Personal data sharing and Financial Services: lessons from the NHS, Lisbon-Moscow and the Experian enforcement notice

In November 2020, the Financial Conduct Authority (FCA) warned firms to be responsible when handling client data, noting that:

“Before transferring clients’ personal data, firms should consider whether this is fair to and in the interests of their clients (Principle 6).”

The recent National Health Service (NHS) “Big Data Grab” in the UK, Lisbon’s sharing with Moscow of the personal data of the organisers of a rally in support of a Russian opposition leader, and last October’s action by the UK Information Commissioner’s Office (ICO) against Experian for invisible processing, all have useful lessons on client interests and data sharing for financial services.


Trust

There is a long history behind the so-called NHS Big Data Grab (actually called the “General Practice Data for Planning and Research” (GPDPR) and announced on May 12, 2021) and it is all about trust. Trust is a well-used word in financial services, and as the FCA states:

Trust is a prerequisite for a well-functioning competitive market. It gives consumers confidence that they will be treated fairly, allowing more mutually beneficial trades to take place.

In November 2019, however, the Open Data Institute published findings that, while 87% of the public felt it was important or very important that the organisations they interacted with used data about them ethically:

  • 42% trusted banks and building societies to use personal data ethically;
  • 25% trusted credit card companies; and
  • 20% trusted insurance companies.

Only 5% might trust social media, but 59% trusted the NHS, a significant increase over financial services. The work of Dame Fiona Caldicott on information governance in the NHS provides valuable insight for finance.


Trust me, I’m a doctor

In 1997, Caldicott led the eponymous review of the processing of patient data in the NHS, which had been commissioned “owing to increasing concern about the ways in which patient information is used in the NHS … and the need to ensure that confidentiality is not undermined”.

One can see parallels in current hot topics in finance such as open banking, digital ID, big data, and the use of artificial intelligence (AI).

“A positive firm culture is central to the development and sustainability of new trust models and the culture of financial services firms has become a key concern,” the FCA said in October 2020.

The Caldicott Review led to two fundamental changes to address the lack of trust and to improve information governance in the NHS:

  • Caldicott Principles, forming “guidelines applied widely across the field of health and social care information governance to ensure that people’s data is kept safe and used appropriately”; and
  • Caldicott Guardians, whom the review recommended be “a senior person, preferably a health professional … nominated in each health organisation to act as a guardian, responsible for safeguarding the confidentiality of patient information”.

In 2013, a 7th Principle on sharing was added and, in 2020, an 8th Principle on informing patients about how their confidential information is to be used, as there should be “no surprises”.


Lessons for financial services

  • Transparency — the EU General Data Protection Regulation’s (GDPR) first principle covers transparency with regard to data subjects, so they are informed as appropriate of any processing of their personal data. The fact that it was felt an 8th Caldicott Principle, essentially on transparency, was warranted in 2020, 25 years after the 1995 EU Data Protection Directive, shows how important the provision of clear information is to the ability to then use, and to share, personal data.
  • Making the case — Financial data can be just as high-risk as health data, although in different ways, with a potentially devastating effect on individuals if used incorrectly. That said, making the case for use and any data sharing to consumers is far easier than making the case to patients.
  • Guardians — Having the equivalent of Caldicott Guardians in financial services would mean a truly senior, empowered consumer champion overseeing the ethics of data governance and sharing in financial services with a focus on the rights of the individuals concerned.


Moscow calling

June 2021 brought the shocking revelation that Lisbon’s City Council had shared the personal data of the organisers of a rally in Lisbon in support of Alexei Navalny, a critic of Vladimir Putin, the president of Russia, not only with the Russian Embassy but also, reportedly, the Ministry of Foreign Affairs in Moscow. This example of “invisible processing” (when data subjects are not informed of the processing) only came to light by mistake, when one of the organisers spotted evidence of the sharing while reviewing her emails with the council. The authority apologised, said the sharing should never have happened and was a “bureaucratic error”, but also — very worryingly — said the sharing was “compliant with existing municipal protocol and Portuguese law”.


Invisible processing

It does not need Putin as a counter-party. Invisible processing can creep in and take root in apparently staid areas, such as credit reference agencies. Following a two-year investigation into how Experian, Equifax and TransUnion used personal data in their data-broking businesses for direct marketing purposes, the UK ICO issued an enforcement notice in October 2020 against Experian in connection with its offline business.

All three agencies had improved their practices after the ICO’s involvement, with Equifax and TransUnion even withdrawing some products and services, but Experian stuck to its guns on certain issues. In the enforcement notice, the UK ICO gave short shrift to the arguments, which can be summarised as:

  • “everyone else is doing it”;
  • “we’ve all done it for years”; and
  • “it’s a chunk of our business”.


Lessons for financial services

  • Challenge standing practices — With the onslaught of new technologies and new opportunities, it is easy to take existing practices for granted. Yet times, expectations and laws change over time, and finance has many long-standing practices.
  • Check for invisible processing — It is worth reviewing if the firm carries out any invisible processing, particularly as part of those long-standing practices.
  • No herd immunity — “Everyone’s doing it” will not be a defence.


The regulations

GDPR

The UK GDPR and the EU GDPR clearly apply to personal data and are almost identical. Both include principles and obligations on lawfulness, transparency, purpose limitation and other areas that affect data sharing. The UK ICO’s statutory Code on Data Sharing sets out extensive guidance with very helpful practical examples. The code does not extend the law, nor is it law, but if firms fail to comply with it, they will find it harder to say they are acting in compliance.

Given the extensive guidance, it can be easy to miss the main statement, in the author’s view: you need a valid lawful ground to share personal data, as sharing is processing, and to identify it before you share the data.

Humble brag: we have a great overview of GDPR in our Privacy Kitchen video


FCA

The GDPR’s principles are reflected in the Principles in the FCA Handbook, particularly:

  • Principle 6 customers’ interests: “A firm must pay due regard to the interests of its customers and treat them fairly.”
  • Principle 7 communications with clients: “A firm must pay due regard to the information needs of its clients, and communicate information to them in a way which is clear, fair and not misleading.”

“We will act where we identify breaches of relevant parts of the FCA Handbook. Firms that intend to transfer or receive personal client data must be able to demonstrate how they have considered the fair treatment of consumers and how their actions comply with data protection and privacy laws,” the FCA warned in November 2020.


Joined-up regulators

There have been various initiatives by regulators, both within and across jurisdictions, to present a more effective, joined-up regulatory environment and oversight.

A relevant example here is the Memorandum of Understanding between the FCA and the UK ICO, updated in 2019. The two regulators agree to alert each other about any breach of their respective regulations and provide relevant and necessary supporting information.


Summary

Financial services is a broad term for an incredibly wide range of services and solutions, from old to new, automated to manual, domestic to international. Sharing of data, and personal data in particular, is the lifeblood of the industry. It is essential that the basis for such sharing is identified, communicated to the relevant individuals, and decisions documented, to thrive in the Trust Economy and prove oneself a good actor to regulators.

Keepabl continues to help Financial Services firms, and companies within other industries, manage their GDPR obligations. See our case studies from Canaccord Genuity and MML Capital to see how our Privacy SaaS makes compliance easy. Or if you’d simply rather we show you ourselves, you can request a demo.

This article was first published on Thomson Reuters Regulatory Intelligence. Subscribers can access it there.
