credit rating + partner at same address?

[willtheywontthey]

yup - but any hint on ruining their so-called defence there linked ot 7(3) at all - is it make-believe by them or 'tweeked' or downright lies?

[cerberusalert]

They are hiding behind the Act, you could try sending them this;

 

Dear Sir,

 

You have stipulated that you require proof of my identity/signature before you comply with my SAR, may I bring the following to your attention;

Data Protection Act Good Practice Notes:

 

2. Do you have enough information to be sure of the requester’s identity?

Often you will have no reason to doubt a person’s identity. For example, if a person with whom you have regular contact sends a letter from their known address it may be safe to assume that they are who they say they are.

 

Suffice to say that if the Information Commissioners Office are satisfied that if you have previously corresponded with me at this address then it is reasonable that I am the person I say I am, therefore there is no leglislation nor guidelines that you can hide behind in an attempt to avoid fullfilling my legal request.

 

If you still fail to comply to my legal request, I will have no other option than to complain to the Information Commissioners Office & if my complaint is upheld you will be liable to a £5000 fine.

 

Yours,

Print name do not sign.

http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/checklist_for_handling_requests_for_personal_information.pdf

http://www.consumeractiongroup.co.uk/forum/attachment.php?attachmentid=8861&d=1242456802

[willtheywontthey]

thanks (yet!) again

 

Is there anything truthful about their actual reply. I would like to shoot that down if possible - I have used the line you suggested before but they ignored it stating this most recent waffle.

 

ps. I thought ICO do not fine them if they breach DPA...? (have had 3 other OCs found 'guilty' by ICO but that was it - no fine nothing - zilch)

[cerberusalert]

The rebuttal is the Good Practice Guide, if they are writing to you and discussing the matter if they are not sure who you are they are in breach of the data protection act, if they are sure you are who you are they cannot hide behind Section 7 (3)

[willtheywontthey]

well having asked the ICO for advice on this issue of whether Equifax had the right to ask for documents etc etc they returned some unfortunate news which I did not expect:

 

from a caseworker (Caseworker 2 - only reply and most recent response)

 

Whilst the ICO can understand and sympathise with your frustrations, in this case it is appropriate for Equifax to quote Section 7 (3)

 

“A data controller is not obliged to comply with a request under this section unless he is supplied with such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request and to locate the information which that person seeks.”

 

and request further documentary evidence to satisfy themselves of your identification.

 

This is likely to be for a number of reasons, but primarily to protect your personal data from being accessed by someone other than yourself, due to the sensitive financial nature of the data Equifax hold therefore preventing the potential for ID theft.

 

Whilst this office can in no way compel you to comply with Equifax’s request, it would be our recommendation that you do so, in order to facilitate a timely resolution to your request.

 

In addition, the requirement of Equifax for you to complete a standard request form is not covered by the Act; however, it would be the recommendation of this office to again comply with Equifax’s request, in order to facilitate a timely resolution to your request.

 

Upon you complying with Equifax’s requirements, we would expect a prompt response from them; however, you should note that their statutory response period of 40 days would only begin from the time you furnish them with the identification evidence they have requested.

 

 

 

 

and another caseworker responding to my concerns where I quoted the ICO guidelines regarding 'if they knew me already send me the stuff' and therefore they know me. Also quoted above advice from earlier posts.

 

 

 

(Reply 3 - Caseworker 1)

The guidance you have quoted is a checklist for small to medium sized businesses that are unlikely to hold the same levels of information held by a credit reference agency or have the same level of standard procedure in place to deal with legal requests such as Subject Access Requests.

 

This guidance encourages these organisations to use their own judgement in determining the identity of any individual requesting personal information. Whilst the note provides suggestions such as asking for a piece of information or using the address for correspondence to confirm identity, this is guidance only, and not legally binding, organisations are able to set-up their own procedures that will be relevant to their own business.

 

Earlier the same caseworker also said : (but note reference to credit report??)

 

(Reply 2 - Caseworker 1)

Section 7(3) of the Data Protection Act 1998 states that “A data controller is not obliged to comply with a request under this section unless he is supplied with such information as he may reasonably require in order to satisfy himself as to the identity of the person making the request”

 

It is the responsibility of the data controller to decide how to confirm the identity of the requesting individual so far as this is reasonable. With regard to the volume of information that can be contained in a credit report, and the harm that can possibly be caused if it was provided to the wrong person, it is not unreasonable for the data controller to require proof of identification in the form of bills or forms of ID – this is stated on our website page on securing a credit reference file. Different companies will have different procedures, and this explains the difference between the procedures for getting the credit report from Experian and Equifax.

