Cifas fair processing notice for fraud prevention and detection

‍

What’s this? When you first collect Personal Data from someone, Cifas recommends you include a short notice in your Privacy Policy. This document has their recommended wording for this notice – there’s a short notice, and a full notice. (If you use the short version, you need to tell people they can ask for the full one.)

You don’t have to use the text exactly as it is – as long as the meaning and key points are the same, Cifas are flexible about the actual wording. But they do recommend you keep the paragraphs in the same order.

1. Cifas recommended wording for the short notice

1.1. The short notice must clearly explain to someone what happens when you Process their Personal Data. The recommended wording is:

“The personal information we have collected from you (concerning all directors, beneficial owners and persons providing a personal guarantee) will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by our lenders and these fraud prevention agencies, and your data protection rights, can be found by [DESCRIBE HOW TO OBTAIN THE FULL NOTICE].”

You must include a short notice of some kind – you can’t just replace this with a link or a reference to another document.

2. Wording for the full notice

“General

1. Our lenders will undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require them to process personal data about you.
2. The personal data you have provided, we have collected from you, or we have received from third parties will be used by our lenders to prevent fraud and money laundering, and to verify your identity.
3. Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details and device identifiers including IP address.
4. Our lenders and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.
5. Our lenders will process your personal data on the basis that they have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect their business and to comply with laws that apply to them. Such processing is also a contractual requirement of the services or financing you have requested.
6. Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

Consequences of processing

7. If our lenders, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, they may refuse to provide the services or financing you have requested. 
8. A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.

Data transfers

9. Whenever fraud prevention agencies transfer your personal data outside of the United Kingdom or European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.

Your rights

10. Your personal data is protected by legal rights, which include your rights to object to our processing of your personal data; request that your personal data is erased or corrected; request access to your personal data.
11. For more information or to exercise your data protection rights, please contact us using the contact details above.
12. You also have a right to complain to the Information Commissioner’s Office which regulates the processing of personal data.”

‍