Credit Ref Agency reply to DPA s.12 request-help please

[Tinkerbelle]

Like the letter

 

If I were you I'd send it via Recorded Delivery. At least you then have hard proof.

 

There is no guarantee that the fax will actually get to the right department.

 

Good Luck!

[Number6]

I did intend to mail it recorded anyway, just thought I'd fax a copy as well to give them a bit more time, kind soul that I am!

 

Pete

[Tinkerbelle]

I did intend to mail it recorded anyway, just thought I'd fax a copy as well to give them a bit more time, kind soul that I am!

 

Pete

 

Pah!! Forget being kind to that lot... LOL

[Number6]

Sent it recorded delivery today.

 

I shall await developments with interest.

 

Pete

[andrew1]

Well done, this looks great to me.

One thing that I picked up in Surlybonds postings and where I think Tinkerbelle is coming from is that if you have had credit with an organisation they automatically update the CRA's every month for 6 years, so if you stop them rather than the CRA's then you have achieved the objective and removed the monthly updates. If the contract has ceased then the argument is also that they should stop the processing, which of course they don't. Removing the ability of the CRA's to process the data stops them supplying anyone else and they are going to be a bit shell shocked because nothing like this has ever threatened their existance - and it does BIG TIME .

 

I take the argument that you can use the CRA to your advantage by clearing the historical information but remaining on it sufficiently enough so as not to create a kind of ' black list' - if your not on it you have something to hide approach.

 

They'll find a way of interpreting a 'non shower' you can guarantee.

 

This is going to be very interesting as I think the above letter is well structured to get the answers needed. Good luck and well done

[Number6]

Well done, this looks great to me.

One thing that I picked up in Surlybonds postings and where I think Tinkerbelle is coming from is that if you have had credit with an organisation they automatically update the CRA's every month for 6 years, so if you stop them rather than the CRA's then you have achieved the objective and removed the monthly updates. If the contract has ceased then the argument is also that they should stop the processing, which of course they don't. Removing the ability of the CRA's to process the data stops them supplying anyone else and they are going to be a bit shell shocked because nothing like this has ever threatened their existance - and it does BIG TIME .

 

I take the argument that you can use the CRA to your advantage by clearing the historical information but remaining on it sufficiently enough so as not to create a kind of ' black list' - if your not on it you have something to hide approach.

 

They'll find a way of interpreting a 'non shower' you can guarantee.

 

This is going to be very interesting as I think the above letter is well structured to get the answers needed. Good luck and well done

 

I do understand the logic of getting the creditor to remove any defaults etc and I agree that that is the way to go for most people.

 

What I'm doing is more by way of an experiment. A) I want to see how easy it is to get the CRA's to sit up and take notice of the fact that they are NOT all-powerful demi-gods and that they have to comply fully with the Data Protection Act. B) I want to see what actually does happen when I apply for credit after having got my data removed.

 

It's obvious from the responses so far from the CRA's that they seem to be self-delusional and assume that they can do what the hell they want; that attitude rubs me up the wrong way and makes me more determined to do something about it.

 

I'll keep you all informed as I go along.

 

Cheers.

 

Pete

[pford]

Neither do I been sending them emails on why they are allowed to hold this data for 6 years there responses are a joke. Have a look at my thread here for their responses.

[Number6]

I now have a reply from Callcredit, basically saying bog off.

 

the relevant paragraph is (paraphrased slightly):

 

"The element of the Data Protection Act to which you have referred relates to automated credit decision making, which is carried out by organisations who process credit applications. Our role as CRA is to provide accurate data and products. We do not play any role in the actual acceptance or rejection of credit applications.

 

For our part, we ensure that we take active steps to ensure (?) that the data we provide is accurate. Only if it is innacurate do we take steps to amend or remove the data.

 

Now to me this is buls**t. Section 12(1) of the Data Protection Act states:

 

An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct.

 

I interpret this as stating that the CRA has to take steps to ensure that the data is not processed automatically, not just the applicant company.

 

What does the panel think?

 

Pete

[andrew1]

I think they might be asking themselves the question " what contract do we have with the customer that gives us the right to process his/her data and supply it to anyone who asks " The DPA forbids it without your permission. They are struggling for words - choking with a bit of luck!