 

 

 

 

Even earlier still the same caseworker said:

 

 

(Reply 1 - Caseworker 1)

 

Under section 7 of the Data Protection Act 1998, a data controller, in this case Equifax, must be certain of the identity of any individual making a subject access request (SAR). Credit reference agencies hold significant amounts of data on a large number of individuals, and there is a possibility of releasing incorrect information if the identity of an individual making a SAR is not properly clarified.

Equifax is therefore entitled to withhold the information until such time as the identity of the requesting individual can be confirmed.

 

The steps taken to verify an individual’s identity may appear cumbersome or unnecessary, however these steps are taken to reduce the possibility of fraud, breach of the DPA and identity theft. Cross-referencing bills or other forms of identification not only confirms a persons name and address, it confirms that the individual has multiple current relationships with other known bodies, making it unlikely that the request is fraudulent.

 

This also ensures that the data controller can provide all relevant documentation as part of the SAR, as they will use this information to put together your file.

 

The data controller should return all original documents to you.

Edited November 12, 2009 by willtheywontthey

[humbleman]

WW

 

ICO is run by I*****

[willtheywontthey]

just upping this in hope somebody can disprove what FOS said or for somebody to slag them off so I can feel better .......

[willtheywontthey]

one last 'hup' in hope somebody can find a way so I do not have to send 2 documents and dob to Equifax. I need to get the details off them so unless there is a way out I'm going to have to reluctantly give them my documents

[willtheywontthey]

Having had my SAR documents from Experian I notice on the credit report part which states company name, amount etc and the 6/5/3/3/0/0/ etc numbers for how I paid - anyhow I noticed that these only go back about 12 months. What about 'before' this? I had a comment written on one regarding my concerns that default was not valid. That's no longer there and I cannot see anything on there other than in logs whcih is really confusing. Is that acceptable?

 

What do the numbers mean (I know on website it says but hardcopies do not mention as far as I can tell) - I thought 8 was default but I seem to have 6's on those that should be defaulted?

 

Also is it possible to get anything removed from Experian if OCs or DCAs cannot find CCA or move account along to somebody else?

 

One time I asked them t check with OC regarding my very first account but OC replied back saying 'yes it is - did not do what we told them to' basically. No evidence nothing. Eperian say they scrutinize etc but based on the 'OC told us you defaulted so we believe them' mentality how can that be true? Is there no simple steps to resolve anything?

[cashins]

Having had my SAR documents from Experian I notice on the credit report part which states company name, amount etc and the 6/5/3/3/0/0/ etc numbers for how I paid - anyhow I noticed that these only go back about 12 months. What about 'before' this? I had a comment written on one regarding my concerns that default was not valid. That's no longer there and I cannot see anything on there other than in logs whcih is really confusing. Is that acceptable? If you think they have not fully complide with your SAR you need to go after them on that issue.

 

What do the numbers mean (I know on website it says but hardcopies do not mention as far as I can tell) - I thought 8 was default but I seem to have 6's on those that should be defaulted? Numbers mean 2 - is two months behind on payments etc.behind etc.

Also is it possible to get anything removed from Experian if OCs or DCAs cannot find CCA or move account along to somebody else? Yes, the info they hold should be accurate - but it's a struggle

 

One time I asked them t check with OC regarding my very first account but OC replied back saying 'yes it is - did not do what we told them to' basically. No evidence nothing. Eperian say they scrutinize etc but based on the 'OC told us you defaulted so we believe them' mentality how can that be true? Is there no simple steps to resolve anything?

 

David

[willtheywontthey]

It's been a couple of years since I got information from a couple fo CRAs. Prior to that I used Experian but it seemed (there was a thread - a very long one ages ago) that if you joined with Experian then you'd end up being 'switched on' somehow and get loads of comms from all and sundry offering this and that...... it was advised not to use them so I didn;t.

 

I then sent a SAR (£10) to three of the agencies a couple of years ago. Two wanted one piece of ID and the other CRA wanted one ID... I didn;t want to give two so I didn;t (which reminds me they kept my tenner!) and got no information from them.

 

I seem to recall I did send £10 for a full SAR rather than a credit report because I thought the credit report would also 'alwrt' other organisations I was looking at my credit report and it would be noted by Experian and the likes. If I did a SAR thry couldn;t log it on there - or so I thought / think (!)

