challenging the CRA's-have we all missed something?

[vint1954]

I think these two sections cover their arses

 

Part II Rights of data subjects and others

 

Right to prevent processing likely to cause damage or distress

(1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons—

(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and

(b) that damage or distress is or would be unwarranted.

(2) Subsection (1) does not apply

in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met, or

(b) in such other cases as may be prescribed by the Secretary of State by order.

 

 

SCHEDULE 2Conditions relevant for purposes of the first principle: processing of any personal data

1 The data subject has given his consent to the processing. This is what they rely on, when you apply for credit you sign to say that they can process your request

2 The processing is necessary—

(a) for the performance of a contract to which the data subject is a party, or

(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

3 The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

4 The processing is necessary in order to protect the vital interests of the data subject.

But when you sign an application form, is it not pre contract and only applicable to the OC making enquiries.

 

Full agreement to process your data, should be post contract.

[vint1954]

Maybe request your MP to raise the question with the Minister concerned?

[vint1954]

I really think this "enforced consent" thing needs to be looked at

What do you think is the best way forward. I am in full agreement.

[vint1954]

I have checked a few websites. They all seem to try and justify the holding of data. I believe that:

 

1. You have to give permission for your data to be used. CRA's rely on the fact that you have given permission when signing an application. I am not sure that this would hold water if tested, due to the pre and post contract document issue. We all seem to have forgotten, that the CCA 1974 requires the OC to send us a signed contract. They never do.

 

The application form can be seen perhaps as a Tender is. You are invited to tender or participate. Not until both sides have signed, does it become a binding contract. I have been in work situations, where main contractors will not pay for work done, until the contract is signed, even though all work is completed.

 

2. So no signed contract, no agreement, no payment, no supply of services unless they are daft enough, NO SIGNED PERMISSION WITHIN CONTRACT TO PROCESS DATA.

 

Surely this would mean that the OC must remove adverse data, when no signature is present and CRA's are neglegent for just beleiving the OC when they they have signed permission. It must be down to the CRA to check their possition before handling data. After all, that is their stock in trade. The OC cannot indemnify them.

[vint1954]

the person in question phoned the ICO,and this was the report of the response they got

 

 

 

we need to get that in writing!!

 

Excelent point

[vint1954]

In reality, the CRAs ask the information provider "is the information is correct"?, they say "yes" , despite what dispute you have, and the CRAs then continue to display that data!

That may be so, but do they have the right to do that. As earlier, it is for the CRA to check that the data and situation is accurate. They cannot claim indemnity through the OC, no more than you or I could.

 

I think that they have become complacent and have been unchallenged up to now.

[vint1954]

In reality, the CRAs ask the information provider "is the information is correct"?, they say "yes" , despite what dispute you have, and the CRAs then continue to display that data!

Pinky69 is challenging this at the moment.

[vint1954]

 

With regard to unenforceable agreements, these are unenforceable, they do not cease to exist. this means that the cras can record the fact that a transaction existed and that you received money from xyz ltd. the fact that it can't be legally recovered against you does not mean that the transaction (be it gift or otherwise) does not exist. A cra's files contain lots of information about your financial situation, and does not just record bad information, as my example above demonstrates.

 

But it is a different matter if the agreement does not exist.

 

I still think that we need to find out more regarding pre and post contract situation. Those so called agreements that exist for credit cards, are usually only pre contract.

[vint1954]

Man, this is interesting.

 

I am particularly fascinated with the whole 6 year thing V DCA putting on fresh default notices.

 

I checked my credit file 2 weeks ago, shortly after finding this wonderful site. Of my (alleged) outstanding accounts, that all defaulted in 2003/early 2004, 1 DCA has put a fresh default notice on my file.

Appears on my credit file as - Defaulted On: 02/06/2006

 

I particularly think this is unfair.

I understood it to be one default per debt?

 

Should hopefully be 3 years when we come in line with europe.

 

Anything in the europe angle???????????????? ( European Law )

[vint1954]

mmmmmmm.

 

http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/default_tgn_version_v3%20%20doc.pdf

 

Sections 32, 41-44, 52-54

[vint1954]

looking around the web,it appears people have very little faith in the ICO's willingness to face down the CRA's

 

it looks like legal action may be the only option

 

I fear so. They are toothless at the end of the day, thanking the credit industry for their input?

[vint1954]

Tiz a quandary, no messing. Although this would only apply to completely absent agreements, not those that are knocking around but simply unenforceable due to prescribed terms missing or similar.

 

takes me back to my earlier point - an opt out would be easier, although I think that would run the risk of creative a societal divide which might be a bad thing™. Still, it would be the individual's choice.