[Number6]

This reply is going to Callcredit:

 

"Dear Mr Ward,

 

Thank you for your reply.

 

I do not agree with your claim that Callcredit is not subject to Part 2 Section 12(1) of the Data Protection Act 1998. The relevant paragraph reads:

 

“An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct.”

 

You will note that nowhere does it mention any role in the acceptance or otherwise of credit applications, merely that any Data Controller must ensure that no decision is taken based on automated processing of subject data. This does not refer solely to the prospective lender but to any Data Controller involved in the process and this includes Callcredit.

 

Callcredit is making my subject data available to any applicant via an automated process and without Callcredit holding any contract or other permission from me to store or process it by any means, let alone by an automated process. If you disagree with this statement please send me a true and certified copy of the contract whereby I have agreed that you may hold and process my data. You will of course be aware that breach of the Data Protection Act 1998 is a criminal offence.

 

I repeat my demand that you remove all data relating to me from any of your systems that allow the data to be automatically processed. I will give you a further seven days to conform with this demand following which I will commence legal action to enforce your compliance with the Data Protection Act 1998; this action will incur fees and costs for which you may become liable.

 

I look forward to receiving your confirmation by close of business on 8th September 2006."

[Tinkerbelle]

You might wanna throw this in for good measure also. It's from the Consumer Credit Act 1974

 

Part XII

Supplemental

 

 

General

 

174 Restrictions on disclosure of information.

 

(1) No information obtained under or by virtue of this Act about any individual shall be disclosed without his consent.

 

It then goes on to list some exceptions none of which is a Credit Reference Agency.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

The full list of exceptions can be found in the Consumer Credit Act 1974 which is now in the library.

[Number6]

Thank you Tinkerbelle. I have thrown it in.

 

Pete

[JamesJ]

S12 of the DPA doesn't refer to how credit reference agencies produce your credit report, it relates to how lenders use this and other information when deciding whether or not to lend. If a particular lender bases their lending decisions solely on credit scoring then you have the right under S12 to have your application reviewed manually - that is all. In fact, most lenders voluntarily did this before this right was added to our data protection legislation in 1998. So I think you are all barking up the wrong tree. If you're in any doubt I suggest you seek advice from the Office of the Information Commissioner.

 

Of course, if information should be removed from a credit report we will happily check with the provider and remove it.

 

James Jones

Experian

[Number6]

S12 of the Data Protection Act doesn't refer to how credit reference agencies produce your credit report, it relates to how lenders use this and other information when deciding whether or not to lend. If a particular lender bases their lending decisions solely on credit scoring then you have the right under S12 to have your application reviewed manually - that is all. In fact, most lenders voluntarily did this before this right was added to our data protection legislation in 1998. So I think you are all barking up the wrong tree. If you're in any doubt I suggest you seek advice from the Office of the Information Commissioner.

 

Of course, if information should be removed from a credit report we will happily check with the provider and remove it.

 

James Jones

Experian

 

Thank you for your advice.

 

I and others do not agree with your interpretation. A test case via the legal system should settle the matter one way or the other.

[Number6]

Actually James, while you're here perhaps you could give us Experian's views on the following?:

 

In what way exactly does Experian, or any other CRA have the right to store and process private personal data? I have no contract with Experian, nor have I issued Experian with any permission to hold or process or pass on my data.

 

So why do you feel you have the right to do so? I am interested in an explanation.

[JamesJ]

Thank you for your advice.

 

I and others do not agree with your interpretation. A test case via the legal system should settle the matter one way or the other.

 

It might also be expensive for you and others, so you should seriously consider seeking legal advice or, at least, advice from our regulator first.

 

Regards

James

[JamesJ]

Actually James, while you're here perhaps you could give us Experian's views on the following?:

 

In what way exactly does Experian, or any other CRA have the right to store and process private personal data? I have no contract with Experian, nor have I issued Experian with any permission to hold or process or pass on my data.

 

So why do you feel you have the right to do so? I am interested in an explanation.

 

We are licensed under the Consumer Credit Act to operate a consumer credit reference agency in the UK. So as long as we adhere to the obligations placed upon us by that legislation, by the Data Protection Act and any other relevant legislation we have a right to operate our business. We also go beyond the letter of the law as we are a responsible and reputable business. In fact, we are currently UK business of the year.