 

What's the latest on the CRAs behaviour regarding alerting others (somehow) you're searching your credit recors and is there an issue if I go for the £2 (if it still is that?) credit search rather than a SAR - I'd like not to spend so much on them!!

 

Thanks

[BRIGADIER2JCS]

Applying for and searching your own

report does not alert anyone about anything,

big myth that DCA's and others can see your

own use of CRA files it has no impact what so ever.

[BRIGADIER2JCS]

30 day free trials are available from the major CRA's.

[willtheywontthey]

wow - so far that completely contradicts the CAG mantra from a couple of years ago. I will have to find that thread and link to it. Changes in law I can understand but am surprised the info. could be different on cag now than before. i seem to recall it was a 'hot potato' topic at the time...

[BRIGADIER2JCS]

I can guarantee that the information

I've posted is accurate and has in fact

been so for many years, there was a great

deal of mythology built up about what

the CRA's did or didn't do, for instance

that they hold a'' black list'' of properties

so any occupants at any time would be refused

credit.

I agree mistakes are made by CRA's as in any business

but the responsiblity for the accuracy of the dat

lies firmly with the organisation that places it, any complaint

must therefore be made to the creditor.

I completed a three year project on the CRA's

which will take 6-12 months to collate and write up.

 

I have to say I have been more pleasantly surprised

than I exp[ected.

[willtheywontthey]

thanks - but I, as did many people some time ago, posted that we received many 'new' phone calls, emails, letters almost immediately after checking credit score. It was a VERY big debate on CAG some time ago - cannot believe this view has completely been overtaken with a new one but always appreciate differing opinions. How (why!) would you do research on CRAs??!

[BRIGADIER2JCS]

The main source of these mystery call etc

is the comparison site and the like.

THE CRA SEARCHES HAVE NEVER IMPACTED ON

ANY OTHER AREA ONLY YOU SEE YOUR OWN

SEARCHES!!!!!

[willtheywontthey]

I appreciate your opinion but...... anyhow - I'll find that thread but it will take me ages.

[BRIGADIER2JCS]

Can I just say this is not opinion but

fact based on 3 years of research including

responses etc., from the agencies.

[willtheywontthey]

Hi again

 

I really do appreciate your input honestly and will take your information 'on board'. I also realise that many 'opinions' on forums are exactly that so I do really take all on board. Just wanted to find that darned thread - made an interesting read. A random check of certain pages of posts have led nowhere - will find it probably tomorrow so that you can review it if you wanted to. It was a topical sticky and very long.

 

Is there actually any such facts available for average Joe Bloggs to read about such matters? Otherwise we're stuck with opinions.....

[BRIGADIER2JCS]

I think I know the one you mean, it was

one of the reasons I started my project.

I can't find it on line but I may have screen

prints of parts.

[willtheywontthey]

Cheers.

 

May I ask how you actually managed to do research on CRAs anyhow as I'd imagine (opinion!) that they would be extremely protective in safeguarding all information from competitors, researchers and so on - even their processes I'd imagine thay'd keep closely guarded. Being private companies they don;t have much accountability other than to owners / shareholders..... bit like News International fobbing off Parliament committee(allegedly)

[BRIGADIER2JCS]

I make contact with the agencies and creditors, regulators, politicians'

those with grievances, those who had positive reactions.

The businesses themselves are anxious to dispel the myths

that in fact are far more damaging to the public at large than they

are to their business, it takes time, patience and understanding

of the underlying mistrust and misunderstanding of what

actually happens, even my MP helped.

You may remember my appeal for info from Caggers

last year which produced a good deal if great information.

[willtheywontthey]

Will we (Joe Bloggs) ever get to see this research and its findings? Have there been any other research prjects on them... make a good MBA project for an insider

 

I suppose it's actually quite simple for CRAs to dispel the myth about them if they clearly stated they do not sell on / distribute personal details when you ask to see your credit file - why don;t they say this if it's not true? I'm still very wary of them until I get some 'facts' I suppose and will err on the side of prevous opinion until my brain catches up with real-time! A SAR to them it will be yet again !

[BRIGADIER2JCS]

1, yes still a lot to collate and edit started 3 years ago almost

to the day, I have interest in the project from a number of areas.

2. CRA's sell demographic information, such as prosperous

areas, areas that a business might make useful business promotions etc.,

This information is not in any way personal or identifiable to any individual.

3. They don't have to say anything the Data Protection Act says it for them,

if they have not been in compliance as and when their performance is audited

then they are in serious trouble.

4. SAR if you will IMHO ten quid for something you can get for two.