The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 govern how personal data is processed in the United Kingdom. Because a CIFAS marker is a form of personal data, these laws apply directly to how it is recorded, stored, and shared in the National Fraud Database (NFD).
This means that CIFAS and its members must ensure every marker complies with the principles of data protection. If they fail to do so, the marker may be unlawful.
GDPR Principles and CIFAS Markers #
The CIFAS Principles closely mirror the principles of GDPR, including:
- Lawfulness, Fairness and Transparency – A marker can only be filed if you have been informed of how your data will be used, normally through a Fair Processing Notice.
- Purpose Limitation – Data can only be used for the prevention and detection of fraud, not for unrelated purposes.
- Data Minimisation – Only relevant information should be kept, and not longer than necessary (six years for markers).
- Accuracy – Data must be accurate and updated. If new evidence emerges that changes the picture, the marker should be amended or removed.
- Storage Limitation – Data should be securely deleted once it is no longer needed.
- Integrity and Confidentiality – Access to the NFD must be secure and restricted to authorised staff only.
If a member fails to meet these principles, the marker may breach both the CIFAS Handbook and data protection law.
Your Rights Under GDPR #
As the subject of personal data, you have several rights under GDPR that are highly relevant to CIFAS markers:
- Right of Access (DSAR) – You can submit a Data Subject Access Request (DSAR) to any bank or CIFAS itself to see what data they hold on you. This is often the first step in challenging a marker.
- Right to Rectification – If data is inaccurate or incomplete, you can request a correction.
- Right to Erasure (Right to be Forgotten) – In certain cases, you can request deletion of your data, especially if it is being unlawfully processed.
- Right to Restrict Processing – You can ask an organisation to limit how your data is used while a dispute is ongoing.
- Right to Object – You can object to the use of your data for fraud prevention if it is disproportionate or unfair.
Why This Matters for CIFAS Challenges #
Most CIFAS challenges begin with a DSAR. This allows you to see:
- The exact case type filed against you.
- The evidence the bank or member relied on.
- How the decision to file was made.
If the evidence is weak, inaccurate, or does not meet the Standard of Proof, you can use GDPR rights to demand correction or removal.
This makes GDPR and data protection law one of the strongest tools for overturning unfair markers.