And, also if the agreement that they rely on is just an application. This is usually the case and the point I think we need to break down. Pre and post contract documents.

 

If it can be proved that the application form is just that, then you are only signing for the potential creditor to check out your credit history, not permission to report going forward. This would be in the contract or agreement signed by both parties.

 

The CCA 1974 does state that an agreement must be signed by both parties. Even if one side signs a contract, if the other does not, there is no formal contract.

[vint1954]

Conclusions

When balancing the conflicting interest of lenders with the rights conferred by the data protection legislation, it could be reasonably argued that the right of informational self-determination of individuals in the modern society cannot necessarily be sacrificed for the interest of lenders of minimising risk in the name of better business. Obviously, the protection of creditors’ rights is important. But the legal tools to achieve this are already in place in the positive law. If a debtor fails to comply with his/her contractual obligations, the law recognises the rights of creditors to recover the debt and it offers the tools to satisfy the creditor’s rights.

 

Again this boils down to contracts. No contract, then they have no rights. No signature, no action should be taken.

It is important to stress, however, that credit scoring is about the minimisation of business risk and increased profitability, not the rights of creditors. At the least, it can be considered as an instrument for the economic welfare of society as a whole, but this circumstance is not supported by evidence of a link of cause and effect and, in addition, it lacks empiricism.

 

The law could punish or forgive a failing debtor, but credit scoring is about predicting failure beforehand. It does not satisfy any right of the creditor. It is a risk-management tool for the profitability of lenders, it is not a right. In fact, there is no legal right to maximise profits, especially if obtained with the sacrifice of other parties’ rights. Credit reporting is an activity which is carried out before a person enters any obligation in the creditor-debtor relationship. Only when a contractual relationship has been established then the creditor has rights, which however are not satisfied by the sharing of the debtor’s data.

Is this an Unfair relationship under The Consumer Credit Act 2006

 

It is against this background that one needs to analyse the legal framework of consumer credit scoring in the EC. Likewise, it is against the same background that an interpreter should read existing data protection legislation and ask how do the processing, sharing, and manipulation of a multitude of credit reference data empowered by highly sophisticated technologies comply with it. In so doing, he/she should bear in mind the design, functioning, and uses of modern consumer credit scoring systems, described earlier in this work: systems where data from different sources are easily and quickly aggregated, new data automatically created and disclosed to a potentially unlimited number of third parties for a growing number of expanding purposes, and decisions affecting the lives of people are taken by means of their profiling and differentiation as well as the conferment of reputations.

 

 

Again possibly an Unfair relationship under The Consumer Credit Act 2006

 

For consumer credit scoring systems to be legally used, in fact, they must be subject to the prevailing protection offered to individuals set out in the law. The existence of reputation is certainly an inevitable phenomenon that affects every individual living in a community (‘no man is an island’, as Sartor, 2006, writes quoting poet John Donne) but ever developing sophisticated information technologies exacerbate and push to the extreme the negative consequences that it entails, i.e., the creation of blacklists and dissemination of so-formed ‘achieved reputations’.

 

By contrast, the origins of, and reasons for, European data protection legislation denote the importance of the need for individual self-determination over one’s personal data and the dangers that would derive from its absence or violation. Informational privacy is a right and represents a safeguard of social relationships for every individual living in a community. It is about liberty, dignity, and intimacy (just to mention few) and contributes to protect the values of the democratic order, at least as it is perceived according to the European welfare state model. Despite all the criticisms and problems of implementation associated with Directive 95/46/EC, respect for the rule of law requires compliance with the basic principles that it sets out. Thus, consumers should be given the clear choice and freedom to accept or not whether their personal data could be used for credit scoring and its purposes without penalising them in case of refusal. Beforehand, they should be clearly and intelligibly informed as to such a freedom and lack of negative consequences on their application, be it present or the future ones, or the cost of credit. In this respect, the terms and conditions that consumers sign when applying for credit should be scrutinised more closely and non-compliance with the law punished firmly. Perhaps, therefore, the EU may find out that, although it has already caught the original strain of the virus, it already possesses in its existing law the vaccine to cure it and prevent a pandemic effect: all it has to do is making sense of its data protection legislation.

 

The tecnology and volume of data has moved on dramatically since 1974\1983 and has changed out of all recognition. Maybe this is where EU DP can come in.

 

 

There is no doubt that CRA's exist to facilitate the creation of a blacklist or blacklisting, it may be argued that it is their main reason for existing. If they were not being used for this purpose, then they need not exist. Banks would just accept everyone was a good risk. They used to be able to make a decision before electronic databases.

 

We do need some input from a legal brain. Not sure if there are any site team members that could help.

 

All the same, great thread to get areas for discussion out, Contracts, DPA, EU regulations and unfair relationships.

