Introduction
The following is a record of the legitimate interests assessment that Cifas has carried out for the processing of personal data within the Insider Threat Database (formerly the Internal Fraud Database). It identifies the processing involved and the legitimate interests that exist in relation to the Insider Threat Database, and the balance of those interests is considered in conjunction with the safeguards that exist.
What processing is there?
The purpose of the Insider Threat Database is to help Cifas members prevent fraud and unlawful or dishonest conduct, malpractice, and other serious improper conduct (collectively known as "Relevant Conduct") carried out by staff and potential staff. "Staff" means an individual engaged as an employee, director, trainee, homeworker, consultant, contractor, temporary or agency worker, or self-employed individual, whether full or part time or for a fixed term.
Cifas members can query the Insider Threat Database as part of a pre-employment screening check, in order to verify the identity of job applicants and ascertain their integrity and suitability for employment by reference to their previous conduct. Such conduct could range from stealing cash or falsifying expenses, to colluding with organised criminals in order to steal customer data; the risk of fraud could also relate to the information originally given by an individual when applying for employment, when that information has been relied upon by a member during its recruitment process. It is also best practice to conduct annual checks for existing staff as part of a wider corporate counter-fraud strategy.
Details of Relevant Conduct risks that a Cifas member identifies are recorded in the Insider Threat Database in order to help the rest of the Cifas membership protect themselves and their customers from further risk of Relevant Conduct.
What are the legitimate interests?
The General Data Protection Regulation gives fraud prevention as an example of a legitimate interest (Recital 47).
It is in the legitimate interests of members to protect themselves from fraud and other Relevant Conduct, in order to be able to protect customer data and accounts, and so continue in business, and Cifas has a legitimate interest in enabling members to do this. It is also in the wider interests of the customers of each member that fraud and other Relevant Conduct against a member is prevented, in order that the member can continue to provide products or services, and also in the specific interests of customers that their personal data is not stolen or otherwise misused.
The prevention of fraud and other Relevant Conduct is in the general public interest – it is important for consumers to have access to realistically obtainable financial products, and other goods and services, which may otherwise be unavailable or limited in the event that widespread fraud occurs. Part of this is preventing organised criminals from infiltrating companies in order to steal customer or commercial data.
Is the processing necessary?
Individuals who intend to deceive members typically operate across business sectors, targeting any organisation where they can find a weakness and operating at volume, and so data sharing through cross-sector collaboration is the best and most effective approach to identifying new fraud risks. Fraud is a non-competitive issue and as a not-for-profit membership organisation, Cifas is trusted by organisations public and private to ensure that the data sharing is lawful, reciprocal, and fair.
Processing must be carried out without the consent of the data subjects concerned so as not to prejudice the purpose of the Insider Threat Database.
Balancing the interests
It is reasonable to expect that organisations will take steps to prevent fraud against themselves and against their existing customers, and that these steps will include checking people applying for jobs. Research by the University of Portsmouth’s Centre for Counter Fraud Studies[1] showed that the total cost to an organisation of an internal fraud can be much greater than the actual fraud loss itself, due to the costs of investigatory & disciplinary processes as well as the negative impacts upon the organisation’s reputation and staff morale. The purpose of the Insider Threat Database is to highlight to members an increased risk of fraud and unlawful or dishonest conduct, malpractice, and other serious improper conduct relating to a specific individual, based on past conduct. There can therefore be a significant impact upon individuals recorded within the Insider Threat Database; after an investigation, applications for employment can be rejected or existing employment terminated if the risk is determined to be too high or further fraudulent conduct is identified. At the same time though, individuals whose identities are being misused by organised crime groups have a strong interest in protecting their identities from that misuse – from accounts being opened in their names or from their own accounts being taken over.
The Insider Threat Database offers an effective and efficient means for Cifas and its members to identify risk in real time, with a minimal unwarranted impact upon individuals. Just by being a member of the Insider Threat Database, organisations are sending a clear message to their staff that any form of internal fraud will be taken seriously and any employees committing fraud will face the consequences of their actions.
What safeguards are in place?
A Cifas member must operate within the terms of the Insider Threat Database Handbook – a guide that sets out eight Principles of use with accompanying guidance. These Principles and guidance describe the controls in place to protect the data on the database, and ensure that the highest possible level of fairness and transparency is observed:
- The Insider Threat Database can only be used for preventing fraud and financial crime, and for complying with legislation;
- The fair processing notice that all members provide clearly states that personal information will be shared and records of risk retained; the notice also acts as a deterrent against the conduct that would be recorded;
- All individuals are provided with a secondary fair processing notice as a part of a member’s investigation into determining if sufficient evidence exists to support a filing to the Insider Threat Database – this secondary notice informs individuals that their conduct has been recorded or will be (depending upon the stage reached of the disciplinary process);
- All risk records must be supported by accurate and relevant evidence, and provided in a timely manner;
- Only trained staff can access the Insider Threat Database, operating under suitable technical and organisational measures to prevent unauthorised use of personal data;
- Members must ensure that the risk data is interpreted in a proportional manner according to their own risk appetite.
Cifas is a specified anti-fraud organisation under the terms of section 68 of the Serious Crime Act 2007, which provides public authorities with the legal power to share information with Cifas for fraud prevention. It is a condition of being a specified anti-fraud organisation that the Information Commissioner’s Office be given access to audit and inspect data sharing arrangements between public authorities and Cifas; the ICO audited Cifas in 2014.
As the data controller of the Insider Threat Database, Cifas is responsible for the security of the system. Cifas is certified to ISO/IEC 27001:2013, the international standard for operating an information security management system, and to Cyber Essentials, the online security scheme run by the Government’s National Cyber Security Centre. The Insider Threat Database runs in the Microsoft Azure UK cloud, which is itself certified to ISO/IEC 27001:2013 and many other international security standards, and so benefits from the Microsoft global incident response team. Cifas commissions regular penetration testing of all systems by independent experts approved under the CREST scheme.
Cifas operates a complaints process that provides all individuals with a way to challenge, and if necessary correct or remove, information that may be recorded about them within the Insider Threat Database. The first step is for an individual to exercise their right of access to any personal data held about them on the Insider Threat Database by contacting Cifas. An individual can then contact the member that recorded the risk information to challenge it, and if an individual is not satisfied with the response then Cifas will review the complaint.
Given the importance of preventing fraud and unlawful or dishonest conduct, malpractice, and other serious improper conduct, should the review by Cifas into the complaint find that the evidence supports the risk record, it will be very rare that Cifas and Cifas members do not have compelling, overriding grounds to carry on processing the personal data concerned. Individuals can always approach the Information Commissioner’s Office at any stage.
Conclusion
The legitimate interests of Cifas, its members, and the public in the processing, subject to the safeguards described above, are significant, and outweigh the limited competing interests of data subjects. Cifas therefore concludes that the processing may be undertaken on the basis of those legitimate interests.
Cifas' Data Protection Officer can be contacted at dpo@cifas.org.uk or through the main Contact Us page.
[1] The True Cost of Internal Fraud, November 2013 (commissioned by Cifas)