Latest Arguments by Experian


Tinkerbelle

One of the conditions for processing in Schedule 2 is that the individual has given his consent to the processing. It is the view of the Information Commissioner that consent is not easy to achieve and that organisations should consider other conditions for processing before looking at consent.

 

In the context of applying for credit, consent to share information with the credit reference agencies cannot be freely given. This is because if you do not agree to your data being shared then your application will simply be rejected. In other words you have no choice if you want the credit on offer. The Information Commissioner has notified us that the condition for processing below covers the sharing of account data with the credit reference agencies for the duration of a contract and six years beyond.

 

"The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject."

 

We have been informed that the Information Commissioner takes a wide view of the legitimate interests and considers that it is in the interests of other creditors to make informed lending decisions.

 

The fifth data protection principle states that:

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

 

Account information is held by credit reference agencies for a period of six years after the account was last active. In addition to current credit commitments, the preceding six years of an individual's credit history is taken into account by credit grantors when applications for credit facilities are assessed. As a consequence, this historical information is relevant to the purpose of credit referencing and by holding this data the Information Commissioner has confirmed that the credit reference agencies do not appear to be in breach of the fifth principle.


I'm sure I've read that before somewhere? ;)

 

 

anyway...

 

Experian are also arguing that there is a difference between 'settled accounts' that were simply 'settled' and accounts that were 'settled defaults'

 

They argue that the concessions in the letter to Surly on 6th September (see sticky) only apply to 'settled accounts' and not to 'settled defaults'

 

They argue that the CCA allows new terms to be included in the default notices that may allow such notices to remain 'on file' for six years.

 

They still maintain that no data can be removed from a subject's credit file without permission from the subscriber.

 

They also state (possibly correctly) that 'consent' is not required through the DPA but through the 'CCA', which goes a long way to explaining why Vodafone and other mobile phone companies are claiming that their contracts are NOT covered by the CCA so that they can avoid any issues of 'consent'.


But what about when the Data Controller asserts Exceptions to the DPA under Sections 29 and 35? Basically, they can use this as a bogus excuse and you're completely fried - unless the ICO agree with you and take up the matter on your behalf?


EXEMPTIONS

 

29. - (1) Personal data processed for any of the following purposes-

 

    (a) the prevention or detection of crime,

    (b) the apprehension or prosecution of offenders, or

    (c) the assessment or collection of any tax or duty or of any imposition of a similar nature,

are exempt from the first data protection principle (except to the extent to which it requires compliance with the conditions in Schedules 2 and 3) and section 7 in any case to the extent to which the application of those provisions to the data would be likely to prejudice any of the matters mentioned in this subsection.

(2) Personal data which-

    (a) are processed for the purpose of discharging statutory functions, and

    (b) consist of information obtained for such a purpose from a person who had it in his possession for any of the purposes mentioned in subsection (1),

are exempt from the subject information provisions to the same extent as personal data processed for any of the purposes mentioned in that subsection.

(3) Personal data are exempt from the non-disclosure provisions in any case in which-

    (a) the disclosure is for any of the purposes mentioned in subsection (1), and

    (b) the application of those provisions in relation to the disclosure would be likely to prejudice any of the matters mentioned in that subsection.

(4) Personal data in respect of which the data controller is a relevant authority and which-

    (a) consist of a classification applied to the data subject as part of a system of risk assessment which is operated by that authority for either of the following purposes-

      (i) the assessment or collection of any tax or duty or any imposition of a similar nature, or

      (ii) the prevention or detection of crime, or apprehension or prosecution of offenders, where the offence concerned involves any unlawful claim for any payment out of, or any unlawful application of, public funds, and

    (b) are processed for either of those purposes,

are exempt from section 7 to the extent to which the exemption is required in the interests of the operation of the system.

(5) In subsection (4)-

    "public funds" includes funds provided by any Community institution;

    "relevant authority" means-

      (a) a government department,

      (b) a local authority, or

      (c) any other authority administering housing benefit or council tax benefit.

     

35. - (1) Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court.

(2) Personal data are exempt from the non-disclosure provisions where the disclosure is necessary-

    (a) for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or

    (b) for the purpose of obtaining legal advice,

or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

     

I don't see anything at all in here that allows a CRA to argue that they can process non-public data (e.g. default notices) following the expiration of a contract.

In terms of (29) prevention of crime, that's what CIFAS and GAIN markers are for, if you don't have any of those on your file how can they argue an exemption under crime prevention?

And (35) unless ordered to do so by a court - fine. I completely agree with this, if a CRA can convince a judge that it is in the public interest for them to continue processing settled default notices then I shall doff my cap and say fair play m'lud. But until they do this... no dice I'm afraid.


I've just had a series of letters from an Insurance company (I have no contractual dealings with them) and the end of the letter contained a 200w statement, basically saying my details would be used and disclosed in a manner dictated by the Insurance industry. I responded by saying they did not have my permission, my first reply stated they could do it under s29, when I said that was nonsensical, they replied saying they also could do it under s35! Faced with that level of 'we can do what we want in the name of stopping crime' is both high-handed and in need of reining in. I have no problem with law enforcement access, it's these fast-and-loose interpretations that need nailing down by the ICO.


Absolutely! However much I appreciate this forum, it would be really nice (for once) to have a 'report injustice' button to some regulatory authority that could fix the problem without having to resort to countless emails, threats of court action, SARs and of course... the Courts!


Absolutely! However much I appreciate this forum, it would be really nice (for once) to have a 'report injustice' button to some regulatory authority that could fix the problem without having to resort to countless emails, threats of court action, SARs and of course... the Courts!

And how are things this morning in glorious utopia? :D