[vint1954]

Just another possible point, once they default then terminate, the contract is at an end!

 

Can they still report, given that creditors put so much store in " you contracted your consent"

[vint1954]

I wish some of the site team with a legal bent would give an opinion or two

Would be good. Have they been invited?

[vint1954]

....This is seriously interesting.!....Thanks all for your input .

 

Werner M.

 

(Hello Guest)

Hello 2 Guests

[vint1954]

maybe you could give them a call-I don't like to seem pompous,starting the thread and all

Done

[vint1954]

For discussion.

 

Posted by Surleybonds 2006

 

Basic things to remember about this whole process:

 

a) Remember that the three Credit Reference Agencies (CRAs), Experian, Equifax and CallCredit were not constituted by an Act of Parliament. They hold no official Govt. power even though they like to think they do.

 

b) The CRAs are corporations who simply have the technology to store vast amounts of data and have been doing so for years.

 

c) The banks and lenders supply them with information about your accounts not because they are legally allowed to, but simply because YOU agreed to it via your contract.

 

d) CRAs are allowed to hold any data about you that is deemed in the public interest or in the public domain. Things like Bankruptcy Orders and Discharges, CCJs, IVAs, etc. are public information, and you cannot stop CRAs holding this information. You can ask them to mark them as settled, but they do have legal right to hold JUST these on their records because there are actual Laws that allow them to do so, and judges have signed the Orders in all these types of cases. However, agreement 'defaults' do NOT come under those Laws, unless they have been progressed to a CCJ, etc.

 

e) Civil contract details cannot be stored unless you agree in writing. The Data Protection Act states clearly that your account information is personal data and only you have the right to determine who may collate, process and disclose it.

 

f) When CRAs reply with “it’s our legal right” they are talking nonsense. The legal to which they refer is simply the ‘lawful right’ because you gave permission. That permission can be withdrawn at any time according to your rights under the Data Protection Act.

You can see more about this in the copy of the Experian letter also here in the sticky section, where thay actually admit that they have no legal authority and that there is no six year 'rule'.

 

g) You are also allowed to tell any Data Controller (a company that processes or stores your data) to cease to process your data in any fully-automated process. The Data Protection Act states quite clearly that this includes processes that e.g. “affect your creditworthiness”. The actual clause is in the template letter.

 

h) If you decide to opt-out of auto-processing, then you may opt back in again later.

 

i) To ask a Data Controller to do anything you want them to do, including requesting bank statements, you send what is called a Data Subject Notice – you are known in the Act as the Data Subject – i.e. the person to whom the data refers.

 

j) Data is anything on computer disk, paper, etc., that can identify you as a individual person. “all 34-year-old architects” is not personal data, but “Mr A N Other, a 34-year-old architect from 16 Acacia Avenue, Anytown, AnyPostalCode” is personal data as it can identify a particular person.”

 

k) Your contract and all transactions relating to the running and administration of your account is deemed your personal data, as these may be subsets referenced by an account number that, in turn, can be linked to you.

 

l) All Data Controllers have a duty to protect your data, and must hold a Data Protection Act licence (issued by the Information Commissioners Office) to hold and process data. However, this licence does not allow them to disclose data without your express written permission – it is a criminal offence to do otherwise, except for reasons of national security, taxation, health, etc.

 

There is loads more on the Data Protection Act specifics and I might edit and add to this post as time goes by. The above is to give you the basics and the understanding of how to use this in the method below.

 

The Default removal method.

 

My contention is simple…

1) Data Controllers (e.g. the banks, CRAs) have no legal right to collate, store, process or disclose your data without your permission, except data clearly in the public domain.

 

2) But, you give that right to them when you sign your contract – most paperwork includes clauses such as “You allow us to disclose details about the conduct of your account to CRAs, etc….”.

 

3) That contract becomes Law under contractual LAW…however it is still under the ultimate authority of English Law. Any disputes have to be negotiated or referred to Court for a decision.

 

4) Once the contracts ends, nearly all the clauses also end. The lender does have some rights to prove monies owed and then pursue them lawfully, but my argument is essentially that other clauses all end, and the lender cannot arbitrarily choose to assume that the disclosure of Data clauses can carry on. This is a proposed change of contract that they are trying to impose and is therefore unfair and unenforcable under the UTCC Regs.

 

5) If they then continue to disclose data about you to a CRA, they are doing so without your permission, as your permission expired in the termination of the contract.

 

6) You can then serve them with a Statutory Data Subject Notice asking them to desist from doing so.

