The ICO exists to empower you through information.

We are calling on organisations to share personal information responsibly to protect their customers from scams and fraud.

Fraud is the most frequently experienced crime in the UK, accounting for 39% of all reported crime in England and Wales. 1

We're warning that reluctance from organisations to share personal information to tackle scams and fraud can lead to serious emotional and financial harm.

Data protection law does not prevent organisations from sharing personal information, if they do so in a responsible, fair and proportionate way.

This International Fraud Awareness Week, we have published new practical advice to provide clarity on data protection considerations and support organisations to share data responsibly to tackle scams and fraud.

It is aimed at any organisation seeking to share personal information to identify, investigate and prevent fraud, especially banks, telecommunications providers and digital platforms.

For example, organisations may wish to explore sharing personal information with banks to identify users who are likely to have been exposed to a scam on their services. Timely sharing of this data could help banks to assess the risk and ensure extra checks are in place to prevent fraud.

Stephen Almond, Executive Director for Regulatory Risk at the ICO, said:

“From emotional distress to financial damage, scams and fraud have serious consequences. We strongly support responsible and effective data sharing between organisations, which is key to staying one step ahead of criminals and preventing scams before they cause harm.

“Protecting people must be the priority - I am warning organisations today that data protection law is not an excuse and it does not stop you sharing data that may assist with tackling fraud. Organisations acting responsibly can be reassured that we will take this into account if something goes wrong and we need to consider a regulatory response.”

Nick Sharp, Deputy Director Fraud in the National Economic Crime Centre, said:

“Information sharing between private industry, and with the public sector, is a fundamental tool used to tackle fraud.

“The new advice from the ICO is very welcome, and we encourage all industry partners to use it to ensure appropriate and confident data-sharing enables our joint efforts to reduce the harm from fraud.

“Together with our partners in both the private and public sector, we are working to identify, disrupt and prevent fraud, and will pursue every legal angle to ensure criminals who target the UK public are held to account.”

Informed by engagement with key stakeholders, the ICO’s advice includes practical considerations and case studies to support organisations to understand the law when sharing data.

We continue to engage with private and public sector organisations, including its Digital Regulation Cooperation Forum (DRCF) partners, to support efforts to protect the public from scams and fraud.

The new advice accompanies a wealth of further resources from the ICO on sharing data responsibly, including the ICO’s statutory Data Sharing Code, sector specific guidance, and practical case studies.

Organisations can visit the our innovation advice service or the DRCF’s AI and Digital Hub for further support.

We have this week marked our 40th anniversary by launching a digital exhibition telling the story of the most important moments in privacy over the past four decades and our crucial role in protecting the public's information rights. Visit the exhibition here.

Notes for editors
  1. The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the United Kingdom General Data Protection Regulation (UK GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five acts and regulations.
  3. The ICO can take action to address and change the behaviour of organisations and individuals that collect, use, and keep personal information. This includes criminal prosecution, civil enforcement and audit.
  4. To report a concern to the ICO telephone call our helpline on 0303 123 1113, or go to ico.org.uk/concerns.

1 Crime in England and Wales - Office for National Statistics