Fraud Investigations – Reliance on Legitimate Interests
With daily life disrupted and working patterns altered thanks to COVID-19, it is more tempting than ever for opportunists to seek to defraud organisations and individuals. We are seeing many organisations reviewing their current fraud monitoring practices and managing an increase in fraud investigations.
Fraud investigations can be complex and resource-intensive. They can also present myriad privacy and data protection risks. Organisations should take deliberate steps to assess privacy and data protection within a framework, in order to comply with the EU General Data Protection Regulation (GDPR) and other data protection requirements.
A fundamental principle of data protection law is that personal data must be processed lawfully. Of the legal bases available, we will focus on legitimate interests, the most flexible and commonly used basis for processing data.
Legitimate interest centres on whether the rights and freedoms of individuals “override” the interest of the entity processing their data in a given case. In the context of fraud, the legitimate interest is usually clear: indeed, the GDPR cites fraud as an instance where legitimate interest can be an appropriate basis for processing data.
The legitimate interest basis thus gives organisations a good deal of flexibility to conduct fraud investigations lawfully. Even so, they must still justify their conduct. This is commonly done by completing a legitimate interests assessment (LIA).
The LIA
An LIA describes the legitimate interest(s) and the rationale behind carrying out the processing of individuals’ data. From a practical perspective, it is beneficial for organisations to undertake the LIA as part of, or alongside, a wider privacy impact assessment (PIA) or data protection impact assessment (DPIA). The LIA is not a formal legal requirement, but it is an increasingly common exercise undertaken by organisations seeking to conduct compliant fraud investigations.
Organisations should keep in mind that legitimate interest is not a one-size-fits-all tool. As an investigation progresses, the risks to the rights and freedoms of individuals may increase or change. As such, the lawful basis may become narrower and the requirements stricter. An LIA ensures that the parameters of the legitimate interest – and the risks to individuals – are clear and understood, helping organisations demonstrate accountability and uphold data management standards.
Balancing the LIA: the key tests
An LIA should be undertaken before placing reliance on legitimate interests as the legal basis for conducting investigative activities for tackling fraud. The LIA should be documented, either as part of a PIA or DPIA, within the records of processing activities, or in a standalone document. The LIA assesses the legitimate interest in relation to three core criteria, set out below:
- Purpose Test
- Necessity Test
- Balancing Test
As well as the three tests, there are other key factors which should be subject to careful consideration in the context of fraud prevention and detection activities. Specifically, transparency and information rights are a fundamental part of data protection law. Privacy notices issued to all individuals – including customers – should refer to anti-fraud related activities. Privacy notices and internal acceptable usage policies should set out expectations on employee use of company IT systems and devices, as well as how these policies are monitored and reviewed.
While in most cases individuals must be informed about the processing of their personal data, there are circumstances that would permit processing personal data for the purpose of investigating fraud without informing the individual. For example, this may apply in the context of market abuse investigations where informing the individual would be prejudicial and likely to constitute a ‘tipping off’ offence. Having said that, such exemptions are generally narrow in scope and difficult to rely on.
Equally important is to minimise the amount of personal data collected to ensure it is “adequate, relevant and limited to what is necessary”. Needless to say, organisations should resist the temptation to over-collect or harvest personal data, especially given the increase in using AI techniques to detect fraud. Organisations should also be aware of the pitfalls of using personal data for secondary purposes. For example, an investigation into an internal fraud regarding a specific employee may uncover attendance data suggesting wider timekeeping and attendance issues within the business. Careful steps should be taken to prevent personal data being used for purposes outside the remit of the original investigation.
In the event it is not possible to conduct a PIA or DPIA (for instance, due to time constraints), there are practical steps organisations can take at the outset of an investigation to limit their privacy risk exposure:
- Define the objectives and scope of the investigation, the personal data to be interrogated and the location of the systems and servers where that data is stored;
- Establish a core group of interested stakeholders, ensuring timely participation from key functions including Technology, Information Security, Human Resources or the Data Protection Officer;
- Create a process for conducting sample-based human reviews of outputs where automation is used for predictive analytics purposes;
- If applicable, conduct a balancing test assessing the purpose and necessity of the legitimate interest against its impact on individuals;
- Put in place contracts or non-disclosure agreements with third-party service providers who may assist in the investigation, making sure to include suitable data protection clauses;
- Define data storage protocols and access controls;
- Identify any cross-border data transfers and put in place data transfer agreements, incorporating standard contractual clauses or identifying the ad-hoc derogation to be relied on (if applicable); and
- Establish clear data retention and record-keeping parameters once the investigation has been completed.
Conclusion
Fraud investigations are complex, multi-faceted and often need to be conducted at pace. By following the above actions, organisations can satisfy the legitimate interests legal basis in relation to anti-fraud activities and investigations. It is perfectly reasonable for organisations to use legitimate interests as justification for undertaking fraud investigations (including the use of enhanced techniques based on machine learning and artificial intelligence), provided the rationale for doing so can be evidenced alongside or as part of a PIA or DPIA. Conducting an LIA can help to mitigate additional risk and provide assurance that the investigation is compliant.
A&M’s investigations professionals have extensive operations and advisory experience together with a proven track record in leading businesses through tough, complex situations. To learn more about our expertise and to understand the full scope of our services, please get in touch with one of our authors.