 

7) The Data Controller then has 21 days in which to conform to your request, or write to you giving lawful reasons as to why your request should be exempted. To do so, he would have to prove a legal Statute, a Common Law case, etc… but none exist. So, they simply turn around (especially the CRAs) and say that they have a “legal right”. They don’t…they are simply stating that they believe that they have a ‘lawful right’ under the contract Law that you agreed when you signed the contract.

They also use other nonsense expressions such as “under credit law”, “six-year permissions”, etc… There is no credit law permission, and the Data Protection Act over-rules contractual Law when it comes to your rights.

The six-year ‘rule’ that they so liberally quote, is them simply getting confused with County Court orders… such as bankruptcy, CCJs, that only a judge can sign.

NOTE: Banks and CRAs cannot sign Court orders.

 

8 ) If the Data Controller fails to show reasonable cause to try and exempt your Notice, then you may go straight to the Information Commissioners Office and ask them to enforce your Notice. You will need to put all the correspondence together with a covering letter.

 

9) You may apply for compensation, only if the incorrect data has caused you financial loss, or other significant inconvenience whilst the incorrect data was used in a process that affected you.

 

10) You can also go straight to the Court and issue a Court Claim to ask a judge to enforce your Notice. You will have to pay a fee, but you can claim this back from the Data Controller if you win. You can also apply for compensation on your Claim – again reasonable costs, damages, etc.

 

11) Damages claims have to be very clear that they caused inconvenience and hardship or distress, so use sparingly. At the end of the day, your primary mission is to remove what you consider is adverse data, not start going off on one for compensation, so stick to your basics first.

 

 

Finally, a few simple rules, that will help your case appear more professional:

1) Check your spelling and grammar – it is shocking to see some very basic mistakes, and it doesn’t give a very good impression if you make basic errors like your and you’re, there and their, etc.

 

2) Send ALL letters (without exception) via Recorded or Special Delivery, and keep a copy, and keep the Post Office receipts and stamped labels. They CANNOT argue if you can prove they got the letter. If you fax anything, keep the send confirmation sheet (sometimes called the transmission journal) – press the button the machine to print one.

 

3) If you phone anyone to discuss the case, use a program like SkyLook (available on this website) to record your calls. Note that it is NOT illegal to record your own telephone conversations – even though the uneducated Muppets in call centres try telling you otherwise. After all, they often record your conversations!

 

The best of British luck, and let’s see if some more wins start coming through – I am working on other aspects of the Data Protection Act and will keep you informed as to how they progress. And remember, that most of this really gets down to who blinks first... they know they don't have a prayer, which is why they are coming up with grasping-straws excuses. Be prepared to take it to Court, or at least the Information Commissioners Office...who knows, we could even end up with a case law in our favour if it went to the right Court.

 

So, to the letter itself…

 

The following was an amalgamation of several previous letters that I had sent for my own cases. This version was written for a friend who is having hell with a bank that adamantly refused to remove a default, and the CRAs involved had written back with many stupid replies that didn’t mean anything, or answer the issue.

 

Within 72 hours of it being received at their Head Office, we received a letter saying that they were happy to remove the default from the credit files, although denied any liability for distress, or breach of duty in relation to the Data Protection Act.

 

 

The Company Secretary

GrabItAll Bank plc

Large Ugly Building with nice view of Thames

Somewhere in London

Postcode

[must go to their company registered address!]

 

[Date]

 

 

Dear Sir,

 

Re: Formal notice to desist from processing or disclosing personal subject data

 

I have recently conducted an audit of my personal credit reports supplied by Experian, Equifax and CallCredit.

 

It is noted that there exists, within all three files, an entry referenced as “xxxxxxxxxxxxxx plc” indicating a former xxxxxxxx Loan (now closed) of £x. This is recorded as “In Default” albeit showing a settlement date of dd/mm/ccyy.

 

I am contesting that xs’ continued processing of my data is an unwarranted act and I enclose a Statutory Notice to that effect, which is deemed served as of the date noted on the Royal Mail's Recorded Delivery service audit.

 

My written permission allowing x to continue processing, or disclosing, my personal subject data was revoked upon termination of that original contract and I hereby reiterate that revocation. I also do not recall receiving any such Notice of Default being served on me, as required by the conditions of the Consumer Credit Act 1974. Unless the Bank can provide a true copy of the said Notice, then I consider that any default entry on my credit files to be wholly unwarranted.

 

However, if you can supply the copy, then I also contest xs’ continued processing on the following grounds.

 

As you are aware, I am afforded principled rights under the Data Protection Act (Data Protection Act), Schedule 1, Part 1 ("The Principles") in relation to the manner in which my data is collated, stored and processed. Of particular note, are Principles 3, 4 and 5:

 

“3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

 

4. Personal data shall be accurate and, where necessary, kept up to date.

 

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

 

In my case, x is still processing data after the cancellation of the contract, whether or not this is a simple renewal process of the default flag, daily or by other timing factor. As that contract is no longer in situ, then my written permission has also ceased from the date of cancellation.

