Rachael Eyre, our Head of Regulatory Services and data protection practitioner, asks whether firms can validly sanctions-check third parties without express consent.
In our recent webinar we mentioned that the latest SRA sanctions guidance suggests there are times when you may need to check whether or not a third party (be it a funder or the opposition) is a ‘designated person’ i.e. they are subject to a financial sanction.
Firms must not act for designated persons unless either a general licence applies or you get a specific licence from the Treasury.
Many firms check their own clients using an Electronic Identification and Verification system (ED&I) (such as Thirdfort, Legl, Smartsearch, Traceflow etc).
Surely you can just use the same system for third parties?
Well, it depends on your basis for processing, how your ED&I system works and what your provider says. Let's look at the pros and cons of the bases of processing.
How ED&I works (in general)
This is just a general guide and you should speak with your provider. Many ED&I providers work by processing consumer credit information via Experian or Equifax, which checks a person's credit file against the information provided, along with checking electoral rolls and passport or driving licence details.
This is great for a full Anti-Money Laundering check, but excessive for a sanctions check.
Principles of Processing Personal Data
- Lawful, fair & transparent
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality
Lawful Bases for Processing
- Legal obligation – you have a legal obligation to check for sanctions and designated persons, but you also need to comply with the principles of data minimisation. If your ED&I provider can do a simple check against the sanctions list, with updates, then this is a good basis to rely on. Speak with your provider about it as they have their own agreements and bases with their providers. If the checks include a credit check, then this, in my opinion, would breach the data minimisation principle.
- Contract – this is the basis on which you process the information in respect of your client and the ED&I provider may have given you some wording to put into your letter of engagement or terms of business. You obviously don’t have a contractual relationship with third parties.
- Legitimate interest – you could potentially use this ‘fallback’. Again, the data minimisation point rears its head. Moreover, you would open yourself up to difficulties. All data subject rights apply when legitimate interest is used, including the right to erasure. You could find yourself having to delete your sanctions checks leaving you open to being in breach and not being able to demonstrate you carried out reasonable checks.
- Consent – has all of the same difficulties with Subject Rights as Legitimate Interests, in addition to getting valid consent from the third party.
- Vital interests – does not apply in this situation and neither does public interest.
We think the strongest basis for lawfully processing third party sanctions checks is ‘Legal Obligation’, bearing the following in mind:
- Data minimisation. Check you are only processing what is necessary to check for sanctions. Have a chat with your ED&I provider, or simply use the publicly available sanctions checking tool from the Treasury and take a screenshot.
- Ensure third party sanctions checks are included in your data process maps/data flows and in your publicly available Privacy Notice/Data Protection Notice.
- Do not forget the ongoing duty to check. If you do not have updates from your ED&I provider, do you need to run checks with the Treasury database on a regular basis?
- Document your decision and why you took it, including when you will make checks on third parties, what data you will process and your lawful basis.
Data protection is there to protect individuals but not to stop you complying with your obligations. A little thought is needed on how to keep the two requirements in line with each other.