CRA's and The Data Protection Act 1998

[Sparkie1723]

The members who have read my thread “Big Claim against the RBS” will know how long I have been fighting them and that I took court action against them under the Data Protection Act 1998, my fight is still continuing.

During this time I have had to study the Data Protection Act and all the guidelines etc given by the Information Commissioners Office including the legal guidance given by the Information Commissioners Office.
I would like to put to members (especially mods) of my findings and conclusions.

My first point is about Credit Reference Agencies and their role under the Data Protection Act and the manner under which they operate which in my opinion is an absolute abuse of position and “self assumed power” and I believe could quite arguably be claimed to be unlawful.

As I cannot find any statute or law that states exactly what the powers of CRA’s are, the only real Statute they are truly governed by is…… the Data Protection Act. ( At least the only one I can find) They therefore must comply with that Act.

Nowhere in this Act does it state that CRA’s are forced by law to act in the way they do, that is to say,
They do not have to receive data about individuals, they do not have to store it they do not have to pass it/share it.

They do it because they are a business…….because they make money from it…..a lot of money.

I therefore come to the Data Protection Act by which they are governed and must comply with, they do not have ultimate rights not to comply with every aspect of the Act.

Under the old Data Protection Act 1984 CRA’s were classed as data processors, which meant they considered themselves not responsible for the data they held and passed on be it correct or incorrect, any challenge/dispute with them was merely answered with …….“we are not responsible for the data we are supplied with we only process it on behalf of the supplier”

This appeared to be the norm and accepted ( but even this was challengeable) as under a Privy Council decision of 1908 it was ruled that CRA’s were not immune to a libel claim, which I believe still stands to date.
Under the Data Protection Act 1994 the role and operation of CRA’s has changed, they are now classed as Data Controllers if you consider this statement, it makes it an extremely important one, and has a much greater meaning than the CRA’s would wish individuals to know.


This means now they are just as responsible for holding detrimental incorrect data as the institution that supplied it. They can no longer attempt to hide behind the excuse they did before ….that they only process it on behalf of the supplier.

They are classed as “dual” data controllers each of them as responsible to each other and for each others actions as well as a duty to the individual to ensure the data is accurate true and correct.
I believe that should court proceedings be instigated against a bank or other institution a second and/or
third Defendant should be added …..the CRA as they are jointly responsible with the supplier of that incorrect data.

I now come to a very specific issue and I copy this also from the Legal Guidance issued by the Information Commissioners Office
“Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless – at least one of the conditions in Schedule 2 is met; and in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
Conditions for Processing (Schedule 2 of the Act)
At least one of the following conditions must be met in the case of all processing of personal data (except where a relevant exemption applies):-
The data subject has given his consent to the processing (see paragraph 3.1.5 below).
The processing is necessary –
(a) for the performance of a contract to which the data subject is a party; or
(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

The processing is necessary to comply with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

The processing is necessary in order to protect the vital interests of the data subject.

The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject

The first is the establishment of the legitimacy of the interests pursued by the data controller or the third party to whom the data are to be disclosed and the second is whether the processing is unwarranted in any particular
case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject whose interests override those of the data controller


Because of the above my submission is that as CRA’s cannot fulfil any of the conditions for lawful processing of data, for reason
1.….they never get the individuals consent
2.….the individual has not got a contract with the CRA.
3.….they cannot therefore have a legitimate reason
Every piece of information/ data they pass on…. is passed on unlawfully and they are in breach of they First Principle from day one and they breach it on everyone’s data.

AS no-one has ever considered these aspects, I put all this up for arguments for and against please ….it could be what I believe a breakthrough in cutting the power of the CRA’s…..I intend to challenge them in court soon as I have RBS out of the way in one aspect but will include them in the claim against CRA’s

[bobbyh99]

Sparkie

Very interesting post! Lets just say you managed to get the CRA's into court and won, couldn't they just as easily refuse to hold any information on you, therefore making your creditworthiness (in the eyes of a lender) bad?

I don't have a problem with CRA's holding/storing information about me just as long as it is lawful and correct!

BobbyH

[Sparkie1723]

I agree bobbyh99,
I have no problem with CRA's holding and passing information if it is accurate and up to date AND you have given them permission to do it the same as you have given a creditor to pass on to a CRA again provided it is right and accurate, my point is that CRA's have "assumed" too much power ...unlawfully.....that I do not agree with, there lots an lots of people who have defaults registered against and the CRA's refuse to remove them and pass this information on to third parties....and a default is just as damaging as a county court judgement it a way a creditor can hit you really hard (damage your ability to obtain bank accounts and such) without taking you to court which 95 times out of a hundred they would lose and end up paying you damages......so if the original supplier can be held responsible for the wrong damaging data on your credit file, why not a CRA have the same responsibilty for example say.... court awards you £1000 damages from the creditor ...then a CRA or CRA's should also be liable for the same amount of compensation to be paid to you,...... they are the ones that pass the info on and in some cases sell it on make more money out of your data.

sparkie

sparkie

[banker_rhymes_with]

Hello Sparkie1723!