 

This is confirmed in Principle 2 of the Data Protection Act, which states:

"2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes."

 

I emphasise the term "specified and lawful purposes" as in ‘those specified within the contract’, and no more. I also emphasise the term "shall not be further processed".

 

I have taken the matter up with the Credit Reference Agencies, and they had claimed that they had a

“legal right” to maintain this type of adverse entry for up to six years. When I challenged them to quote me the exact Statute that includes this so-called “legal right”, they remained remarkably quiet. Only after my continued insistence of disclosure did they eventually concede that, whilst they have no statutory right, it is

“standard industry practice” but they added that they are “allowed to by Law”. After further challenges, they finally admitted that unless this was a County Court issue, their term actually referred to contractual Law, but continued to emphasise that it was “standard industry practice to record default entries for six years.”

 

As a highly-educated company secretary for a major PLC, may I respectfully presume that you likewise recognise that “standard industry practice” does not correlate with “legal right”?

 

Further investigation has also led me to conclude that the only six-year data ‘retention rule’, to which they may adhere to, is in relation to information in the public domain, e.g. Bankruptcy Orders/Discharges, IVAs, CCJs, etc. These are kept in the public domain for six years. But, these are sealed orders issued by a judge through the Courts who oversee the ultimate jurisdiction in all matters relating to Law, be it the criminal code or the Common Law. It is not up to Credit Reference Agencies, or lenders, to decide legal issues.

 

In addition, the agencies may also hold information that is deemed ‘in the public interest’ for the avoidance of credit fraud or deliberate repayment avoidance; I refer, of course, to CIFAS and GAIN entries on a credit file. My former account was not subject to any such marker, nor is my former civil contract with x a public matter.

 

After scrutiny of all the relevant legislation, including the Consumer Credit Act (As Amended), the various Financial Services Acts and the Data Protection Act, etc., it is clear that there is absolutely no legislation that allows a lender or supplier (e.g. x) to collate, process or distribute any other information unless there is express written permission from the data subject.

 

In fact, Section 10 of the Data Protection Act awards the real authority, regarding privacy of data, to the data subject, not the Data Controller. The Act is also very clear as to the rights of the data subject in respect of withdrawing permission to continue data processing and disclosure:

 

10. - (1) Subject to subsection (2), an individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing, or processing for a specified purpose or in a specified manner, any personal data in respect of which he is the data subject, on the ground that, for specified reasons-

 

(a) the processing of those data or their processing for that purpose or in that manner is causing or is likely to cause substantial damage or substantial distress to him or to another, and

 

(b) that damage or distress is or would be unwarranted.

 

However, there are some exclusion provisions for Data Controllers, and Section 10 does continue with various exceptions to subsection (1) above, and these are quoted, in full, below:

 

10. - (2) Subsection (1) does not apply-

 

(a)in a case where any of the conditions in paragraphs 1 to 4 of Schedule 2 is met,

or

(b)in such other cases as may be prescribed by the Secretary of State by order.

 

To paragraph (b), I can only presume that x has not applied to HM Secretary of State for an order allowing you an exclusion, which leaves x with the only remaining possibility of requesting an exemption under paragraph (a).

 

So, we must turn to the exemptions permitted in paragraph (a) to find where xs’ Data Controller may invoke his perceived exemption to the Data Protection Act, namely, those listed in paragraphs 1 to 4 of Schedule 2. I have reproduced these exemption paragraphs, in full, below:

 

“1. The data subject has given his consent to the processing.

2. The processing is necessary-

(a) for the performance of a contract to which the data subject is a party, or

(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

4. The processing is necessary in order to protect the vital interests of the data subject.”

 

It is my contention that xs’ supposed right of obtaining an exemption is not contained within any of these paragraphs. I have followed each in turn with my notation to give a clearer explanation, should there be any lack of clarity.

 

1. The data subject has given his consent to the processing.

 

That consent was terminated upon the cessation of the contract and, as stated earlier, I reiterate the revocation herein, and by the attached Statutory Notice.

 

2. The processing is necessary-

(a) for the performance of a contract to which the data subject is a party, or

(b) for the taking of steps at the request of the data subject with a view to entering into a contract.

 

For (a), there is no contract being performed, and for (b), x and I are not entering into any form of contract, and certainly not at my request.

 

3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

 

According to the Information Commissioners Office (I.C.O.), exemption 3 includes all other statutory obligations for which the interests of national security and welfare override personal privacy.

