SUMMARY

  1.  CIFAS—The UK's Fraud Prevention Service welcomes the opportunity to submit evidence to the Home Affairs Committee's inquiry entitled "A Surveillance Society?". CIFAS is an independent not-for-profit membership association, set up as a company limited by guarantee, that allows the exchange of information on applications, accounts and insurance claims that have either been made fraudulently or are being used fraudulently.

  2.  This evidence explores the current benefits and safeguards involved in data sharing within the private sector, as undertaken by those organisations who are already Members of CIFAS, and also proposals for data sharing with the public sector. It also sets out our suggestions for criteria that will be key to the effective sharing of data between the public and private sectors.

SHARING OF DATA

  3.  Fraud knows no boundaries. Professional criminals do not care from whom they take money—they attack wherever and whenever an opportunity arises. Fraud losses suffered by the private sector can mean that prices increase and tax revenues fall. Equally, losses suffered by the public sector can reduce the ability to provide public services. Sharing data about fraud is a very good way—and often the only practical way—to prevent such losses and help identify those responsible—namely criminals who will continue to use the same false identities and illegal methods as long as they are effective. Sharing details about these will reduce the opportunity for criminals to profit.

  4.  Pilot data matching exercises between the public and private sectors undertaken by CIFAS have proved that many of those who commit fraud against the private sector also commit fraud against the public sector.[106] Sharing data on fraudsters will lead to earlier detection and prevention of fraudulent activity.

  5.  The types of fraud that can be prevented through data sharing within both the public and private sectors are not limited to identity theft, the focus of much of the current media coverage on fraud. Also covered are application frauds and insurance claim frauds, which involve a real person who misrepresents his or her entitlement or status, and which can have as large an overall cost to the UK economy as frauds involving identity.

  6.  Across the private sector, the sharing of data is a long-established and effective method of preventing and detecting fraud proactively. The 260 CIFAS Member organisations share data on identified frauds in the fight to prevent further fraud and, by doing so, avoided losses during 2006 totalling £790 million. This figure represents an increase year on year of 16%.

  7.  CIFAS welcomed the overall conclusions of the Government's Fraud Review, and would support the establishment of a National Fraud Reporting Centre.

STANDARDS AND EVIDENCE

  8.  Since the inception of CIFAS in 1988, Members have always followed strict rules regarding the sharing of data. The CIFAS operating model has been developed in consultation with the Information Commissioner.

  9.  CIFAS recognises that there must be clear standards relating to the nature of the information that is shared. There must be a defined burden of proof for determining fraud and a high level of accuracy must be upheld. There must also be strong safeguards to maintain the security and proportionality of data that is shared. Such measures will be key to ensuring the consent and support of both the general public and the Information Commissioner's Office. However, it is important that the detail of these measures should not be put into the public domain, as to do so could give criminals the knowledge required to circumvent the processes.

  10.  All data shared through CIFAS has to be backed by sufficient evidence to support a formal report to the police or other relevant law enforcement agency, although sharing data through CIFAS is not a replacement for a report to the police. Before sharing details of a fraud or attempted fraud, the CIFAS Member will have identified a criminal offence, having either suffered, or potentially suffered, a loss and will have sufficient grounds to press criminal charges.

  11.  The information that is shared through CIFAS is limited to that which will be of relevance to the prevention and detection of further frauds. Only factually correct and accurate information may be shared and will not include any expressions of opinions by the CIFAS Member. Details of racial or ethnic origin are not shared, and neither are details of political or religious beliefs.

TRANSPARENCY

  12.  It is important that individuals are clearly made aware of the uses to which their data could be put. In order to comply with the fair processing principle of the Data Protection Act 1998, current CIFAS Members include a "fair processing notice" in all customer contracts. This clearly defines the nature and purpose of the information sharing that occurs between CIFAS Members. Similar notification would be essential for any future public-private data sharing, regardless of the mechanism used.

  13.  Similarly, individuals must be told how to access, and if necessary correct, any information held about them. As the extent of data sharing grows, this becomes increasingly important. The use of inaccurate data is self-defeating, risks the loss of public confidence and would breach data protection law. Published complaints procedures and clear methods for individuals to access any data held about them are key to this.

  14.  CIFAS Members successfully resolve the majority of complaints they receive about the use of CIFAS data directly with the individual concerned. Only in a handful of cases has CIFAS found that the Member did not act according to the rules.

  15.  CIFAS is run on not-for-profit principles and any financial surplus is always ploughed back into the services delivered to Member organisations. The current CIFAS Members are banks and building societies and other suppliers of secured/unsecured credit to consumers and businesses, along with share dealing, leasing and hire, communications and insurance companies. Membership is not open to intermediaries, such as brokers, independent financial advisers, loss adjusters, or to debt collection agencies, tracing agents and private investigators. Public authorities and utilities are able to join, subject to having appropriate legal powers to share data for the purposes of fraud prevention and detection.

USE OF DATA

  16.  The prevention and detection of fraud needs to be proactive to be most effective. Limiting the sharing of data to cases where a suspicion of fraud already exists would curtail potential benefits. That is not to say that a "blacklist" of people involved in fraud should be created; rather that it should be normal procedure for any request or application for a public sector benefit/service to be checked against those who have committed fraud previously. This is what has been happening in the private sector for many years to great positive effect.

  17.  Every two years the Audit Commission runs the National Fraud Initiative (NFI), a data matching exercise that detects frauds and overpayments. Using data from a number of different public bodies, the 2004/05 exercise detected £111 million worth of fraud and overpayments—but only after the event, when the money had been lost. The proactive sharing of data, as opposed to the retrospective matching of data, would enable such frauds against the public sector to be prevented before money is lost.

