Data protection and tackling fraud

UK data protection law includes the UK version of the General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).

These laws work together to create a framework that every data controller must comply with. Most of the time, the UK GDPR requires us to uphold the principle of transparency and the right to be informed. Together, these ensure that the individuals who may be identified from the personal data we process know how their data is being used and for what purpose. We meet this obligation by providing information in a privacy notice on our websites, or by other means where possible. So, in order to process data lawfully, we must ensure our processing is transparent and predictable. On some occasions, however, we need to achieve objectives that require us to be anything but transparent, and tackling fraud is one of these. In such circumstances, being transparent is likely to prejudice the outcome of, for example, an investigation, or to forewarn an individual about a report to the Police. UK data protection law allows for such situations by providing a series of special lawful conditions and exemptions from the normal provisions of the law. These clauses enable a data controller to pursue their interests (including public interests) whilst removing some obligations, such as the right to be informed. Essentially, the individual concerned is not permitted to know that their data is being processed. This paves the way for the controller to lawfully process the data and, in this instance, investigate the potential crime or report it to the Police.

This is an additional step beyond the normal processing activities: a controller must identify the appropriate laws and document them. Here is an example of the provisions that might be relied upon. It may not apply in all cases, so legal guidance specific to the circumstances should be obtained.

It is likely that tackling fraud will be a legitimate interest (UK GDPR article 6 condition).

‘The processing is necessary to pursue the interests of the controller’. But this lawful basis alone will not be sufficient; it will need to be coupled with a UK GDPR article 9 condition (because criminal records, or information that may reveal a crime, are special category data) along with a special condition which can be found in the DPA. As potential or actual fraud will be considered a crime, the applicable law might be the DPA, schedule 1, part 2, paragraph 10, ‘Preventing or detecting unlawful acts.’ This condition allows the data to be processed without the knowledge of the individual, for the specific purpose it identifies. It may be important to have an appropriate policy document (APD) in place.

Here is a link to the ICO guidance on this subject. 

It is important to date your APD and to include a reference to the lawful basis you are relying upon as discussed above. The ICO have a right to request a copy of your APD at any time.

So bear in mind there may be three stages to your lawful basis (Art.6, Art.9 and an applicable law in the DPA).

If you would like assistance with this aspect of your compliance, please get in touch with Hope and May by calling 0330 111 0013 or emailing info@hope-may.com