 

These obligations allow for the provision of data to Official agencies and organisations, e.g. disclosure to crime prevention agencies (Police, Intelligence Services, etc), official Government agencies (DVLA, DSS, Passport Agency, etc.) and health authorities, etc., and for any other purpose not agreed within a civil contract.

 

We all know that the three major credit reference agencies are not Government bodies, nor official agencies, but for-profit companies, even though they like to think they are official. None of these three agencies are listed in the appropriate Data Protection Act Schedule that names the specific organisations that are permitted any such exemption rights.

 

4. The processing is necessary in order to protect the vital interests of the data subject.”

 

With reference to the I.C.O. again, this is interpreted as anything that affects the data subject as a matter of life and death. This clause is included in the Data Protection Act to permit data, like medical records or contact details, being disclosed in emergency situations. I do not believe that my former account details could be described as anything like a matter of life or death.

 

So, it is clear to see that there is neither statutory provision permitting xs’ Data Controller to assume continued processing rights of my data at his discretion, nor any exemption. I can then only assume that x is relying on the Common Law, and contractual law, as determined by the contract that both parties originally agreed.

 

However, the contract that I originally signed with the bank, only gave x permission to process data during the term of that contract. I think it is fair to assume that you agree that the contract was terminated some years ago, whether or not a Default Notice was served.

 

The contract neither included any other permission, nor did it imply that your perceived 'rights' to process my data would be ‘in perpetuity’. There was also no clause contained within the contract that stated that x had any arbitrary right to continuing processing data for up to six years after the ending of the contract.

 

Also, I cannot recall any clear statement that gave my express permission for x to continue disclosing my subject data to third parties after the end of the contract. You are no doubt aware that any non-agreed disclosure of personal data to third parties, without express written permission, is a criminal offence under Section 35, of the Data Protection Act.

 

However, if I am mistaken, and the contract did, indeed, specify unlimited time extensions, then you must provide me with a copy of those signed terms indicating where I have agreed to them. This should be sent to me as one of your enclosures, if you wish to contest the enclosed Statutory Notice. You should be aware that you have, by statute, twenty-one days in which to either comply with my Notice, or give written notice stating your reasons and why you consider the Notice unjustified.

 

In summary, in relation to this former loan contract, I am formally instructing you, as an authorised officer of the Bank, from this day onwards, to:

1) cease to continue storing, processing or communicating my data;

2) remove all such data from automated process systems, as per the provisions of Part II, Section 12 (1) of the Data Protection Act, namely:

(1) An individual is entitled at any time, by notice in writing to any data controller, to require the data controller to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data in respect of which that individual is the data subject for

the purpose of evaluating matters relating to him such as, for example, his performance at work, his creditworthiness, his reliability or his conduct.

 

Of particular note is the Acts own term “his creditworthiness”;

 

3) cease to disclose any data to any third party including, but not restricted to, Equifax plc, Experian Ltd and Callcredit plc; and

 

4) instruct Equifax plc, Experian Ltd and Callcredit plc to remove all data pertaining to your records on me, to the extent that no data entry in relation to x Bank plc will exist on my credit files.

 

Any failure on your part to adhere to these statutory timescales will automatically be interpreted as your non-compliance with the legal procedure. In that case, you will be expected to unconditionally comply with my Statutory Notice or I shall have no alternative but to refer the matter to the Court to seek an Order to that effect. Should it be necessary to refer the matter to the Court, then I shall also apply for Court fees and legal costs against the Bank. I shall also reserve the right to seek redress for damages as per the remit of the Data Protection Act.

 

 

I trust that I have made my position clear, and that x will now make a serious effort to understand its legal obligations and effect the changes requested. Should you be in any doubt as to the Banks obligations as a Data Controller, then I would advise that you consult your corporate counsel.

 

 

In any event, I shall expect a written confirmation from you acknowledging the contents of this letter within 5 working days, as per the requirements of section 15.3 of the Banking Code.

 

Yours faithfully,

 

 

 

 

 

 

 

 

 

 

 

 

Statutory Notice pursuant to Sections 10 and 12

 

 

 

of The Data Protection Act 1998.

 

 

Data Subject Notice

 

 

 

 

To: The Data Controller

GrabItAll Bank plc

Large Ugly Building

Somewhere in London SomePostalCode

[replace with registered company address]

 

 

Data Subject: [your title and full name]

 

 

Address: [your full postal address inc. postcode]

 

Whereas I have been a customer of x Bank plc and whereas I consented in my contract with you to the disclosure by you of certain data to third parties, at no time did I consent and neither was it within the contemplation of the parties to the contract that I did consent to the processing by you of that data in any manner which would be unfair or inaccurate or which in any way would breach The Data Protection Act 1998.