  18.  A proactive method of fraud prevention provided by CIFAS is the Protective Registration Service. This service, frequently recommended by the police, allows those who are at risk from identity fraud to put a protective warning against their address. The risk could arise from the theft of personal identification documents (eg during a burglary) or following a breach of security (eg the loss of a computer containing payroll data). The protective warning alerts CIFAS Members to take extra care when receiving new applications from that address, which could involve requesting further proof of identity.

  19.  CIFAS information is processed by a number of participating fraud prevention agencies that also provide CIFAS Members with fraud prevention services. When a Member identifies a fraud, a warning is placed against the addresses linked to the application/proposal/claim or account/policy/service. The warning shows the name used on the application/proposal/claim or account/policy/service but this does not necessarily mean that the person named is involved in the fraud, as fraudsters tend to use a variety of names, some false and some genuine.

  20.  The CIFAS warning will appear on the fraud prevention agency record of any person who has a link with the address, and any CIFAS Member subsequently checking that address will see the warning. Matching data for fraud prevention purposes using just the address, rather than a name at an address, is a proportionate response to the threat posed by fraud, particularly fraud involving identity. The added value of this matching has been proven consistently.

  21.  The process that results from sharing information about a previously identified fraud must be fair and consistent, yet also robust enough to ensure its effectiveness. Any CIFAS Member that sees a CIFAS warning is required to take extra precautions to ensure that the application or account that prompted the search is genuine. No CIFAS Member organisation that receives a CIFAS warning from the system when checking an application or account is allowed automatically to refuse to supply the facility, product or service because of the warning—an appropriately trained member of staff must make the decision after due consideration.

  22.  The value of the shared information is related to its age. Although historical information can have value, the sharing of current data will be of much greater benefit and will be more compliant with the fifth Data Protection Act 1998 principle.

ONWARD TRANSMISSION OF DATA

  23.  Data that has been shared by a CIFAS Member is only shared with other CIFAS Members—it is not passed on to anyone else. Organisations who are not Members but also use a participating fraud prevention agency would not see any CIFAS warnings. This concept of reciprocity is essential to the long term success of any data sharing system.

  24.  The police and other law enforcement officers are able to request data from CIFAS but only on a case-by-case basis. Section 29 of the Data Protection Act 1998 permits disclosure of data for the purposes of the prevention or detection of crime, or the apprehension or prosecution of offenders.

  25.  The Social Security Fraud Act 2001 gave the power for authorised Department for Work and Pensions officers and for authorised local authority officers to obtain information from certain types of organisations, including CIFAS. Authorised officers can obtain any information relevant to the prevention and detection of benefit fraud in tightly defined circumstances as set out in a Code of Practice.

  26.  Whilst there have been large scale data matching exercises successfully undertaken using CIFAS data,[107] no personal data was disclosed as part of those pilots. Any profiles of fraudsters based upon the data shared between CIFAS Member organisations have not been shared with law enforcement agencies.

  27.  Any proposed data sharing through CIFAS between the public and private sectors would still occur under the existing practices and procedures outlined previously. Neither the source, destination or nature of the information shared would materially alter the standards or safeguards applied.

MISUSE OF DATA

  28.  Information on those identified as being involved in fraud is also valuable to the criminal community, as it could be used to circumvent measures put in place to prevent fraud. The misuse of data can arise from both internal and external threats.

  29.  Although many external threats can be managed through the use of appropriate hardware, software and physical security tools, internal threats (ie employee fraud) are more complex to deal with. Best practice among CIFAS Members for vetting prospective employees includes references for—and the full verification of—employment history, the verification of any qualifications, and verification of identity to the same standard as for anti-money laundering checks. CIFAS has recently launched a staff fraud database for Members and, in conjunction with the Chartered Institute of Personnel and Development, has also provided Members with a guide to tackling staff fraud and dishonesty.

  30.  The wrongful disclosure of data is an offence under Section 55 of the Data Protection Act 1998 and other legislation. CIFAS welcomes the proposed increases in the penalties for this offence recently announced by the Department for Constitutional Affairs.

DATA SHARING AND SURVEILLANCE

  31.  As used in the CIFAS operating model, the sharing of data cannot be considered surveillance as the sharing only occurs after a fraud (whether attempted or successful) has been identified. It is important, however, to strike the right balance between the operational need for confidentiality and the public need to be open about how fraud is prevented. To maximise the likelihood of the successful apprehension and prosecution of offenders, customers are not advised when a CIFAS warning is placed in the majority of cases. Data protection legislation has still been observed as customers will have already been notified by a "fair processing notice" that details of any identified frauds may be passed to fraud prevention agencies.

CONCLUSIONS

  32.  CIFAS suggests that the following criteria are key to the effective sharing of data between the public and private sectors:

—    The sharing of data needs to be proactive, but only information relevant to the prevention of fraud should be shared.

—    There needs to be a defined burden of proof which is satisfied before sharing takes place.

—    Individuals must be made aware of the possible uses of their data.

—    Automatic refusals should not be made purely on the basis of data that has been shared.

  33.  Sharing data for the purposes of preventing and detecting fraud offers the potential for great benefits to UK citizens, the private sector and public authorities. The full potential can only be realised with the minimum of impact on individual liberty, however, where there are clear standards and safeguards in place to govern this sharing.

April 2007

107   ibid. Back