The Information Commissioner’s Office (ICO) has published a brief consultation seeking views on ways to improve its guidance for businesses on how they can comply with data protection law when sharing information for the purposes of preventing, detecting, and investigating scams and frauds.

The initial guidance was published at the end of last year with the intention of supporting “private sector organisations across the digital economy such as financial services, telecommunications and digital platforms that want to share personal information with each other to support scam and fraud mitigation efforts”.

It contained a six-point list of considerations that organisations should take into account when seeking to share data:

1. Conduct a Data Protection Impact Assessment to assess the benefits and potential risks associated with sharing the data.
2. Consider at an early stage whether the organisations sharing the data will be separate or joint controllers.
3. Set up data sharing agreements setting out the purpose of the data sharing, the practicalities of the process, and the respective responsibilities of the parties.
4. Identify a lawful basis for sharing personal information.
5. Understand the risks associated with potentially sharing criminal offence data.
6. Comply with the data protection principles.

The consultation seeks to assess how useful the guidance has been for organisations, asking whether it has influenced policies, beneficially improved awareness about how to share data for the purposes of preventing scams or fraud, or if implementing changes as a result of the ICO’s advice has proved difficult. It also seeks views on whether the guidance is clear and understandable, and if any aspects can be improved or clarified.

The deadline for submissions is 31 December 2025, and more information can be found here.