In November 2020, the Financial Conduct Authority (FCA) warned firms to be responsible when handling client data, noting that:
“Before transferring clients’ personal data, firms should consider whether this is fair to and in the interests of their clients (Principle 6).”
The recent National Health Service (NHS) “Big Data Grab” in the UK, Lisbon’s sharing with Moscow of the personal data of the organisers of a rally in support of a Russian opposition leader, and last October’s action by the UK Information Commissioner’s Office (ICO) against Experian for invisible processing, all have useful lessons on client interests and data sharing for financial services.
There is a long history behind the so-called NHS Big Data Grab (actually called the “General Practice Data for Planning and Research” (GPDPR) and announced on May 12, 2021) and it is all about trust. Trust is a well-used word in financial services, and as the FCA states:
“Trust is a prerequisite for a well-functioning competitive market. It gives consumers confidence that they will be treated fairly, allowing more mutually beneficial trades to take place.”
In November 2019, however, the Open Data Institute published findings that, while 87% of the public felt it was important or very important that the organisations they interacted with used data about them ethically:
Only 5% might trust social media, but 59% trusted the NHS, a significant increase over financial services. The work of Dame Fiona Caldicott on information governance in the NHS provides valuable insight for finance.
In 1997, Caldicott led the eponymous review of the processing of patient data in the NHS, which had been commissioned “owing to increasing concern about the ways in which patient information is used in the NHS … and the need to ensure that confidentiality is not undermined”.
One can see parallels in current hot topics in finance such as open banking, digital ID, big data, and the use of artificial intelligence (AI).
“A positive firm culture is central to the development and sustainability of new trust models and the culture of financial services firms has become a key concern,” the FCA said in October 2020.
The Caldicott Review led to two fundamental changes to address the lack of trust and to improve information governance in the NHS:
In 2013, a 7th Principle on sharing was added and, in 2020, an 8th Principle on informing patients about how their confidential information is to be used, as there should be “no surprises”.
June 2021 brought the shocking revelation that Lisbon’s City Council had shared the personal data of the organisers of a rally in Lisbon in support of Alexei Navalny, a critic of Vladimir Putin, the president of Russia, not only with the Russian Embassy but also, reportedly, with the Ministry of Foreign Affairs in Moscow. This example of “invisible processing” (when data subjects are not informed of the processing) only came to light by mistake, when one of the organisers spotted evidence of the sharing while reviewing her emails with the council. The authority apologised, said the sharing should never have happened and called it a “bureaucratic error”, but also — very worryingly — said the sharing was “compliant with existing municipal protocol and Portuguese law”.
It does not need Putin as a counter-party. Invisible processing can creep in and take root in apparently staid areas, such as credit reference agencies. Following a two-year investigation into how Experian, Equifax and TransUnion used personal data in their data-broking businesses for direct marketing purposes, the UK ICO issued an enforcement notice in October 2020 against Experian in connection with its offline business.
All three agencies had improved their practices after the ICO’s involvement, with Equifax and TransUnion even withdrawing some products and services, but Experian stuck to its guns on certain issues. In the enforcement notice, the UK ICO gave short shrift to the arguments, which can be summarised as:
The UK GDPR and the EU GDPR clearly apply to personal data and are almost identical. Both include principles and obligations on lawfulness, transparency, purpose limitation and other areas that affect data sharing. The UK ICO’s statutory Code on Data Sharing sets out extensive guidance with very helpful practical examples. The code does not extend the law, nor is it law, but if firms fail to comply with it, they will find it harder to say they are acting in compliance.
Given the extensive guidance, it can be easy to miss the main statement, in the author’s view: you need a valid lawful ground to share personal data, as sharing is processing, and to identify it before you share the data.
Humble brag: we have a great overview of GDPR in our Privacy Kitchen video
The GDPR’s principles are reflected in the Principles in the FCA Handbook, particularly:
“We will act where we identify breaches of relevant parts of the FCA Handbook. Firms that intend to transfer or receive personal client data must be able to demonstrate how they have considered the fair treatment of consumers and how their actions comply with data protection and privacy laws,” the FCA warned in November 2020.
There have been various initiatives by regulators, both within and across jurisdictions, to present a more effective, joined-up regulatory environment and oversight.
A relevant example here is the Memorandum of Understanding between the FCA and the UK ICO, updated in 2019. The two regulators agree to alert each other about any breach of their respective regulations and provide relevant and necessary supporting information.
Financial services is a broad term for an incredibly wide range of services and solutions, from old to new, automated to manual, domestic to international. Sharing of data, and personal data in particular, is the lifeblood of the industry. It is essential that the basis for such sharing is identified, communicated to the relevant individuals, and decisions documented, to thrive in the Trust Economy and prove oneself a good actor to regulators.
Keepabl continues to help Financial Services firms, and companies within other industries, manage their GDPR obligations. See our case studies from Cannacord Genuity and MML Capital to see how our Privacy SaaS makes compliance easy. Or if you’d simply rather us show you ourselves, you can request a demo.
This article was first published on Thomson Reuters Regulatory Intelligence. Subscribers can access it here.