 

Therefore, take notice that I require that you cease from processing within twenty one days of the receipt by you of this Notice, or else that you do not begin to process any personal data of which I am the subject insofar as that processing involves the communication or passing of personal data of which I am the subject to any third party and insofar as the said data relates wholly or in part to the implementation by you of alleged defaults or contractual breaches or breaches contrary to The Common Law.

 

This Notice is given on the grounds that the processing or continued processing by you of the said data will be likely to affect my credit rating and my reputation and cause substantial damage and/or substantial distress to me and my family members in addition to that which has been caused to date. And that as the processing of the said data in the way referred to in this Notice would violate both the Principles and Data Subject’s rights of The Data Protection Act 1998, to do so would be both unwarranted and unlawful.

 

Signed

 

 

 

[sign it in pen]

 

 

[put your title, initials and surname]

 

Dated this [something -th] day of [month], in the year two thousand and [year].

 

Please note I am not a lawyer and this is given infomally and without prejudice.I am unable to answer individual questions by PM.

[vint1954]

Another possible letter,

 

Dear Sir,

 

I refer to your recent letter, dated XX/XX/XXXX, reference number XXXXX.

 

You have stated that you cannot provide a true certified copy of the default notice that you are required by law to issue (Section 87 of the Consumer Credit Act 1974, with content as dictated in the form of Section 8:cool:.

 

Accordingly, I require you to immediately contact all external and internal agencies (including, but not limited to Credit Reference Agencies) that you have processed my default to and arrange for the item to be removed from my credit history.

 

Please note - a simple amendment or note will NOT suffice, I require full removal.

 

I look forward to your reply confirming that you have taken the above action.

 

Should the above not be confirmed by you as actioned within 14 days, I shall seek legal recourse.

 

Yours faithfully,

 

 

Mr X

[vint1954]

Comments from Andrew 1

 

You do not give them rights to process your data 'in perpetuity' ie: forever and a 6yr day. Once the contract is ended it is widely agreed within this thread at least, that the obligation to process your data ends. Someone else will come and confirm that, but it is a long battle against organisations which believe this processing for 6 yrs is in statute. The credit industry invented these rules for themselves. They abide by their own rules and regulations not what the law states. If you look at the agreement you signed and pick the words to pieces you'll see what I mean. You will need to have your wits about you and a sheer cold blooded resolve to get them to stop, but it can and has been done. Good luck.

[vint1954]

Further point on 6 years rule:

 

You should also be aware that the Information Commissioner has notified us that the condition for processing below covers the sharing of account data with the credit reference agencies for the duration of a contract and six years beyond.

 

this section above pasted from experian reply on previous page to mr kirk i think, am i right that the cras say a default means the end of the contract and then they process for six years beyond that date? if so which date applies when a creditor places two defaults over a two year period, which date is the end of the contract date?

Credit Report Click link to open in new window.

[vint1954]

Car2403's thoughts on the above

 

The contract comes to an end at the point of Termination after Default. (If you don't comply with the Default Notice the account can - and usually is - Terminated) This is the point where the terms of the contract can be said to have "come to an end", arguably including the terms allowing processing/sharing of data about the data subject.

 

The Information Commissioners Office's view is an opinion, which, IMHO, is wrong and should be challenged, as there is no legal precedant to support his opinion. The fact this is "industry standard practise" is obviously having an effect on his opinion - an effect which can't be considered in a Courtroom without evidence of its legal effect.

[vint1954]

Useful link:

 

http://www.consumeractiongroup.co.uk/forum/data-protection-default-issues/103974-roll-call-who-has.html

[vint1954]

And Surleybonds WON..................

 

Just like the old Chinese bamboo story... unless you keep going, the end result will never happen...even when you felt like giving up..

 

We got a four page email this afternoon in relation to our calls to Experian yesterday. This was from the Directors' Office who must now be softly shi**ing themselves waiting for the onslaught... I have added my own comments (with the permission of the letter recipient)...

 

I cut some waffle paragraphs out - God, do they still try and wriggle, even when they're stuffed - but I hope you get the salient points and admission of wrongdoing.... by a CRA. Good grief...wonders will never cease.

 

I'll bet he was squirming in his seat having to write this, gnashing his teeth and sticking pins into a Voodoo doll of me. Ouch!

 

Read, digest, enjoy and then go have damn good s*x... because it's almost as good as that... okay maybe I'm totally exaggerrating that last bit!!!!

 

Our Ref: ************

BY E-MAIL AND POST

6 September 2006

 

Dear Mr ************

 

Thank you for your e-mail received 4 September 2006 and your telephone call yesterday. [You're so very welcome...but, have you got the hearing back in your right ear?]