 

Of course, one of the fundamental principles of data sharing in the UK is that data can only be shared and stored with the consumer's consent, unless the data is in the public domain already. That is why lenders obtain your consent, (when you apply for credit) to check your credit report, for a record of the check to be retained by the CRA, and for information about any subsequent account you are granted to be shared with other lenders through the CRAs, to promote responsible lending, fight fraud etc.

 

If you really want to wipe data off your credit report (and in my opinion you would be crazy to do so as you would end up with a very, very low credit score making obtaining any sort of credit unnecessarily difficult) you would need to contact the lenders you had previously given consent to share your data to and ask them if you can now withdraw it. I think in practice you'd find they'd say no as it was an element of the legally-binding contract you entered into with them.

 

James

[Tinkerbelle]

We are licensed under the Consumer Credit Act to operate a consumer credit reference agency in the UK.

 

James

 

Any comments on post #36?

[jamesbond]

i fail to see how you feel you are beyond the letter of the law irrespective of how many awards you hold. my brother in law holds a consumer credit license but is not above the letter of the law.!! in reality you are i beileve a business like any other company granted a consumer credit license and are bound by the terms of the data protection and consumer credit laws as laid down in those laws, as are we.

[Number6]

I seem to remember that Enron was US business of the year for quite a few years...!!!

[andrew1]

JamesJ

 

On who's authority do you have the right to give my data to anyone else without my explicit permission?

 

If I do give my permission by way of signature on a contract with a financial institution to share my data with third parties such as yourselves, from where do you derive the right to process that data thereafter?

[Guest Zooman]

JamesJ

 

On who's authority do you have the right to give my data to anyone else without my explicit permission?

 

If I do give my permission by way of signature on a contract with a financial institution to share my data with third parties such as yourselves, from where do you derive the right to process that data thereafter?

nice concept

[Number6]

We are licensed under the Consumer Credit Act to operate a consumer credit reference agency in the UK. So as long as we adhere to the obligations placed upon us by that legislation, by the Data Protection Act and any other relevant legislation we have a right to operate our business. We also go beyond the letter of the law as we are a responsible and reputable business. In fact, we are currently UK business of the year.

 

Of course, one of the fundamental principles of data sharing in the UK is that data can only be shared and stored with the consumer's consent, unless the data is in the public domain already. That is why lenders obtain your consent, (when you apply for credit) to check your credit report, for a record of the check to be retained by the CRA, and for information about any subsequent account you are granted to be shared with other lenders through the CRAs, to promote responsible lending, fight fraud etc.

 

If you really want to wipe data off your credit report (and in my opinion you would be crazy to do so as you would end up with a very, very low credit score making obtaining any sort of credit unnecessarily difficult) you would need to contact the lenders you had previously given consent to share your data to and ask them if you can now withdraw it. I think in practice you'd find they'd say no as it was an element of the legally-binding contract you entered into with them.

 

James

 

Perhaps you would like to comment on this quote from one of your competitor CCA's:

 

"it is necessasry for that company to carry out a credit search therefore, as a Credit Reference Agency Equifax must provide this information and cannot prevent any company from accessing your information automatically"

 

Note that they use "must" and "cannot prevent" as though they delusionally see themselves as some sort of quasi-legal or official body which of course they're not, and neither is Experian. You're just data processing companies that sell private information to anyone that wants it and you have no more right than me to act as though you are above the law.

 

Is it not in fact true that you cannot disclose information about any third party without their express consent? I note James that you made no comment to my specific question as to why you think you have permission to disclose my data. A lender may have permission to pass my information to you or anyone else but that does not give Experian or any other CRA the right to pass that information on to anyone else, you need my direct permission for that. Please directly answer that question.

[jamesbond]

bar the exclusions in schedule 2 which are very restrictive...they can only disclose data with your permission..., given when an application is made with a credit company, how are they able to maintain that agreement for the six year period that they use if your agreement is terminated in less than that period? surely your agreement ended there and with it there rights of disclosure?

[jamesbond]

also when we do agree to allow data to be shared with a credit ref agency i have not read one that defines any 6 year term from completion or default of an agreement...correct me if i am wong? does this not breech your agreement and question the validity of the data you relay?