our members. Members will be able to use the data and information contained in intelligence reports to direct enquiries that assist them to identify and investigate Risk Conduct.
Risk Conduct could relate to the identity of the applicant or customer or to the conduct of the customer in running the existing account. It could also relate to the information originally given by an applicant when opening an account, when that information has been relied upon by a member during its decision-making process.
In relation to employment, Risk Conduct could range from stealing cash or falsifying expenses, to colluding with organised criminals in order to steal customer data; the risk could also relate to the information originally given by an individual when applying for employment, when that information has been relied upon by a member during its recruitment process.
What are the legitimate interests?
The General Data Protection Regulation gives fraud as an example of a legitimate interest (Recital 47).
It is in the legitimate interests of members to protect themselves from Risk Conduct in order to be able to protect customer data and accounts and be able to continue in business. Cifas has a legitimate interest in enabling members to prevent Risk Conduct. It is also in the wider interests of the customers and staff of each member that Risk Conduct against a member is prevented, in order that the member can continue to provide products or services and to continue to offer employment. It is in the specific interests of customers and individuals whose personal data or identities are being stolen or misused that identity theft, impersonation, and account takeovers be prevented.
Risk Conduct prevention is in the general public interest – it is important for consumers to have access to realistically obtainable financial products, and other goods and services, which may otherwise be unavailable or limited in the event of widespread Risk Conduct. This includes preventing organised criminals from infiltrating companies in order to steal customer or commercial data.
Is the processing necessary?
Individuals who intend to deceive members typically operate across business sectors, targeting any organisation where they can find a weakness and operating at volume, and so data sharing through cross-sector collaboration is the best and most effective approach to identifying new Risk Conduct. Data and information are shared via the National Fraud Database and Insider Threat Database when an investigation is completed, and the facts establish links to Risk Conduct. The Intelligence Service shares data and information where Risk Conduct is ongoing, there are reasonable grounds to investigate further, and the sharing of this information will assist in the identification of Risk Conduct. An Intelligence report will only contain the minimum amount of data and information considered relevant, necessary, and proportionate to the identification of Risk Conduct.
Risk Conduct is a non-competitive issue and as a not-for-profit membership organisation, Cifas is trusted by organisations public and private to ensure that the data sharing is lawful, reciprocal, and fair.
Balancing the interests
It is reasonable to expect that organisations will take steps to prevent Risk Conduct against themselves and against their existing customers and staff. Members of Cifas using the Cifas Intelligence Service face billions of pounds in Risk Conduct losses each year. The Intelligence Service helps its members to identify Risk Conduct; if those losses are not prevented or reduced, then the costs of financial products, goods, and other services such as insurance would be higher – a significant negative impact upon the wider public. Furthermore, individuals whose identities are being misused by organised crime groups have a strong interest in protecting their identities from that misuse – from accounts being opened in their names or from their own accounts being taken over.
The purpose of the Cifas Intelligence Service is to alert members to an increased risk of Risk Conduct relating to a specific application or existing account, based on past or current conduct and relevant data attributes. As an Intelligence report cannot be used in isolation, members must always investigate and establish further reasons before making a decision about an applicant or customer.
The Cifas Intelligence Service offers an effective and efficient means for Cifas and its members to identify Risk Conduct, with a minimal impact upon the user experience of applicants, and minimal expense to members which might otherwise need to be passed on to consumers. Without effective Risk Conduct prevention technologies and methods – ones that meet the sophisticated techniques employed by fraudsters in an increasingly digital world – the general public may be denied proper access to a wide range of commercial and competitive financial services and products.
What safeguards are in place?
A Cifas member must operate within the terms of the Cifas Intelligence Service Handbook – a guide that sets out eight Principles of use with accompanying guidance. These Principles and guidance describe the controls in place to protect the data on the database, and ensure that the highest possible level of fairness and transparency are observed:
- The Cifas Intelligence Service can only be used for preventing fraud and financial crime, and for complying with legislation. The information contained in the intelligence report cannot be used as a reason to justify the withdrawal or rejection of a financial service or product, employment or offer of employment. It can only be used to identify opportunities to locate and secure evidence to support such a decision;
- The fair processing notice that all members provide states that personal information will be shared, and records of Risk Conduct retained;
- All intelligence risk records must be provided in a timely manner and supported by relevant evidence that supports reasonable grounds to investigate further;
- Only trained staff can access the Cifas Intelligence Service, operating under suitable technical and organisational measures to prevent unauthorised use of personal data;
- Innocent parties such as victims of impersonation are clearly distinguished from other individuals recorded within the Cifas Intelligence Service;
- Members must ensure that the Risk Conduct data is interpreted in a proportional manner according to their own risk appetite and the product being assessed.
Cifas is a specified anti-fraud organisation under the terms of section 68 of the Serious Crime Act 2007, which provides public authorities with the legal power to share information with Cifas for Risk Conduct prevention. It is a condition of being a specified anti-fraud organisation that the Information Commissioner’s Office be given access to audit and inspect data sharing arrangements between public authorities and Cifas; the ICO audited Cifas in 2014.
As the data controller of the Cifas Intelligence Service, Cifas is responsible for the security of the system. Cifas is certified to ISO/IEC 27001:2013, the international standard for operating an information security management system, and to Cyber Essentials, the online security scheme run by the Government’s National Cyber Security Centre. The Cifas Intelligence Service runs in the Microsoft Azure UK cloud, which is itself certified to ISO/IEC 27001:2013 and many other international security standards, and so benefits from the Microsoft global incident response team. Cifas commissions regular penetration testing of all systems by independent experts approved under the CREST scheme.
Cifas operates a complaints process that provides individuals with a way to challenge, and if necessary correct or remove, information that may be recorded about them within the Cifas Intelligence Service. An individual can exercise their right of access to any personal data held about them on the Cifas Intelligence Service by contacting Cifas. However, given the context of the Intelligence Service, Cifas may be required to temporarily redact personal data so as not to prejudice the purposes of preventing ongoing Risk Conduct investigations. It may not be possible to explain why or confirm when a redaction has occurred, if doing so would undermine the reason for the redaction. Individuals do have the right to complain to the Information Commissioner’s Office (which regulates data protection in the UK) if they are unhappy with how Cifas has responded to a subject access request.
Conclusion
The legitimate interests of Cifas, its members and the public, and the interests of data subjects themselves, in the processing, subject to the safeguards described above, are significant, and outweigh the limited competing interests of data subjects. Cifas therefore concludes that the processing may be undertaken on the basis of those legitimate interests. Cifas' Data Protection Officer can be contacted at dpo@cifas.org.uk or through the main Contact Us page.