INFORMATION COMMISSIONERS RULING ON CREDIT AGREEMENTS - DATA SHARING NOV 6 2006
6 November 2006
Credit agreements - Data sharing
A number of individuals have claimed that information relating to accounts they haveheld with credit providers should no longer be held by credit reference agencies. Thecomplaints maintain that the agencies only have permission to hold accountinformation for the duration of a credit agreement and that once the agreement endsso does the consent to process information about it. This note sets out the Information Commissioner’s view on the matter.
The complainants’ argument is based on the assumption that the credit reference agencies need consent to process account information. This is not the case.
The first data protection principle requires that as well as processing information fairly and lawfully, organisations must satisfy one of the conditions in Schedule 2 of the Data Protection Act 1998.
It is our view that the condition for processing below covers the sharing of account data with the credit reference agencies for the duration of a contract and six years beyond.
“The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject.”
We take a wide view of the legitimate interests and we consider that it is in the interests of other creditors to make informed lending decisions. It is important to note here that the fact that the processing may be seen by some to prejudice a particular individual (for example, someone with an adverse entry on his credit reference file may not be able to obtain credit facilities) does not necessarily render the whole processing operation prejudicial to all individuals.
The fifth data protection principle requires that information processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
The Act does not prescribe the period for which information is retained by credit reference agencies. However we understand that the Crowther Report on Consumer Credit 1971 expressed support for the view that a statutory time limit should be considered and suggested a period of six years should be adopted. At the time this was already the practice common to some of the major credit reference agencies.
The Younger Committee on Privacy considered that as the prevailing practices of the agencies were coordinated, there was no immediate necessity for statutory recommendations to be made but prepared the ground for the Data Protection Act 1984 by recommending that periods should be specified beyond which the information should not be retained.
Account information is held by the credit reference agencies for a period of six years after the account was last active. It appears to be the case that in addition to current credit commitments the preceding six years of an individual’s credit history is taken into account by credit grantors when applications for credit facilities are assessed. As a consequence this historical information would appear to be relevant to the purpose
of credit referencing and by holding this information the agencies would not appear to be in breach of the fifth principle.
LINK
http://www.ico.gov.uk/upload/documen...%20sharing.pdf
Information Commissioners Ruling On Credit Agreements - Data Sharing Nov 6 2006 
