BoSBoy V Orange - Help Please

[BoSBoY]

I default on my account many years ago due to my ex partner running up a hugh bill on my second line. Anyway i send them this letter trying to get the default removed..

 

The Company Secretary

Orange PCS LTD Credit Referrals

Top Floor

Global House

Senhouse Road

Darlington

DL1 4BY

 

3rd September 2008

 

 

Dear Sir,

 

Re: Formal notice to desist from processing or disclosing personal subject data

 

I have recently conducted an audit of my personal credit reports supplied by Experian, Equifax and CallCredit.

 

It is noted that there exists, an entry referenced as “Orange (I) / REMOVED” indicating a former mobile contract (now closed).

This is recorded as “In Default” albeit showing a settlement date of 12/04/2005.

 

I am contesting that Orange continued processing of my data is an unwarranted act and I enclose a Statutory Notice to that effect, which is deemed served as of the date noted on the Royal Mail's Recorded Delivery service audit.

 

My permission allowing you to continue processing, or disclosing, my personal subject data was revoked upon termination of that original contract and I hereby reiterate that revocation. I also do not recall receiving any such Notice of Default being served on me, as required by the conditions of the Consumer Credit Act 1974. Unless you can provide a true copy of the said Notice, then I consider that any default entry on my credit files to be wholly unwarranted.

 

However, if you can supply the copy, then I also contest Orange’s continued processing on the following grounds.

 

As you are aware, I am afforded principled rights under the Data Protection Act (Data Protection Act), Schedule 1, Part 1 ("The Principles") in relation to the manner in which my data is collated, stored and processed. Of particular note, are Principles 3, 4 and 5:

 

“3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

 

4. Personal data shall be accurate and, where necessary, kept up to date.

 

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

 

In my case, Orange is still processing data after the cancellation of the contract, whether or not this is a simple renewal process of the default flag, daily or by other timing factor. As that contract is no longer in situ, then my permission has also ceased from the date of cancellation.

 

This is confirmed in Principle 2 of the Data Protection Act, which states:

 

"2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes."

 

I emphasise the term "specified and lawful purposes" as in ‘those specified within the contract’, and no more. I also emphasise the term "shall not be further processed".

 

I have taken the matter up with the Credit Reference Agencies, and they had claimed that they had a

“legal right” to maintain this type of adverse entry for up to six years. When I challenged them to quote me the exact Statute that includes this so-called “legal right”, they remained remarkably quiet. Only after my continued insistence of disclosure did they eventually concede that, whilst they have no statutory right, it is

“standard industry practice” but they added that they are “allowed to by Law”. After further challenges, they finally admitted that unless this was a County Court issue, their term actually referred to contractual Law, but continued to emphasise that it was “standard industry practice to record default entries for six years.”

 

I respectfully presume that you likewise recognise that “standard industry practice” does not correlate with “legal right”?

 

Further investigation has also led me to conclude that the only six-year data ‘retention rule’, to which they may adhere to, is in relation to information in the public domain, e.g. Bankruptcy Orders/Discharges, IVAs, CCJs, etc. These are kept in the public domain for six years. But, these are sealed orders issued by a judge through the Courts who oversee the ultimate jurisdiction in all matters relating to Law, be it the criminal code or the Common Law. It is not up to Credit Reference Agencies, or lenders, to decide legal issues.

 

In addition, the agencies may also hold information that is deemed ‘in the public interest’ for the avoidance of credit fraud or deliberate repayment avoidance; I refer, of course, to CIFAS and GAIN entries on a credit file. My former account was not subject to any such marker.

 

After scrutiny of all the relevant legislation, including the Consumer Credit Act (As Amended), the various Financial Services Acts and the Data Protection Act, etc., it is clear that there is absolutely no legislation that allows a lender or supplier (e.g. Orange) to collate, process or distribute any other information unless there is express written permission from the data subject.

 

In fact, Section 10 of the Data Protection Act awards the real authority, regarding privacy of data, to the data subject, not the Data Controller. The Act is also very clear as to the rights of the data subject in respect of withdrawing permission to continue data processing and disclosure:

 

10. - (1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons-

 

(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and

 

(b) that damage or distress is or would be unwarranted.

 

However, there are some exclusion provisions for Data Controllers, and Section 10 does continue with various exceptions to subsection (1) above, and these are quoted, in full, below:

 

10. - (2) Subsection (1) does not apply-

 

(a)in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met,

or

(b)in such other cases as may be prescribed by the Secretary of State by order.

 

To paragraph (b), I can only presume that you have not applied to HM Secretary of State for an order allowing you an exclusion, which leaves you with the only remaining possibility of requesting an

exemption under paragraph (a).

 

So, we must turn to the exemptions permitted in paragraph (a) to find where the Data Controller may invoke his perceived exemption to the Data Protection Act, namely, those listed in paragraphs 1 to 4 of Schedule 2. I have reproduced these exemption paragraphs, in full, below:

 

“1. The data subject has given his consent to the processing.

2. The processing is necessary-

(a) for the performance of a contract to which the data subject is a party, or

(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

4. The processing is necessary in order to protect the vital interests of the data subject.”

 

It is my contention that Orange’s supposed right of obtaining an exemption is not contained within any of these paragraphs. I have followed each in turn with my notation to give a clearer explanation, should there be any lack of clarity.

 

1. The data subject has given his consent to the processing.

 

That consent was terminated upon the cessation of the contract and, as stated earlier, I reiterate the revocation herein, and by the attached Statutory Notice.

 

2. The processing is necessary-

(a) for the performance of a contract to which the data subject is a party, or

(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

 

For (a), there is no contract being performed, and for (b), Orange and I are not entering into any form of contract, and certainly not at my request.

