Insider Threat Database Principles
The Insider Threat Database (ITD) - formerly the Internal Fraud Database - is a repository of fraud risk information that can be used by your organisation to reduce exposure to fraud and other relevant conduct, and inform decisions according to your organisation’s risk appetite.
The Insider Threat Database builds on the matches you receive from the Insider Threat Database by allowing relevant first party fraud risk matches from the National Fraud Database to be returned in searches. We call this a Data Sharing Membership. The core of ITD remains the Insider Threat Database and so when you join Cifas our Handbook and Principles refer to the Insider Threat Database.
Insider Threat Database Handbook
To use the database, a Cifas member must operate within the terms of the Insider Threat Database Handbook – a guide that sets out eight Principles of use with accompanying guidance. These Principles and guidance describe the controls in place to protect the data on the database, and ensure that the highest possible level of fairness and transparency are observed.
The Handbook allows you and your organisation an appropriate degree of flexibility – there will be many ways for you to achieve the outcomes it describes. It also helps you maintain the quality and integrity of the data for the benefit of all members. By observing the Handbook and engaging with our compliance process your organisation will be compliant and can enjoy the benefits of the database.
Principles of use
The Insider Threat Database is a reciprocal data sharing arrangement where members commit to provide data and file cases of fraud and other relevant conduct. In return, members receive the benefit of searching the database.
Both Cifas and its members have equal responsibility for the quality, protection and lawful use of the data submitted to and held on the Insider Threat Database. Every member is responsible for the accuracy of the cases filed, and for the proportionate use of the data returned from a search.
We want the data we hold on behalf of our members to be used to the maximum benefit in protecting themselves from fraud and other relevant conduct. We also have a responsibility to ensure that the rights of the citizen are balanced with the legitimate interests of our members; therefore the Insider Threat Database Principles are closely aligned to data protection legislation.
The Principles are as follows:
Principle 1: Reciprocity
The Insider Threat Database relies on member data – members must contribute their own cases to receive benefit from the data shared by other members.
Principle 2: Purpose Limitation (Legitimate reasons for searching)
Data can be used in a wide range of situations for the purpose of the prevention, detection and investigation of fraud and other unlawful or dishonest conduct, malpractice or other seriously improper conduct.
Principle 3: Transparency
Subjects have a right to know how data will be used and how any decisions related to them have been made.
Principle 4: Lawfulness (Searching and filing)
Subjects must only be searched and filed if they have been legally informed of how their data may be used via a Fair Processing Notice.
Principle 4: Lawfulness (Standard of Proof)
Cases filed to the Insider Threat Database must be supported by evidence and meet the ‘four pillars’ of the Standard of Proof. The Standard of Proof is:
- There are reasonable grounds to believe that a fraud or relevant conduct has been committed or attempted;
- That the evidence must be clear, relevant and rigorous;
- The conduct of the subject must meet the criteria of one of the case types;
- To file a case, the member must have:
- Declined employment; or
- Withdrawn employment; or
- Identified a fraud or relevant conduct after staff have left employment.
All Subjects involved that meet the Standard of Proof, must be filed to the Insider Threat Database.
Principle 5: Fairness (Proportionality)
Members must ensure that the data is interpreted in a proportional manner according to their own risk appetite.
Principle 6: Accuracy
All data that is captured must be accurate.
Principle 7: Integrity (Security of the National Fraud Database)
Access to the Insider Threat Database is restricted and all members must have adequate policies, procedures and technical measures in place to protect the data.
Principle 8: Data Minimisation
Members must be able to retrieve the evidence to support a case filed to the Insider Threat Database but they must not hold data indefinitely – once it has served its purpose, it must be deleted securely and permanently.