Data Sharing and Fraud

October 7, 2008

The Home Office has laid before Parliament the final version of the code of practice for public authorities disclosing information to a specified anti-fraud organisation. The Code can be seen here. The obligation to prepare a code of practice and keep it under review arises under the Serious Crime Act 2007, s 71.

The Serious Crime Act (Commencement No. 3) Order 2008 (SI 2008/2504) brought the balance of ss 68 to 72 of the 2007 Act into force on 1 October. These provisions deal with sharing the prevention of fraud and the sharing of information with ant-fraud organisations. Section 72 amends the Data Protection Act 1998, sch 3 in line with the new powers of disclosure.  The Serious Crime Act 2007 (Specified Anti-fraud Organisations) Order 2008 (SI 2008/2353) specifies the following as anti-fraud organisations in accordance with s 68 of the Serious Crime Act 2007:
(a) CIFAS;
(b) Experian Limited;
(c) Insurance Fraud Investigators Group;
(d) N Hunter Limited;
(e) The Insurance Fraud Bureau;
(f) The Telecommunications United Kingdom Fraud Forum Limited.
The new Code completes the circle of protection and guidance.

In a foreword to the Code of Practice, the Information Commissioner states as follows:

Fraud prevention is a key priority for the public and private sectors alike. The powers under the Serious Crime Act 2007 allow public sector information to be exchanged with the private sector so that fraud can be detected, targeted and prevented on a much wider scale. However, the powers under the Act must be considered in the context of any Data Protection Act requirements. Specifically, information must be shared in a manner that is proportionate, and any organisations using this information sharing gateway must take steps to ensure that they only share such data as is necessary for the prevention of fraud.
Where multiple partners engage in information sharing, being transparent and enabling individuals to exercise their rights to know how their information is being used is crucial. Equally, the importance of security when sharing personal information has never been as prominent as in recent months, and this must remain a major priority for any organisation wishing to share personal information. I welcome this high-level Code of Practice in terms of setting out some broad principles and considerations for participants.
I also welcome the Home Office’s commitment to make any organisation participating in these information sharing arrangements subject to audit by the Information Commissioner’s Office. The next key step is for organisations to define and agree the detail around what data will be shared and how any data protection risk will be minimised. Personal information is both an asset and a liability, and I expect any organisation involved in sharing personal information under the Serious Crime Act to treat it as such. Complying with the requirements of this Code will allow participants to identify those individuals involved in fraudulent activity while protecting the rights of the majority who are not

David Bowden, director of D Bowden Consulting (see, drew the latest development to the attention of the editor of the SCL Web site. He comments: ‘Fair Processing Notices used by financial services companies will need to be wide enough to encompass the data flows both to and from themselves and the public sector.’