 

I apologise if I caused any offence in my last e-mail and can assure you that this was not my intention. Nor was I attempting to scare or bully you by suggesting you contact the Information Commissioner in the first instance. This is the recommended course of action suggested in the Information Commissioners own literature. Their leaflet 'Taking a Case to Court' also advises that a court will wish to know what steps you have taken to try and settle your claim. [that's right - grovel all you like now I've threatened to send your letter to the I.C.O. and sue your sad ars*s in a Court of Law]

 

I have been informed that the wording on our web-site is being amended to reflect a more accurate portrayal of our rights with regards to your information. [Ahem?... could it have been anymore 'less' accurate???] The suggested wording is as follows:

 

"We have a legal right to hold information about people that is already in the public domain (e.g. CCJs, IVAs, etc). Other information is collected and supplied under cover of the Data Protection Act 1998 Schedule 2.1 which says that the data subject should have given their consent. This will be collected by your lender or supplier when you apply for a product. A section on the application form will typically direct you to a section on the use of your personal data and will state that "by proceeding you are agreeing to your information being used in this way"."

 

I trust that this now meets with your approval. [Yes, maybe I should have even charged publishing fees for my wording! ] As discussed I can also confirm that as far as we are aware there is no specific piece of documentation or legislation that provides us with the right to retain your information for six years from the date an account is settled. [GOOD GOD!!!!!! .... they now FINALLY admit in writing!! halle-blu**y-lujah]

 

It was agreed throughout the credit industry that six years is considered a reasonable amount of time for account data to be retained from the point that an account is settled in accordance with the 5th Data Protection Principle.

 

 

[and this bit is absolutely vital to my whole initial argument:]

 

This information would only be retained with your consent as per the terms and conditions of the particular account you held. [Thank you for agreeing with me ... at last]

 

The generic terms and conditions I referred to in our telephone conversation can be found on the Orange web-site and read as follows:

 

19.3 Your information

Orange or its Group companies will use your information which you provide to us together with other information for administration, marketing, credit scoring, customer services, tracking your Device and web use preferences, and profiling your purchasing preferences. We will disclose your information to our service providers and agents to help us with these purposes. We will keep your information for a reasonable period after your contract with us has finished in case you decide to use our Services again and may contact you about our Services during this time. [Yes, I know what they NOW say - it was my kicking that forced to try a new tactic]

 

I am unable to comment on the specific terms and conditions you signed up to when agreeing your contract with Orange. [so STFU then and stop pretending you know all about what was agreed to] All companies that subscribe to our services are required to comply with our suggested consent wording which can be located on our web-site at the following address:

 

http://www.experian.co.uk/corporate/compliance/fairobtainingclauses/index.html

 

...

 

As requested I am also adding the following Notice of Correction to your credit report until you notify us that it is no longer required:

 

"THE DATA SUBJECT HAS EXERCISED HIS RIGHTS UNDER SECTION 12(1) OF THE DATA PROTECTION ACT 1998 AND HAS CHOSEN TO OPT OUT OF AUTOMATED PROCESSING AS OF 05 SEPT 2006. CREDIT STATUS ENQUIRIES SHOULD BE MADE VIA A MANUAL PROCESS."

 

I would recommend that when applying for credit you notify each lender of your request as we cannot guarantee that a company will follow the instructions outlined above.

 

I have added this statement to the electoral roll information appearing on your report. As this is information you agree we are entitled to hold, it will be available to anyone searching your details regardless of any other entries being removed from your report.

 

If you have any further queries, please feel free to contact me directly either by e-mail at *********@uk.experian.com, by telephone on ********** or by writing to me at the following address:

 

Directors' Office, Experian Ltd, PO Box 8000, Nottingham, NG80 7WF

 

Yours sincerely

 

Mr * * *******

Consumer Compliance Executive

Directors' Office

 

 

I've absolutely NO idea how many thousands of words I have typed into letters, emails or this forum, but when I get a result like this, I can honestly say that each and every damn key press was worth it.

 

Now, excuse me whilst I go and have a quiet lie-down and recover...

Of course, their admission in this letter can now be used as evidence that they agree that it is dependant on the specific terms of the individuals contract... and what's more Experian's legal dept. must have approved such a letter before allowing it to go.

 

HOWEVER, I bet that you will now see contract terms being altered to six years even for non-public defaults.. I note that Experian have already changed their suggested templates.

 

As I said on another thread, just amend the T&Cs, to read "for the duration of the contract only" and initial it.

 

Having said that, I think there are also ramifications under the UTCC Regs anyway, as there are no reciprocal rights for the consumer. However, it is harder to have a clause deemed unlawful, and removed from a contract and then have the CRA amend the data, than just amending the contract in the first place.

[vint1954]

vint-you've been busy!!

Sad for a saturday afternoon.