As we emerge from the pandemic it is inevitable that instances of fraud will be uncovered. Each week there are reports of frauds being unearthed, whether they’re related to Covid-19 support schemes or to individuals who have managed to exploit weaknesses in existing fraud systems and processes.
The discovery of suspected fraudulent activity gives rise to a number of immediate considerations including:
• Who is involved?
• Are those involved in the business? If so, should they be suspended from duties/dismissed?
• Is immediate injunctive relief required to seize and recover assets?
• Are there any third-party victims? If so, should they be notified?
• What evidence (physical and electronic) is available? And how should it be obtained?
• Are third parties involved/impacted?
• Should law enforcement/SFO be notified?
• Is there an obligation to make disclosures to the National Crime Agency and/or regulators and/or a listing authority?
• Is the potential loss covered by insurance?
• Do existing processes and procedures need to be reviewed to prevent/ minimise losses?
Those investigating appreciate that a failure to consider the above factors may lead to potential criminal liability, significant losses and reputational damage. In undertaking an investigation, it is critical at the outset to have a detailed plan of action that addresses the above points and allocates responsibility to specific individuals who will be accountable for the action taken.
However, there is clearly a tension between the need to properly investigate and individual privacy rights. This article looks at the importance of locating and preserving data and the tension between the need to identify relevant evidence and the UK GDPR, in particular.
Locating, reviewing and preserving evidence
Restrictions
All efforts organisations take to locate, review and preserve evidence which relates to living individuals will likely constitute ‘processing’ personal data, which is subject to key restrictions, including that an organisation must have a legal basis for processing.
Obtaining an individual’s consent is often the most robust legal basis for processing, but seeking consent is unlikely to be attractive in an investigations context, particularly if the investigation is large-scale or concerns sensitive matters or those relating to liability. However, personal data can also be accessed by investigators using the ‘legitimate interests’ basis provided by UK GDPR Article 6(1)(f). In other contexts, such as regulatory investigations or litigation, consent is also unnecessary where investigators have a legal obligation to process the data (Art. 6(1)(c), UK GDPR).
‘Legitimate interests’?
Organisations can rely on the legitimate interests basis to process data except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Whether this test is met needs careful consideration. Use of client or employee data for fraud prevention (and related matters such as IT security) is specifically listed in the UK GDPR as a legitimate interest (Recital 47). However, where an investigation is conducted primarily to assist with a commercial objective, for example, organisations will likely need to consider:
1. the purpose of the processing;
2. whether it is necessary to achieve that purpose; and
3. whether the legitimate interest is overridden by the individual’s interests, rights or freedoms.
This test is particularly relevant in circumstances where processing a person’s personal data may itself lead to fraud or theft (Recital 75) or where sensitive ‘special category’ data may be disclosed or compromised as a result of an investigation.
Keeping records
Before commencing an investigation, the investigators should consider the above factors and produce a data protection impact assessment recording the extent of the proposed investigation, the reasons for it, the legal basis for accessing the data in question and recording the reasons why the proposed steps are proportionate having regard to any risk to the rights and freedoms of the individuals whose data might be accessed.
In addition to obligations to keep a record of processing activities (Article 30), ensuring records of personal data are accurate (Article 5(1)(d)) and are kept only for as long as necessary (Article 5(1)(e)), investigators should keep contemporaneous written records of the legal basis for their actions, relating them to the initial privacy assessment, to protect against an adverse finding later.
Consequences of getting it wrong
Organisations face three key heads of liability if they fail to comply with data protection laws when conducting an internal investigation:
1. Regulatory action from the Information Commissioner’s Office (ICO) following a complaint: The ICO has power to issue fines up to the higher of £17.5 million or 4% of annual worldwide turnover, to carry out investigations and to issue notices requiring organisations to comply with specific steps.
2. Litigation: Data subjects can bring claims for damages for distress and financial loss arising from breaches of UK GDPR under Article 82(1). Failure to treat personal data appropriately may also give rise to actions for misuse of private information (MPI), breach of confidence and possibly negligence.
3. Reputational: Non-compliance increasingly attracts media and other scrutiny, particularly if it affects employees or consumers.
Can evidence be shared with law enforcement?
Most personal data can be shared with law enforcement authorities provided they are discharging their statutory law enforcement functions, or where there is another lawful basis for passing them the information under Article 6(1)(f) UK GDPR. Additional requirements apply in the case of special category data and data regarding criminal offences, but these requirements are typically met where disclosure is required for the purposes of preventing or detecting an unlawful act.
Preparation
Being prepared is the best step an organisation can take ahead of wrongdoing, particularly regarding how to conduct an internal investigation.
Key steps from a data protection perspective include:
• Conducting regular data audits to understand what data is held, and where.
• Reviewing security practices – not only security infrastructure but other measures such as staff training.
• Agreeing suitable investigation policies and procedures covering key eventualities, which can be used on an emergency basis. These should go beyond the privacy policy an organisation must make available to data subjects, and may well assist organisations seeking to assert that evidence was held with appropriate security – a key concern of regulators and potential litigants.
• Backing up key material, particularly for evidential or recovery purposes following wrongdoing.
• Limiting access to sensitive, confidential or privileged data to only those individuals who require it.
• Instructing external advisers early, particularly to benefit from privilege.
• Keeping contemporaneous records of decisions.
• Reviewing contractual protections in third party contracts.
Conclusion
Given the consequences of getting it wrong, it is perhaps not surprising that some investigators are wary of taking steps that might infringe UK GDPR. The steps outlined above, however, should assist in minimising the risk of an infringement whilst enabling a full and proper investigation to be undertaken.