 

3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

 

According to the Information Commissioners Office (I.C.O.), exemption 3 includes all other statutory obligations for which the interests of national security and welfare override personal privacy.

 

These obligations allow for the provision of data to Official agencies and organisations, e.g. disclosure to crime prevention agencies (Police, Intelligence Services, etc), official Government agencies (DVLA, DSS, Passport Agency, etc.) and health authorities, etc., and for any other purpose not agreed within a civil contract.

 

We all know that the three major credit reference agencies are not Government bodies, nor official agencies, but for-profit companies, even though they like to think they are official. None of these three agencies are listed in the appropriate Data Protection Act Schedule that names the specific organisations that are permitted any such exemption rights.

 

4. The processing is necessary in order to protect the vital interests of the data subject.”

 

With reference to the I.C.O. again, this is interpreted as anything that affects the data subject as a matter of life and death. This clause is included in the Data Protection Act to permit data, like medical records or contact details, being disclosed in emergency situations. I do not believe that my former account details could be described as anything like a matter of life or death.

 

So, it is clear to see that there is neither statutory provision permitting you to assume continued processing rights of my data at his discretion, nor any exemption. I can then only assume that Orange is relying on the Common Law, and contractual law, as determined by the contract that both parties originally agreed.

 

However, the contract that I originally signed, only gave Orange permission to process data during the term of that contract. I think it is fair to assume that you agree that the contract was terminated some years ago, whether or not a Default Notice was served.

 

The contract neither included any other permission, nor did it imply that your perceived 'rights' to process my data would be ‘in perpetuity’. There was also no clause contained within the contract that stated that Orange had any arbitrary right to continuing processing data for up to six years after the ending of the contract.

 

Also, I cannot recall any clear statement that gave my express permission for Orange to continue disclosing my subject data to third parties after the end of the contract. You are no doubt aware that any non-agreed disclosure of personal data to third parties, without express written permission, is a criminal offence under Section 35, of the Data Protection Act.

 

However, if I am mistaken, and the contract did, indeed, specify unlimited time extensions, then you must provide me with a copy of those signed terms indicating where I have agreed to them. This should be sent to me as one of your enclosures, if you wish to contest the enclosed Statutory Notice. You should be aware that you have, by statute, twenty-one days in which to either comply with my Notice, or give written notice stating your reasons and why you consider the Notice unjustified.

 

In summary, in relation to this former contract, I am formally instructing you, as an authorised member, from this day onwards, to:

1) cease to continue storing, processing or communicating my data;

2) remove all such data from automated process systems, as per the provisions of Part II, Section 12 (1) of the Data Protection Act, namely:

 

(1) An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for

the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct.

 

Of particular note is the Acts own term “his creditworthiness”;

 

3) cease to disclose any data to any third party including, but not restricted to, Equifax plc, Experian Ltd and Callcredit plc; and

 

4) instruct Equifax plc, Experian Ltd and Callcredit plc to remove all data pertaining to your records on me, to the extent that no data entry in relation to Orange will exist on my credit files.

 

Any failure on your part to adhere to these statutory timescales will automatically be interpreted as your non-compliance with the legal procedure. In that case, you will be expected to unconditionally comply with my Statutory Notice or I shall have no alternative but to refer the matter to the Court to seek an Order to that effect. Should it be necessary to refer the matter to the Court, then I shall also apply for Court fees and legal costs against Orange. I shall also reserve the right to seek redress for damages as per the remit of the Data Protection Act.

 

I trust that I have made my position clear, and that Orange will now make a serious effort to understand its legal obligations and effect the changes requested. Should you be in any doubt as to your obligations as a Data Controller, then I would advise that you consult your corporate counsel.

 

 

In any event, I shall expect a written confirmation from you acknowledging the contents of this letter within 5 working days.

 

Yours faithfully,

REMOVED

For security this letter has only been initialled.

 

 

 

 

Anyway here is the reply I got.. and i am not happy..

 

 

so if anyone has any advise please post it. i guess my fight is now over.. or is it..?

 

thanks everyone

[BoSBoY]

well i have decided to play them at there own game.

 

at the very least i will continue to annoy them for a while.

 

here's what i am popping in the post tomorrow.

 

The Company Secretary

Orange

Credit Referrals

Top Floor

Global House

Senhouse Road

Darlington

DL1 4BY

4th November 2008

To Whom It May Concern:

Data Protection Act 1998 Subject Access Request

DATA SUBJECT: Removed

Thanks you for your letter dated the 10th of October 2008, I have in fact decided to take your up your suggestion and seek further legal advice.

Please now supply me with a complete breakdown and copies of all information held with your organisation, this includes every bill ever produced, every letter sent and every note placed on my account.

 

Also provide details for every organisation that you have shared my data with for the period which you hold records and any supporting documentation and notes.

 

If there is specific information which you require in order to satisfy my request, please let me know by return.

Please consider this a request under section 7 of the Data Protection Act 1998. I enclose the statutory fee of £10. You have 40 days in which to comply.

 

Thank you in advance for your assistance with this matter.

 

I would appreciate your due diligence.

 

Yours faithfully,

Removed

 

For security this letter has only been initialled.

[SharpmanTF1]

go get em BoSBoy

[BoSBoY]

thanks for the support sharpman, i am hoping i can find something to get them with, as so far.. i have, despite my best attempts, hit a brick wall.

[buzby]

For security, they may decline your request. Without a signature to prove its you they would be entitled to refuse. You didn't pay their £10 fee by cheque, by any chance?

[BoSBoY]

yeah i did send them a chq, why?

[buzby]

Why not sign the letter then? (Especially since it would be the same as the one on the cheque).

[BoSBoY]

never thought of that, the first letter i sent i didn't sign so.. just following the same trend

[johnukccj]

any update here BosBoy?