FIN.
Abstract image of data pathways

FCA and ICO publish joint statement on vulnerability data

The FCA and ICO have published a joint statement on regulatory expectations regarding firms’ approaches to vulnerability data.

The FCA wants firms to understand the needs of vulnerable customers and take steps to deliver good outcomes for them, including by:

  • Understanding the characteristics of vulnerability that may exist within their customer base and target market;
  • Recognising indicators of vulnerability of respond appropriately to address customers’ needs;
  • Implementing processes that enable customers in vulnerable circumstances to disclose their needs; and
  • Designing and delivering support that is flexible enough to meet the needs of vulnerable customers.

The UK GDPR and Data Protection Act do not prevent organisations from sharing or using personal information where it is appropriate and necessary to protect individuals or provide them with the support they need.

However, data processing used to identify consumer in vulnerable customers should follow certain key principles to ensure it is responsible, proportionate and centred on the individual’s rights:

  • Lawfulness, fairness and transparency;
  • Purpose limitation;
  • Accuracy;
  • Data minimisation and storage limitation; and
  • Security and accountability.

Firms must also have a lawful basis for processing personal data. There are several lawful bases under the UK GDPR that may be relevant to firms. These include: consent; contract; legal obligation; vital interests; and legitimate interests.

The guidance also sets out how firms should treat special category data, that is particularly sensitive information such as health data, and how they should conduct data protection impact assessments.

Laura Wiles