Fully agree.

The Debt Reference Agencies are way out of control now, and have adopted a rather odious self-serving-self-licking-lollipop status.

I had a quick scan through an old Copy of an Equifhart Report, and it made my blood boil. Lots of stupid little comments on my otherwise perfect History "advising" how it could be made better.

I'm not on the Electoral Register, it helpfully told me that Creditors don't like that, perhaps I should do something about that...

As it happens, I am on it, I've just elected not to have that made public, so money-lenders and their mates can't poke about in my details more than they need to...not that they need to.

It was also advising me that Creditors don't like this, and don't like that, and don't like the other either.

In effect, it was saying that I need to have a Mortgage, I need to have a nice splattering of Loans, a few HP Debt Accounts, a Sofa or two on HP, maybe a Car on HP, perhaps a Kitchen Loan too, maybe a little batch of Debt Cards, all paid on time, not too many Applications for more Debt, but enough to make it look good...

IOW, they were suggesting I should be suitably shafted and saddled with a nice spread of Debt, as then I would have no problem getting, wait for it...more Debt!

Debt is a nice fluffy thing.

Debt, you know it's good for you.

Debt, you know you want it.

Debt, you know it makes sense.

I think the DRAs need to be forced to issue nothing but plain Text Reports, no Sales jibberish, and they should be Regulated so hard they have to live in fear of massive fines for even the slightest mistake. Any duff Data must be pulled if it there is reasonable notification by the Data Subject.

Access to their Records should be properly logged, with no secret banking back doors, and every single access should be shown on your Debt History...every single one, with a link to show who, exactly, was poking around in there. Police/HMRC access can be hidden, but accountable.

Oh yes, that reminds me, and DRAs should NOT own Debt Collection Agencies and Vice Versa.

This would satisfy the need to avoid fraud and help with Debt Applications, and would remove the particularly distastful way our Data is currently used by a great big back-slapping club of self-serving bankers.

Cheers,
BRW

P.S. Come the Revolution, they should all be shot first, and then the Estate Agents!

[lookinforinfo]

Sparkie I think they can claim a legitimate interest here for example
The first is the establishment of the legitimacy of the interests pursued by the data controller or the third party to whom the data are to be disclosed

if the CRA is passing on information to a prospective lender this would surely fulfil the above criteria since the information would inform the lender whether their loan had a good chance of being paid or not.

and the second is whether the processing is unwarranted in any particular
case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject whose interests override those of the data controller .

if someone who has a good track record is looking for a mortgage say, he would probably not consider it prejudicial to have his date passed on to a mortgage company since it may well mean that he would get a preferential
rate of interest as a result. And while someone with a poor track record would either get a poorer rate on no mortgage at all, may feel that the data is prejudicial to his legitimate interests, a Court may well take the view that the data may have prevented the potential borrower from becoming overextended and thus while not appreciated by the borrower was in his best
interest for the data to be processed. In addition, it would surely mean that
conmen could go around every lender borrowing money ad infinitum were their
data not to be passed among potential lenders, which is what I presume you are looking for.[For data not to be processed by CRAs, I meant, not that conmen could go round cheating all the financial institutions].

I know where you are coming from in terms of them being jointly responsible for defamatory data on their files in the same way as a newspaper would be equally guilty were it to publish a libellous article which it had copied form another newspaper.

In practice I am not so sure that that is what would happen with a CRA judging by comments I have read both by the Information Commissioners Office and a Judge. For some
reason they think they are indemnified or something against prosecution since they demand that their clients assure them that the data they are passing on does have the permission of the borrower.

Interestingly, the Information Commissioners Office take the view, somewhat bizarrely, that the definition of
"permission" as defined by the EEC is that it is something that is freely granted, and the Information Commissioners Office concludes that as you have to sign the contract in order to get the loan, your permission was not given freely and therefore
your permission was not given. It appears to me quite a cataclysmic reading of the situation which puts the CRAs as well as all the lenders in a very weak position. I guess it may depend on how a Judge reads it.

[davethorp]

Subbing as I was starting to take on the CRAs back end of last year/early this year though my tack was about the processing of data that could be damaging without verifying the authenticity beyond mere heresay of third parties.

Unfortunately my campaign against them had to be placed on the back burner but I'll be keeping my eye on this thread